Hello Microsoft Team,
We are reviewing Microsoft guidance regarding the expiration and replacement of older Secure Boot certificates and the updates required to maintain boot trust for Windows systems.
Our environment consists of Windows Server 2016, 2019, 2022, and planned 2025 virtual machines running on VMware vSphere 8 (ESXi 8). Some of these VMs were originally created many years ago and are still configured with very old VMware virtual hardware versions (for example, virtual hardware version 6), even though they are now hosted on modern ESXi hosts.
We would like clarification on how Microsoft’s Secure Boot certificate updates may affect this scenario.
Specifically:
- Could Windows Server VMs running on legacy VMware virtual hardware versions (e.g., vHW6) encounter Secure Boot or boot trust issues as Microsoft retires older Secure Boot certificates?
- Does Microsoft require any minimum virtual firmware or UEFI capabilities from the hypervisor or VM hardware version to properly support the updated Secure Boot trust chain?
- From Microsoft’s standpoint, is upgrading the VMware virtual hardware version or changing the virtual firmware from BIOS to UEFI necessary to avoid potential boot failures after these certificate changes?
- Are there known risks for older-generation VMs on VMware when applying future Windows updates related to Secure Boot trust, such as DB or DBX updates?
Our goal is to ensure our Windows Server VMs remain fully supported and do not encounter unexpected boot issues due to Secure Boot certificate lifecycle changes.
Thank you for your guidance.
You might be interested in this Broadcom article: https://knowledge.broadcom.com/external/article/421593/missing-microsoft-corporation-kek-ca-202.html
If the VM's certificate "basis" is not accurate, the Microsoft update part will not be completely successful.
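A read-only check an administrator can run inside each guest to see where a VM stands before any DB/DBX servicing lands, added here as an example and not code from either poster, Microsoft or VMware; it assumes the Windows Server guest exposes its UEFI variables through the built-in SecureBoot PowerShell module, and the certificate subject strings it searches for are the Microsoft CA names referenced in its Secure Boot guidance (output layout is my own).

```powershell
# Added example: inventory a guest's Secure Boot certificate state.
# Run as Administrator on each Windows Server VM. Read-only: it reads
# firmware variables and never writes DB, DBX or KEK.

function Get-SecureBootCertState {
    $result = [ordered]@{
        FirmwareType = $env:firmware_type   # "UEFI" or "Legacy" (BIOS)
        SecureBootOn = $null
        Db2011       = $null   # Microsoft Windows Production PCA 2011 (expiring)
        Db2023       = $null   # Windows UEFI CA 2023 (replacement)
        Kek2011      = $null   # Microsoft Corporation KEK CA 2011 (expiring)
        Kek2023      = $null   # Microsoft Corporation KEK 2K CA 2023 (replacement)
    }

    if ($result.FirmwareType -ne 'UEFI') {
        # BIOS-firmware VMs have no UEFI variables, so there is nothing to inventory.
        return [pscustomobject]$result
    }

    try { $result.SecureBootOn = Confirm-SecureBootUEFI } catch { $result.SecureBootOn = $false }

    # Certificate subjects are stored as plain ASCII inside the DER blobs held in the
    # variables, so a substring match on the raw bytes is enough for an inventory.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name kek).Bytes)

    $result.Db2011  = $db  -match 'Microsoft Windows Production PCA 2011'
    $result.Db2023  = $db  -match 'Windows UEFI CA 2023'
    $result.Kek2011 = $kek -match 'Microsoft Corporation KEK CA 2011'
    $result.Kek2023 = $kek -match 'Microsoft Corporation KEK 2K CA 2023'

    [pscustomobject]$result
}

$state = Get-SecureBootCertState
$state | Format-List

# Triage hints for the VM scenario discussed in the question
if ($state.FirmwareType -ne 'UEFI') {
    Write-Warning 'BIOS firmware: Secure Boot is not in use, so certificate lifecycle changes do not apply to this VM.'
} elseif (-not $state.Kek2023) {
    Write-Warning 'KEK 2023 absent: review the Broadcom KB linked above before expecting DB updates to apply.'
} elseif (-not $state.Db2023) {
    Write-Warning 'DB lacks Windows UEFI CA 2023: boot components signed by the new CA are not trusted yet.'
}
```

Running it across the fleet and collecting the objects gives a quick split between BIOS VMs (no action under Secure Boot), UEFI VMs still missing the 2023 KEK, and VMs already carrying the new trust chain.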