Event details

It's time for our third Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot playb...
Pearl-Angeles
Updated Mar 11, 2026
AMA
PeDe83's avatar
PeDe83
Brass Contributor
Mar 11, 2026

Hi Arden_White​ 
today i updated an tested Hyper-V VM (Version 9) Server 2022 DC. 0x5944->0x4004

i checked "C:\Windows\System32\SecureBootUpdates\BucketConfidenceData.cab" and then the Microsoft.json which lists my VMs BucketHash in the Section:
"Under Observation - More Data Needed": [

Any Info Regarding Servers, would like to hear more about it (tomorrow) last month it was said it should be fixed in March.

  • Arden_White's avatar
    Arden_White
    Icon for Microsoft rankMicrosoft
    Mar 11, 2026

    Hi PeDe83​ the March updates need to be applied to both the host and the guest.

    • Host changes are to allow KEK updates to the NVRAM
    • Guest changes are to include a Hyper-V PK signed KEK that the guest can apply to the firmware.

    If I'm remembering correctly, if you look at the SYSTEM log at the TPM-WMI source, you'll see a 1795 event if the host is not updated and the guest is. Otherwise, you'll see an 1803 event if the host is updated and the guest is not.

    • atomBravo's avatar
      atomBravo
      Copper Contributor
      Mar 13, 2026

      Arden_White​ are there details available in a KB on these changes available in this month's updates, or more information about applying the updates for Hyper-V hosts/guests? 

      Microsoft has provided very little information with regarding the Secure Boot cert expirations on Hyper-V.  Some really useful information would be version numbers of installed QFEs with the necessary certs/fixes, and details like you just provided (the fact that both the host OS and the guest OS have to be patched, and the 1795/1803 event IDs). 

      Also, information what order the patches should be applied (host, then guest?), and how I can streamline patching, cert updates, and reboots this across dozens of hosts would be really useful... especially since Microsoft has only given us 3 months until the CA expiration and enterprises have limited change windows available.

      • Arden_White's avatar
        Arden_White
        Icon for Microsoft rankMicrosoft
        Mar 13, 2026

        Hi AB,

        I think you are making a good point about the need for more consolidated release notes specific to this effort. We do publish release notes for individual fixes, but today it can be difficult to find and correlate the pieces across updates.

        I will take this feedback back to my team and see what makes sense. It may be appropriate for guidance like this to live as a dedicated section on this page:
        https://support.microsoft.com/topic/updates-and-announcements-313b5279-2a3b-438a-83a5-3d5e2c5fc4a3 

        Regarding update ordering, there is no required sequence. It does not matter whether updates are applied to hosts or guests first. If a system has been triggered to apply the Secure Boot certificates, it will continue retrying until it succeeds.

        Arden