So we have 2500 VMware VMs, where we have checked with this code:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
We also have a similar line of code that checks the KEK, they both are returning true.
But we have NOT flipped the registry key specified by Microsoft to 0x5944 and hence the status says NotStarted. In our case above, with the VMware VMs, do we need to actually flip that registry key, that initiates the process, or are we good to go as it is?
/Patrick
If devices have both Windows UEFI CA 2023 and KEK CA 2023, then certificates are already updated. Likely the VM was created on the latest version of vSphere software that creates VMs with updated certificates. UEFICAStatus shows Not Started because Boot manager is not yet updated. To update Windows Boot manager to the new 2023 certificate signed version, set the AvailableUpdates registry key to 0x5944 and execute Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update". This should change the status to either Updated or InProgress. If the status shows "InProgress", reboot the server and rerun the task to get the update completed.
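
The check and the update steps from the reply above, combined into one PowerShell function as an added example that is not part of the original thread. The function names, both registry paths, the status value name UEFICA2023Status, the KEK match string and the wait time are assumptions that do not appear on the page; verify them against Microsoft's guidance before running this across a fleet.

```powershell
# Added example, not from the original thread. Run elevated on a UEFI VM.
# Assumptions not stated on the page: both registry paths, the value name
# UEFICA2023Status, the KEK match string, and the 30-second wait.
function Test-SecureBootVar {
    param([string]$Name, [string]$Pattern)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
        return [System.Text.Encoding]::ASCII.GetString($bytes) -match $Pattern
    } catch {
        # Raised on legacy-BIOS VMs or when the variable cannot be read.
        Write-Warning "Cannot read '$Name': $($_.Exception.Message)"
        return $false
    }
}

function Update-BootManagerTo2023 {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$WaitSeconds = 30)
    $sbKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $svcKey = "$sbKey\Servicing"
    $readStatus = { (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).UEFICA2023Status }

    $dbOk   = Test-SecureBootVar -Name db  -Pattern 'Windows UEFI CA 2023'
    $kekOk  = Test-SecureBootVar -Name KEK -Pattern 'KEK 2K CA 2023'
    $status = & $readStatus
    $action = 'None'

    if (-not ($dbOk -and $kekOk)) {
        # Certificates must already be in db and KEK before the boot manager step.
        $action = 'Skipped: 2023 certificates missing from db or KEK'
    } elseif ($status -eq 'Updated') {
        $action = 'Skipped: boot manager already updated'
    } elseif ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Set AvailableUpdates=0x5944 and run Secure-Boot-Update')) {
        Set-ItemProperty -Path $sbKey -Name AvailableUpdates -Value 0x5944 -Type DWord
        Start-ScheduledTask -TaskName '\Microsoft\Windows\PI\Secure-Boot-Update'
        Start-Sleep -Seconds $WaitSeconds   # the task runs asynchronously
        $status = & $readStatus
        $action = if ($status -eq 'InProgress') { 'Reboot, then rerun the task' } else { 'Task started' }
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME; DbHas2023 = $dbOk; KekHas2023 = $kekOk
        Status   = $status;           Action    = $action
    }
}

# -WhatIf reports the current state without touching the registry or the task.
Update-BootManagerTo2023 -WhatIf
```

Drop `-WhatIf` to apply the change; the returned object can be collected per VM to track which machines still need a reboot and a second run of the task.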