Event details

It's time for our third Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot playb...
Pearl-Angeles
Updated Mar 11, 2026
AMA
Arden_White's avatar
Arden_White
Icon for Microsoft rankMicrosoft
Mar 11, 2026

Hi PeDe83​ the March updates need to be applied to both the host and the guest.

  • Host changes are to allow KEK updates to the NVRAM
  • Guest changes are to include a Hyper-V PK signed KEK that the guest can apply to the firmware.

If I'm remembering correctly, if you look at the SYSTEM log at the TPM-WMI source, you'll see a 1795 event if the host is not updated and the guest is. Otherwise, you'll see an 1803 event if the host is updated and the guest is not.

atomBravo's avatar
atomBravo
Copper Contributor
Mar 13, 2026

Arden_White​ are there details available in a KB on these changes available in this month's updates, or more information about applying the updates for Hyper-V hosts/guests? 

Microsoft has provided very little information with regarding the Secure Boot cert expirations on Hyper-V.  Some really useful information would be version numbers of installed QFEs with the necessary certs/fixes, and details like you just provided (the fact that both the host OS and the guest OS have to be patched, and the 1795/1803 event IDs). 

Also, information what order the patches should be applied (host, then guest?), and how I can streamline patching, cert updates, and reboots this across dozens of hosts would be really useful... especially since Microsoft has only given us 3 months until the CA expiration and enterprises have limited change windows available.

  • Arden_White's avatar
    Arden_White
    Icon for Microsoft rankMicrosoft
    Mar 13, 2026

    Hi AB,

    I think you are making a good point about the need for more consolidated release notes specific to this effort. We do publish release notes for individual fixes, but today it can be difficult to find and correlate the pieces across updates.

    I will take this feedback back to my team and see what makes sense. It may be appropriate for guidance like this to live as a dedicated section on this page:
    https://support.microsoft.com/topic/updates-and-announcements-313b5279-2a3b-438a-83a5-3d5e2c5fc4a3 

    Regarding update ordering, there is no required sequence. It does not matter whether updates are applied to hosts or guests first. If a system has been triggered to apply the Secure Boot certificates, it will continue retrying until it succeeds.

    Arden