Does Server 2025 automagically comply?

Both fresh install & Server 2022 update?

VMware has not yet released an updated virtual hardware/BIOS package for this issue (only manual steps). Do we need to worry about the virtual hardware/Bios update offered by VMware if we’re already seeing the “Updated”/ WindowsUEFICA2023Capable =2 results we’re getting now within the registry? We also get the result of “True” using the verification command - ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).Bytes)) -match "Windows UEFI CA 2023".  From a compliance perspective, does this mean we’re covered? For that matter, do we even need to rename the NVRAM File?

We’ve also noticed that on some of our Server 2025 systems, even when the certificates seemingly updates itself successfully, the Secure Boot scheduled task fails with a “file not found” error. Is there a way to correct this? We are not sure how to address this. It appears to be a built‑in, “solid‑state” task.

Hello, I have deployed the secure boot remediation through Intune and I see event ID 1801 that says the certificates are available but not applied and the BucketConfidenceLevel shows Need more data. Do i need to take any action on that ?

Can Secure Boot certificates be updated when Secure Boot is disabled? Microsoft’s AvailableUpdates process errors out unless Secure Boot is enabled. If a device won’t boot Windows with Secure Boot on, how can we bring it into compliance?

Looks like there have been reports online of users receiving driver updates that are requiring bitlocker keys to be entered after reboot. Is this expected behavior? If the certs were already installed via policy still get prompted from driver updates?

Is there a way to know what driver updates in Intune actually have the drivers that potentially can cause bitlocker keys to be entered? Naming conventions in Intune for drivers are a bit difficult to decipher.

What happens in June when the current Secure Boot certificates expire? Will devices with Secure Boot still boot if their EFI partition is signed with the 2011 certificate? If so, how long past June will they continue to boot, and will they eventually stop?

I noticed that some of my clients (around 5% so far) updated only two of three Secure Boot Certificates. 
Intune Remediation script shows the following output: Microsoft UEFI CA 2023 = False, Microsoft Corporation UEFI CA 2011 = True.

Two other certificates are showing "2023" data string.

Is it expected that not all the certificates are updated at the same time?

Is there any update on KBKB5077181 being updated to address the boot loop issue?

My current status regarding dbx is that the old certificates must be moved there so that the SecureBoot certificate update can be completed successfully (managed IT environment with Windows 11 Enterprise licenses). Will there also be instructions or a PowerShell script that performs or explains this process?

Thank you for your time.

Will Microsoft release an OS upgrade that requires the EFI partition to be signed with the 2023 certificate? If so, is this expected in Windows 11 26H2, and has Microsoft announced anything about this? We want to avoid upgrading devices if it will re-sign the EFI partition before the new certificates are installed.