Event details
Navigating Secure Boot certificate updates in virtualized environments? Drop in to Secure Boot Office Hours and ask your questions live in the comments. For one hour, experts will be available to discuss Hyper-V, Azure offerings, Windows 365, VMware, and other virtualization scenarios. Whether you're still planning for certificate updates, validating your rollout, or troubleshooting an issue, come get the answers you need from the people closest to the technology.
There is no on-camera or meeting component to this event. All Q&A will take place in the comments on this page.
How do I participate?
Select Add to Calendar to save the date, then click the Attend button to save your spot, receive event reminders, and participate in the Q&A. Feel free to submit your questions ahead of time, and we encourage you to post early to help ensure they're seen by our experts. The Q&A will wrap up at 9:00 AM PDT, after which comments and replies will be closed.
Post your questions now for tomorrow's Office Hours. We'll have members of the Windows 365 and Azure Virtual Desktop teams "in the office" as well as members of Broadcom to answer your questions about updating Secure Boot certificates for Cloud PCs and virtual machines, including VMware environments.
Don't see Attend or Add to Calendar? Sign in to the Tech Community to join the conversation.
38 Comments
- G0B1IN5486Copper Contributor
Hi! We have legacy hardware running Hyper-V, supporting legacy EUC and general workloads. This hardware is running Server 2016, using legacy boot and is planned to be decommissioned after the first year of ESU, to allow for adequate planning for cloud migration into an extended zone. While the secure boot updates have successfully updated the active DB on the virtual machines, we are hit with blocking failures when reprovisioning/scaling VDI workloads as the default DB provided by Hyper-V doesn't accept the updated bootloader which is signed with the new certificates. It can be reproduced against existing VMs when resetting the NVRAM as well. We have raised a case but they are adamant for us to rebuild as it was not a scenario that was tested. Is there a way we can work around this without rebuilding Hyper-V with UEFI / server OS > 2016?
- Prabhakar_MSFT
Microsoft
Hello G0B1IN5486
Hyper-V VMs should be able to update the certs to new 2023 certificates when you set the registry key AvailableUpdates value to 0x5944. Are you observing failure to apply certs via this method?
- Cliff_HughesTin Contributor
I found if the Hyper-V host does not support secure boot, then the VM's won't support it either. Also if the Hyper-V VM is an older format, and does not include secure boot, then it will not be able to be updated, I have server VM that was running server 2016 and is now on Server 2022 but has never had Secure boot enabled or available since it was an old Gen 1 VM. As far as I know, you need to have a secure boot enable Host, and you will need to rebuild the VM to support Secure Boot. Unless there is an easier way, I would love to know!