Event details

Navigating Secure Boot certificate updates in virtualized environments? Drop in to Secure Boot Office Hours and ask your questions live in the comments. For one hour, experts will be available to discuss Hyper-V, Azure offerings, Windows 365, VMware, and other virtualization scenarios. Whether you're still planning for certificate updates, validating your rollout, or troubleshooting an issue, come get the answers you need from the people closest to the technology.

There is no on-camera or meeting component to this event. All Q&A will take place in the comments on this page.

How do I participate?

Select Add to Calendar to save the date, then click the Attend button to save your spot, receive event reminders, and participate in the Q&A. Feel free to submit your questions ahead of time, and we encourage you to post early to help ensure they're seen by our experts. The Q&A will wrap up at 9:00 AM PDT, after which comments and replies will be closed.

 

Post your questions now for tomorrow's Office Hours. We'll have members of the Windows 365 and Azure Virtual Desktop teams "in the office" as well as members of Broadcom to answer your questions about updating Secure Boot certificates for Cloud PCs and virtual machines, including VMware environments.

 

Don't see Attend or Add to Calendar? Sign in to the Tech Community to join the conversation.

Heather_Poulsen
Updated Jul 07, 2026

39 Comments

  • cedricbrady's avatar
    cedricbrady
    Copper Contributor

    Do we have guidance for applying the Secure Boot certificate update to VMware vSphere virtual machines, especially VDI-style VMs that use vTPM and BitLocker encryption?

    • Grace_VMW's avatar
      Grace_VMW
      Copper Contributor

      Follow Microsoft's guidance to update the DB and KEK. If the PK is NULL, use VMware's Capsule PK update method to update it first prior to applying the KEK update.

      https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html

    • Ramakumar's avatar
      Ramakumar
      Copper Contributor

       

       

      Please subscribe to Broadcom KB specified below, upcoming release has a solution for Secure Boot certificate that use vTPM and BitLocker encryption VMs

      https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html

    • sandeepbyreddy's avatar
      sandeepbyreddy
      Copper Contributor

      Yes. When we provide the patch, we will release the detailed documentation for the same.
      As of now, vSphere team has published a KB article with a detailed overview. Please refer to the KB article.

  • G0B1IN5486's avatar
    G0B1IN5486
    Copper Contributor

    Hi! We have legacy hardware running Hyper-V, supporting legacy EUC and general workloads. This hardware is running Server 2016, using legacy boot and is planned to be decommissioned after the first year of ESU, to allow for adequate planning for cloud migration into an extended zone. While the secure boot updates have successfully updated the active DB on the virtual machines, we are hit with blocking failures when reprovisioning/scaling VDI workloads as the default DB provided by Hyper-V doesn't accept the updated bootloader which is signed with the new certificates. It can be reproduced against existing VMs when resetting the NVRAM as well. We have raised a case but they are adamant for us to rebuild as it was not a scenario that was tested. Is there a way we can work around this without rebuilding Hyper-V with UEFI / server OS > 2016?

    • Prabhakar_MSFT's avatar
      Prabhakar_MSFT
      Icon for Microsoft rankMicrosoft

      Hello  G0B1IN5486​ 

      Hyper-V VMs should be able to update the certs to new 2023 certificates when you set the registry key AvailableUpdates value to 0x5944.  Are you observing failure to apply certs via this method?

      • Cliff_Hughes's avatar
        Cliff_Hughes
        Tin Contributor

        I found if the Hyper-V host does not support secure boot, then the VM's won't support it either. Also if the Hyper-V VM is an older format, and does not include secure boot, then it will not be able to be updated, I have server VM that was running server 2016 and is now on Server 2022 but has never had Secure boot enabled or available since it was an old Gen 1 VM. As far as I know, you need to have a secure boot enable Host, and you will need to rebuild the VM to support Secure Boot. Unless there is an easier way, I would love to know!