Event details
Join Microsoft engineers for a live Ask Microsoft Anything (AMA) focused on Secure Boot certificate updates in Windows Server environments. We’ll answer your questions about deployment planning, firmware prerequisites, monitoring and troubleshooting, known issues, virtualization scenarios, and how to maintain protection against future boot-level threats. Whether you're managing a handful of servers or a large datacenter, bring your questions and get practical guidance directly from the experts helping customers navigate this important platform security update.
How do I participate?
Registration is not required. Simply select Add to calendar then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast
Get started with these helpful resources
18 Comments
- erikwoldCopper Contributor
We have in some environments used Intune settings Catalogue with a tick in the box to start the update on machines we are confident will complete the process even if it’s not in high confidence (started before intune report we’re fixed). Is it safe to later add the check box for opt-in after they have been updated in case the machines is reinstalled or will this trigger a second round of updating?
- adrielmaicheCopper Contributor
Regarding games with anti-cheat that require secure launch to be enabled, will they have to update the certificates to keep these games opening?
- garlinCopper Contributor
The dirty secret is these games don't really require Secure Boot to run. What they want is to activate Virtualization Based Security (VBS) and have the stricter Windows driver security policies block any cheat software from loading.
In order to get VBS enabled, you need to have Secure Boot. If you want Secure Boot after this summer, you need to update to CA 2023.
Enabling Secure Boot is the game publishers' lazy way of blocking cheat apps that use kernel drivers.
- PankajJanweOccasional Reader
Will Windows 2022 servers need the certificate ?
- SchwarzesblutCopper Contributor
Inside Config Manager i can set the Checkbox for use the new Certificate, for a boot image.
Is this the way where i can change it easy to the new Certificate?
Or have i to mount and change the files for the boot on my own? - erikwoldCopper Contributor
«Secureboot trust…..» we see both microsoft and non-Microsoft, is that a concern in windows only environment?
- adrielmaicheCopper Contributor
Will Windows UEFI CA 2023 need to be updated every year on Windows PE drives to keep the system running?
- JawshomeOccasional Reader
The custom ESXi image from Dell etc. has not yet been updated with the new certs - AFAIK this means the updates to VM guests have to wait until after their ESXi hosts have been updated. The timelines are getting really uncomfortable - anybody else thinks this should have been done last year? :-(
- Grace_TangOccasional Reader
vSphere VM Secure Boot certificates do not depend on the ESXi host's Secure Boot certificates.
Please refer to the Broadcom KB https://knowledge.broadcom.com/external/article/423893 to see how to update VM PK, KEK and DB certificates.
- adrielmaicheCopper Contributor
I would like to know how the Microsoft Corporation UEFI CA 2011 certificate will be affected in relation to older Nvidia and AMD video cards?
And what does Microsoft recommend that people who have machines with firmware that hasn't been updated by the manufacturers and generic firmware can do to keep secure boot up to date?
- Prabhakar_MSFT
Microsoft
Hello adrielmaiche ,
Thank you for this question. Microsoft Corporation UEFI CA 2011 certificate will continue to function for validation of the components that are already signed such as option ROMs or third party boot loader modules. So systems continue to work with the current video cards and third party boot modules without any issues.
- Heather_Poulsen
Community Manager
Thanks to those that have posted their questions early. Let's keep them coming. We'll kick off today's AMA promptly at 8:00 AM PDT.
- wrootSilver Contributor
This AMA maybe is more for physical servers, but will ask here (or repost on Office Hours for VMs later).
I am testing possible approach for our VM environment (VMware 8.0.3 U3b, not U3j yet). My test VM has Windows Server 2025. I have done certificates update via registry by setting AvailableUpdates accordingly. Was getting event that it cannot update firmware as VM was in legacy mode. Updated its compatibility to the latest and reran the registry update. Now i am getting 0x4000 in the registry and last event is 1808. Below is also output from Microsoft provided script.
From what i have found so far it looks like this VM is good now. But i was trying to make sure it is using updated boot loader and AI told me to extract signature from bootmgfw.efi
Which still shows 2011. But i am not sure if i am checking this correctly. Or whether i even need to do anything further. Maybe it will just switch bootloader later this year after an update?
And what if i want to test whether it actually boots with new bootloader? Can i try to force the switch now?
Latest Event ID: 1808
Bucket ID: 876074c56d618f213d6e7230dfafd7cc7a93768dca81faf7b262ccc23912b818
Confidence: High Confidence
Event 1801 Count: 1
Event 1808 Count: 9
Update complete (Event 1808 or Status=Updated) - skipping error analysis
OS Version: 10.0.26100
Last Boot Time: 06/11/2026 16:43:36
Baseboard Manufacturer: Intel Corporation
Baseboard Product: 440BX Desktop Reference Platform
SecureBoot Update Task: Ready (Enabled: True)
WinCS Key F33E0C8E002: Applied
=== Certificate Update Summary ===
[1P] Windows UEFI CA 2023 (db): Updated
[1P] Microsoft Corporation KEK 2K CA 2023 (KEK): Updated
[3P] Microsoft Corporation UEFI CA 2011 (db): Present - 3P 2023 certs required
[3P] Microsoft UEFI CA 2023 (db): Updated
[3P] Microsoft Option ROM UEFI CA 2023 (db): Updated
===================================
- Arden_White
Microsoft
If you're getting event 1808 on a device, then the certificates AND the boot manager have been updated.
Determining the signature on the boot manager is tricky since you're looking for the intermediate certificate (the CA) in certificate chain of the signer.