Windows secure boot certificate, how is this even possible?

[-]

djtterb@reddit

Stupid question… will the Linux hosts I host on Win10 Hyper-V still work if they are G1?

Reply

[-]

Technical_Gold_8278@reddit

Yes. Secure Boot is pre-boot. Hyper-V is post boot. You won't receive the secure boot patch unless you are on the Windows 10 ESU program which expires Oct 2026.

Reply

[-]

bjc1960@reddit

Regarding the Sh1tSh0w comment,, outside of the sysadmin and intune subreddits, there is not a whole lot of visibility or awareness. My org is behind, but rapidly catching up.

Reply

[-]

xtobotn@reddit

I hope I'm wrong, but I think that this will get a lot of visibility as soon as machines start to hang at boot.

Reply

[-]

bjc1960@reddit

we had about 100 bitlocker key requests for the april release. That got some attention. CEO could not boot

Reply

[-]

frankv1971@reddit (OP)

I know, even a supplier I contacted was not aware.

Reply

[-]

Can somebody tell me exactly after the June certificate expiration, on a physical workstation, that has Secure Boot enabled, and the assessment script from Microsoft signal something missing regarding this? Will they reboot and hang at the BIOS? Or what else?

Reply

[-]

TheJesusGuy@reddit

We have until June don't we?

Reply

[-]

frankv1971@reddit (OP)

Your saying, plenty of time left 🤪

Reply

[-]

DL72-Alpha@reddit

If you bring it up with your manager it will obviously only take 15 minutes. Why are you stressing?

Reply

[-]

Break2FixIT@reddit

I have seriously updated 45 servers within a week. GPO and power shell for the win.

Reply

[-]

pc_load_letter_in_SD@reddit

Would love to know as well. All my servers have been for days at... UEFICA2023Status ---------------- InProgress

Reply

[-]

NoURider@reddit

Please share process.

Reply

[-]

HearthOfDarkness@reddit

what process did you use?

Reply

[-]

praetorthesysadmin@reddit

lmao If you manage a fleet of hundred or thousands of servers, that would be just a huge shitshow.

Reply

[-]

TheJesusGuy@reddit

I dont and neither is this guy. If you do, you and your team should have done or be done planning.

Reply

[-]

eater_of_spaetzle@reddit

You can apply the 2023 certs after the 2011 certs expire. You will have a reduced security posture though.

Reply

[-]

Own_Back_2038@reddit

You will have a reduced security posture once windows releases an update that needs to be signed with the new cert

Reply

[-]

looncraz@reddit

This is why I avoid Secure Boot, it's a Microsoft lock down on every system that uses it even if you don't use Windows.

Reply

[-]

TheJesusGuy@reddit

And that's fine on your personal machine, but this is r/sysadmin

Reply

[-]

Apachez@reddit

Secure Boot have never stopped any malware ever.

Reply

[-]

Own_Back_2038@reddit

Secure boot has almost eliminated firmware root kits. It doesn’t stop malware, it mitigates it by preventing it from messing with the preboot environment

Reply

[-]

Apachez@reddit

If this would be remotely true then all the current RATs would be nonexistent - which they unfortunately isnt. Number of malwares have instead accelerated since the introduction of "secure boot" which isnt secure at all to begin with.

Reply

[-]

Own_Back_2038@reddit

RATs don’t need to compromise the boot environment, that just helps with persistence and EDR evasion

Reply

[-]

looncraz@reddit

No, firmware CoT did that. You can't flash firmware on basically any motherboard without the system validating it now. Secure Boot has no role in that. The hardware rooted chain of trust is at the CPU level and is what protects the firmware path, Secure Boot DOES NOT do this. Secure Boot is the firmware checking that the OS is signed, it ensures that the boot loader is legitimate. That's what it does. That's all it does. It does NOT prevent firmware rootkits, it doesn't even make them harder to implement. It prevents Windows from getting a root kit. That's it. AMD's PSP doesn't need Secure Boot to protect the system. Windows needs Secure Boot to verify that it's what's actually booting on the hardware first (after the firmware).

Reply

[-]

TheJesusGuy@reddit

Okay, deploy 200 Windows 11 workstations without it enabled. Go.

Reply

[-]

jake04-20@reddit

You can actually do this with MDT with ease lol.

Reply

[-]

TheJesusGuy@reddit

And how about your security certifications

Reply

[-]

jake04-20@reddit

What do you mean? Security certifications as in like CompTIA Security+ cert?

Reply

[-]

TheJesusGuy@reddit

Like cyber essentials plus or iso 27001..

Reply

[-]

jake04-20@reddit

What about it? You said "deploy 200 Windows 11 workstations without [secure boot] enabled", you didn't say do it AND be compliant... lol.

Reply

[-]

Apachez@reddit

To be security compliant I wouldnt use Windows to begin with :D

Reply

[-]

riazzzz@reddit

May as well disable windows updates, they cause no end of problems every month and if my machines ever get viruses I just wipe them! /s

Reply

[-]

xfilesvault@reddit

Right, it’s a Microsoft lock down that keeps your system secure, even if you don’t use Windows…

Reply

[-]

looncraz@reddit

In order for that vector of attack to work you already have to have FULLY compromised. At that point I wipe the machines anyway. Nothing gained from Secure Boot except vendor lock-in.

Reply

[-]

xfilesvault@reddit

"At that point I wipe the machines anyway." If you knew you were compromised. Which you don't. If the malware loads before the OS, then you don't know what's going on and it can hide from antivirus.

Reply

[-]

looncraz@reddit

It needs to get in that far, first. At which point you're already screwed, Secure Boot or not. The vendor lock-in is extremely evident - Microsoft is the only signer for Secure Boot certificates on most systems. Linux kernels are signed by Microsoft to be able to work with Secure Boot.

Reply

[-]

Own_Back_2038@reddit

Without secure boot wiping the machine might not be enough. You don’t know if the firmware is legitimate or not

Reply

[-]

looncraz@reddit

Of course I do, there's not a system out there today without digitally signed and encrypted firmware. To compromise the firmware also requires a machine specific exploit, leaked master keys, and more. It's happened, sure, but not at any scale for the last decade or more since motherboard firmware started being encrypted and signed - and that is without Secure Boot, the hardware won't allow non-genuine firmware.

Reply

[-]

slippery_hemorrhoids@reddit

lol

Reply

[-]

New-Seesaw1719@reddit

And you can still boot the drive in another machine anyway

Reply

[-]

r4x@reddit

What's the easiest way to do the update on an air gapped network, no intune, with secure boot and bitlocker required?

Reply

[-]

nyckidryan@reddit

Sneakernet.

Reply

[-]

r4x@reddit

Well yeah sure but like what? I read Microsoft docs and VMware docs and don't really understand the process

Reply

[-]

rundgren@reddit

Secure Boot specifically does not provide enough security ( in a server setting ) to be worth the cost of complexity IMO.

Reply

[-]

mb194dc@reddit

I checked some of my cloud based servers last week servers and realized it's not even enabled.

Reply

[-]

pdp10@reddit

We don't use any Secure Boot on servers. But then, our production is almost entirely running Linux, and the servers are in physically-secured and audited datacenters. I've been amusing myself by using the `fwupd`/LVFS stack to update UEFI dbx and UEFI CA on lab servers, just to see how it's working out. Not every UEFI firmware is amenable, at least not without twiddling UEFI settings.

Reply

[-]

Schourend@reddit

My assumption (correct me if im wrong) - Microsoft releases the update in badges. - Most important for now is making sure the BIOS is up-to-date with a version the manufacturer prescribes.

Reply

[-]

beren12@reddit

And for the hundreds of millions of machines with no more bios updates??

Reply

[-]

pdp10@reddit

The UEFI CA (updated trust anchors) update and UEFI dbx (blacklisted keys) are hardware vendor agnostic. They [come nominally from the UEFI Forum, but essentially from Microsoft](https://uefi.org/revocationlistfile). Linux LVFS/`fwupd` can generally update the `UEFI CA` and `UEFI dbx` on UEFI systems, at least if everything is working as it expects, regardless of hardware support status. `dbxtool -a` is supposed to be able to apply a `UEFI dbx` update manually, as well.

Reply

[-]

Laxarus@reddit

Not exactly, you just need to upload new keys to bios via UEFI instead of using OEM keys. There was this github repo about it (using mosby) and I think rufus github page also covers this. Is it a PITA? Yes. Is this gonna screw you when cmos battery dies? Yes. So, backup your bitlocker keys before doing any of them

Reply

[-]

KnightNZ@reddit

The existing BIOS is likely already full of unpatched CVEs in that case anyway. Turn SecureBoot off and hope you dont need Bitlocker.

Reply

[-]

jess-sch@reddit

All major manufacturers allow you to enroll custom secure boot keys in the UEFI.

Reply

[-]

Walbabyesser@reddit

Disable secure boot - not pretty, but 🤷🏻‍♂️

Reply

[-]

Schourend@reddit

They are f*cked.

Reply

[-]

frankv1971@reddit (OP)

I would hope that the last batch had been released 3 months before the expiry date 🫣. My HyperV virtual machines should have been updated by now as MS controls the secure boot of them.

Reply

[-]

Imobia@reddit

If you think physical servers are bad, VMware never anticipated the need to update a vm’s bios. Go check out the process for doing that! I’ve got 1000’s of systems that we have NFI how to fix as it’s all manual.

Reply

[-]

pdp10@reddit

You have to offline the host and migrate guests, then boot from external media for the firmware updates and validation. At scale, it's ideal to PXE/iPXE netboot straight into automation with error-handling and logging. But, are you really needing, or even leveraging, Secure Boot, on ESXi clusters that are probably behind locked doors anyway? I'm a hundred times more interested in [updating a wide variety of storage-drive firmware](https://www.reddit.com/r/sysadmin/comments/1pi7s7y/tips_for_updating_the_firmware_of_nonenterprise/) than in Secure Boot.

Reply

[-]

thetrivialstuff@reddit

> I never met such a shitshow in more than 25 years in IT. Come on, man, you were around for both Y2K and the George W. Bush "let's all find out that Windows can only handle one set of daylight saving rules at a time" law; this is a mild inconvenience at best :P

Reply

[-]

frankv1971@reddit (OP)

Y2K was a lot of hype, we had no issue then, but we had a full hardware refresh, so I am not complaining. Even our SAP systems had no problems then, the C suites had been terrified then 😁. The Bush thing never landed in Europe so I cannot comment on that one 🫣

Reply

[-]

BlockBannington@reddit

I can't believe someone in IT would say stupid shit like this (first part)

Reply

[-]

frankv1971@reddit (OP)

That is your opinion. My personal experience and that of many others is that there was a lot of fuss but in the end most problems were minor. The company I worked for had done a complete overhaul of their IT before 2000 and as said not much happened. I was on standby but never called that night. https://preview.redd.it/zv7phdikanrg1.png?width=1008&format=png&auto=webp&s=e22f9b2dcb6bd68685cdf3694e45999b19a24094

Reply

[-]

BlockBannington@reddit

No respect for devs these days. How unfortunate.

Reply

[-]

VexingRaven@reddit

Genuinely deserved, tbh.

Reply

[-]

frankv1971@reddit (OP)

For devs it was different. However I thought we were talking about sysadmins here 🫣

Reply

[-]

BlockBannington@reddit

Alright, I'm done here. Just unfortunate

Reply

[-]

Apachez@reddit

Next fun day might become in 2038 when the Minuteman systems becomes confused =)

Reply

[-]

frankv1971@reddit (OP)

By that time I hope to have retired :D

Reply

[-]

iceph03nix@reddit

And moved off planet?

Reply

[-]

frankv1971@reddit (OP)

I checked what you mean with minuteman systems (had not heard of it). I guess that could be a new issue for the future. We will see if this is picked up before 2035 😁

Reply

[-]

Apachez@reddit

Im thinking about these: https://gizmodo.com/for-20-years-the-nuclear-launch-code-at-us-minuteman-si-1473483587 https://sgs.princeton.edu/00000000 https://github.com/Zaneham/Minuteman-computer-emulator > Sixty years later, the D37C is still in service. The current Minuteman III missiles use guidance computers that are, architecturally, the same machines. They've been refurbished, certainly. But the instruction set? The 24-bit words? The rotating disc memory concept? Still there. > > The US Air Force has been trying to replace them since the 1990s. It's... not gone well.

Reply

[-]

thetrivialstuff@reddit

> Y2K was a lot of hype, we had no issue then, Ah, so you weren't on any of the fixing crews for that, then. > The Bush thing never landed in Europe so I cannot comment on that one 🫣 It caused a few problems for the parts of Europe that do daylight saving time - before the change, e.g. London was always exactly 8 hours difference from Vancouver. After the change, twice a year there'd be a period where it went "oops, now we're 7 hours different because one of us moved time zones for DST, oops, now we're 8 hours again!"

Reply

[-]

frankv1971@reddit (OP)

\>Ah, so you weren't on any of the fixing crews for that, then. As mentioned, we had a complete hardware refresh by then, also legacy software was already patched or replaced. In general there was a lot of fear for large scale outages but to my knowledge (and from what I remember) there were only minor issues. We have daylight savings time, I honestly cannot remember this ever being an issue in Europe.

Reply

[-]

cluberti@reddit

…correct. Now you’re on the other side where you will be the one doing all of the frustrating but necessary work under an unmovable date so that in 20 years when the next one arises, people will say “it was no big deal!” when they talk about this problem. Welcome to the other side a lot of us were on in the late 90s.

Reply

[-]

Brilliant-Advisor958@reddit

Y2K was" hype" because of the effort that went into fixing it.

Reply

[-]

VexingRaven@reddit

At least you could tell ahead of time if you were ready for y2k. Unless there's been a recent change, current guidance for enterprises using autopatch is "we'll handle it but also check these reg keys at some unspecified point in the future, no we won't tell you when you should worry if they aren't populated, good luck!"

Reply

[-]

Adam_Kearn@reddit

It’s been posted all over the internet for the last year now so you have had plenty of notice. Most of it can be done by pushing out updates. A lot of the entriprise hardware have interfaces like HP BIOS Configuration Utility to enrol certs programatically.

Reply

[-]

Fuzzy_Paul@reddit

What is the question?

Reply

[-]

AP_ILS@reddit

Having to go into the BIOS on every workstation we have to restore defaults is the part that irks me the most. The Dell servers we have are so finicky. If you have Windows update the certs before you update the BIOS, the process fails and you have to follow different steps to get it updated which involves cutting the power off to the server entirely. Doing a shutdown isn't enough, the power has to be disconnected, or it may be possible to do through iDrac. It's so dumb.

Reply

[-]

Darkk_Knight@reddit

If you're using iDrac you can apply the BIOS updates that way.

Reply

[-]

bentleythekid@reddit

Just did this myself. It sounds like you're talking about hyper-v as the host for the VMs? The march updates are required for hyper-v hosts. There are several steps: Windows Server Secure Boot playbook for certificates expiring in 2026 | Microsoft Community Hub https://share.google/wB9HH9e4q84wEfIUd You need: -OS updates - potentially hardware / firmware updates - a method of deploying the certificate (gpo should work since you don't have intune) If you've already gone through the steps and it's still not working, check the event logs.

Reply

[-]

bjc1960@reddit

We have been struggling. I finally had Claude build me a script, and after a few days of failing, I got it fixed and we are 60% remediated. We are running as a detect/remediate.

Reply

[-]

log_a_ticket@reddit

I got bored of seeing the Intune policy error 65000 for this, so used the remediation script method and now our entire fleet is uptodate 5 days later.

Reply

[-]

RedditSold0ut@reddit

That 65000 error has been solved as far as i can tell

Reply

[-]

log_a_ticket@reddit

Not for us it hasn’t. Out of 500 devices only 120 show as taking the Intune profile ok.

Reply

[-]

RedditSold0ut@reddit

What OS version are you running? Or do you use hotpatch? https://support.microsoft.com/en-gb/topic/known-issues-and-resolutions-for-secure-boot-certificates-updates-5813673d-2577-4718-ad28-2554a9178e40 https://www.reddit.com/r/Intune/s/VC6fLg3g9G

Reply

[-]

log_a_ticket@reddit

W11 25h2, Autopatch with hot patch enabled. 2026.03 OOB

Reply

[-]

RedditSold0ut@reddit

Sounds like hotpatch is the issue then since it gets another update branch than the normal servicing branch. You'll have to wait for the next baseline cumulative update to be released.

Reply

[-]

frankv1971@reddit (OP)

Remediation script, tell me more. 😁

Reply

[-]

log_a_ticket@reddit

https://www.tbone.se/2026/02/06/update-secure-boot-certificate-by-using-intune-remediation-take-2/ There’s others floating about too

Reply

[-]

ka-splam@reddit

SuperMicro's documentation page says the new certificate is in firmware 2.6. Firmware 2.6 is not released, not in beta, and their support has no ETA for it.

Reply

[-]

frankv1971@reddit (OP)

I feel your pain.

Reply

[-]

pops107@reddit

I've just started checking one of my customers PCs and it's stupid. Got several of the same machines, bios up to date, some have done the certs some haven't. Started looking at scripts and bits to force it but apparently it might trigger secure boot and have to enter the key. Plan at the moment is give it a month then pull the trigger on the script's and cross fingers.

Reply

[-]

RedditSold0ut@reddit

Its just a simple registry change. I've done it on over 1000 clients with no reported issue. Getting the certs requires 2 reboots in total, after having received the registry change which allows the PCs to renew the cert. The bios must also be new enough, most sources say a 2024-version or newer should suffice

Reply

[-]

Apachez@reddit

By using Microsoft and Adobe products everyday becomes a shitshow :D

Reply

[-]

ka-splam@reddit

Linux and VMWare use the Microsoft SecureBoot certificate.

Reply

[-]

frankv1971@reddit (OP)

The fun of being in IT has left the building years ago. At least in the past I really liked it, now with all that is going on, the ever lasting battle of securing and making sure (hoping) your not the next victim of some group in Russia or North Korea that ruins your work is taking its toll.

Reply

[-]

Wolfram_And_Hart@reddit

Is this the 1801 error? Try this poweshell, you may want to turn off but locker and restart twice. `Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force Install-Module UEFIv2 -Force Get-UEFISecureBootCerts db | select SignatureSubject WinCsFlags.exe /apply --key "F33E0C8E002" Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" `

Reply

[-]

frankv1971@reddit (OP)

Part of the machines have this error indeed. I will check this out

Reply

[-]

Wolfram_And_Hart@reddit

The “start-scheduled task” should be on a seperate line

Reply

[-]

eater_of_spaetzle@reddit

>I never met such a shitshow Telle you don't use Crowdstrike without telling me you don't use Crowdstrike.

Reply

[-]

frankv1971@reddit (OP)

I know from stories here that that was a cluster fuck. Indeed not impacted 🫣

Reply

[-]

Substantial_Tough289@reddit

Have you checked your system log? Look for TPM-WMI events, those are key to diagnose what could be going on. Did 4 hosts and about 20 G2 VMs with no problems after updating the host BIOS and applying the 2026-03 CU to all machines, all in premise and a combo of 2019 and 2025s. The only issue I had was that the Hyper-V PK expired in 2014 and even the 2025 host has it expired, after a ton of research finally got word from MS that is being ignored, that means that I'm officially done with the freaking secure boot fiasco. Links that may be useful: [https://github.com/microsoft/secureboot\_objects/issues/318](https://github.com/microsoft/secureboot_objects/issues/318) [https://github.com/microsoft/secureboot\_objects/issues/370](https://github.com/microsoft/secureboot_objects/issues/370) [https://techcommunity.microsoft.com/event/windowsevents/ask-microsoft-anything-secure-boot---february-2026/4486023/comments/4498803](https://techcommunity.microsoft.com/event/windowsevents/ask-microsoft-anything-secure-boot---february-2026/4486023/comments/4498803) [https://support.microsoft.com/en-us/topic/secure-boot-db-and-dbx-variable-update-events-37e47cf8-608b-4a87-8175-bdead630eb69](https://support.microsoft.com/en-us/topic/secure-boot-db-and-dbx-variable-update-events-37e47cf8-608b-4a87-8175-bdead630eb69)

Reply

Reply to Post

103 Comments