Secure Boot Certificate Updates for Azure Virtual Desktop
Original publish date: February 19, 2026
KB ID: 5080931
This article has guidance for:
- Azure Virtual Desktop administrators managing session host updates
- Organizations using Secure Boot enabled VMs for AVD deployments
- Organizations using custom images (golden images) for AVD deployments
Introduction
Secure Boot is a UEFI firmware security feature that helps ensure only trusted, digitally signed software runs during a device's boot sequence. The Microsoft Secure Boot certificates issued in 2011 begin expiring in June 2026. Without the updated 2023 certificates, devices will no longer receive new Secure Boot and Boot Manager protections or mitigations for newly discovered boot-level vulnerabilities; Secure Boot itself keeps working with the old certificates, but the device is stuck on the last trust anchors it received.
All Secure Boot enabled VMs registered in the Azure Virtual Desktop service, and the custom images used to provision them, must be updated to the 2023 certificates before expiration to remain protected. See When Secure Boot certificates expire on Windows devices.
Does this apply to my AVD environment?
| Scenario | Secure Boot Active? | Action Required |
| Session Hosts | | |
| Trusted Launch VM with Secure Boot enabled | Yes | Update certificates on the session host |
| Trusted Launch VM with Secure Boot disabled | No | No action needed |
| Standard security type VM | No | No action needed |
| Generation 1 VM | Not supported | No action needed |
| Golden Images | | |
| Azure Compute Gallery image with Secure Boot enabled | Yes | Update certificates in the source image |
| Azure Compute Gallery image without Trusted Launch | No | Apply updates in session host after deployment |
| Managed image (does not support Trusted Launch) | No | Apply updates in session host after deployment |
For complete background information, see Secure Boot certificate updates: Guidance for IT professionals and organizations.
Inventory and Monitor
Before taking action, inventory your environment to identify the session hosts and images that require updates. Monitoring is essential to confirm certificates are actually applied before the June 2026 deadline, even if you rely on automatic deployment. The options below let you determine whether action is needed.
Option 1: Microsoft Intune Remediations
For session hosts enrolled in Microsoft Intune, you can deploy a detection script using Intune Remediations (Proactive Remediations) to automatically collect Secure Boot certificate status across your fleet. The script runs silently on each device and reports Secure Boot status, certificate update progress, and device details back to the Intune portal — no changes are made to the devices. Results can be viewed and exported to CSV directly from the Intune admin center for fleet-wide analysis.
For step-by-step instructions on deploying the detection script, see Monitoring Secure Boot Certificate Status with Microsoft Intune Remediations.
Option 2: Windows Autopatch Secure Boot Status Report
For personal persistent session hosts registered with Windows Autopatch, go to Intune admin center > Reports > Windows Autopatch > Windows quality updates > Reports tab > Secure Boot status. See Secure Boot status report in Windows Autopatch.
Note: Windows Autopatch supports only personal persistent virtual machines for AVD. Multi-session hosts, pooled non-persistent virtual machines, and remote app streaming are not supported. See Windows Autopatch on Azure Virtual Desktop workloads.
Option 3: Registry Keys for Fleet Monitoring
Use your existing device management tools to query these registry values across your fleet. They are REG values (not subkeys) under the keys shown; the Servicing key is created only once a certificate update has been initiated on the device.
| Registry Key | Value Name | Purpose |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing | UEFICA2023Status | Current deployment status (for example, "InProgress") |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing | UEFICA2023Error | Indicates an error (should not exist) |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing | UEFICA2023ErrorEvent | Indicates the related Event ID (should not exist) |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot | AvailableUpdates | Pending update bits |
For full registry key details, see Registry key updates for Secure Boot: Windows devices with IT-managed updates.
Option 4: Event Log Monitoring
Use your existing device management tools to collect and monitor these event IDs from the System event log across your fleet.
| Event ID | Log | Meaning |
| 1808 | System | Certificates successfully applied |
| 1801 | System | Update status or error details |
For a full list of event details, see Secure Boot DB and DBX variable update events.
Option 5: PowerShell Inventory Script
Run Microsoft's Sample Secure Boot Inventory Data Collection script to check Secure Boot certificate update status. The script collects several data points including Secure Boot state, UEFI CA 2023 update status, firmware version, and event log activity.
Deployment
Important: Regardless of which deployment option you choose, we recommend monitoring your device fleet to confirm certificates are successfully applied before the June 2026 deadline. For custom images, see Golden Image Considerations.
Option 1: Automatic Updates from Windows Update (High-Confidence Devices)
Microsoft automatically updates devices through Windows monthly updates when sufficient telemetry confirms successful deployment on similar hardware configurations.
- Status: Enabled by default for high-confidence devices
- No action required unless you want to opt out
To opt out, use either the registry value or the Group Policy setting below (they control the same behavior; pick one):
| Registry Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot |
| Value | HighConfidenceOptOut = 1 (REG_DWORD) to opt out |
| Group Policy | Computer Configuration > Administrative Templates > Windows Components > Secure Boot > Automatic Certificate Deployment via Updates; set to Disabled to opt out |
Recommendation: Even with automatic updates enabled, monitor your session hosts to verify certificates are applied. Not all devices may qualify for high-confidence automatic deployment.
For more information, see Automated deployment assists.
Option 2: IT-Initiated Deployment
Manually trigger certificate updates for an immediate or controlled rollout. The supported methods are:
- Microsoft Intune
- Group Policy
- Registry keys
- WinCS CLI and WinCS APIs
Each method is documented in Secure Boot certificate updates: Guidance for IT professionals and organizations.
Notes:
- Do not mix IT-initiated deployment methods (for example, Intune and GPO) on the same device. They write the same registry values and can conflict.
- Allow approximately 48 hours and one or more restarts for the certificates to fully apply; a device that has not restarted may stay at "InProgress".
Golden Image Considerations
For AVD environments using Azure Compute Gallery images with Secure Boot enabled, apply the Secure Boot 2023 certificate update to the golden image before capturing it. Use one of the methods described above to apply the update, restart the image VM as required, and then verify the certificates are updated before generalizing (run elevated in PowerShell; the registry provider path uses the HKLM: drive):
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" | Select-Object UEFICA2023Status, UEFICA2023Error
Do not generalize while UEFICA2023Status is still "InProgress" or while UEFICA2023Error exists; every session host provisioned from that image would inherit the incomplete state.
Images without Trusted Launch enabled cannot receive Secure Boot certificate updates through the image. This includes managed images, which do not support Trusted Launch, and Azure Compute Gallery images where Trusted Launch is not enabled. For session hosts provisioned from these images, apply the updates in the guest OS after deployment using one of the methods above.
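The following read-only script is an added example written for this page; it is not part of KB5080931 and is not Microsoft's Sample Secure Boot Inventory Data Collection script. It combines the registry values from Option 3, the event IDs from Option 4, and a direct look at the UEFI db variable into one record per host, and its triage follows the Known issues section that follows. It can be run on a session host, or on a golden-image VM before generalizing. Two things it relies on are assumptions not stated in the KB: that the subject string "Windows UEFI CA 2023" is searchable as ASCII inside the raw db blob returned by Get-SecureBootUEFI, and that events 1808/1801 can be matched by ID alone in the System log without a provider filter.

```powershell
# Added example (not from KB5080931): read-only Secure Boot 2023 certificate status for one Windows guest.
# Run elevated in Windows PowerShell 5.1 or PowerShell 7 on Windows; Confirm-SecureBootUEFI and
# Get-SecureBootUEFI require administrator rights. Nothing is written to the registry or firmware.
# Assumptions not stated in the KB: the 'Windows UEFI CA 2023' string is present as ASCII in the db blob,
# and events 1808/1801 are identified by ID only (no provider filter).

function Get-SecureBoot2023Status {
    [CmdletBinding()]
    param()

    $servicingKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $secureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'

    $r = [ordered]@{
        ComputerName         = $env:COMPUTERNAME
        SecureBootEnabled    = $null
        Db2023CAPresent      = $null
        ServicingKeyExists   = (Test-Path -Path $servicingKey)
        UEFICA2023Status     = $null
        UEFICA2023Error      = $null
        UEFICA2023ErrorEvent = $null
        AvailableUpdates     = $null
        HighConfidenceOptOut = $null
        LastEvent1808        = $null
        LastEvent1801        = $null
        Assessment           = $null
    }

    # Generation 1 (BIOS) VMs have no UEFI variables: the cmdlet throws, which is the "Not supported" row above.
    try   { $r.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) }
    catch { $r.SecureBootEnabled = 'NotSupported' }

    if ($r.SecureBootEnabled -eq $true) {
        # db is a raw EFI_SIGNATURE_LIST blob; the DER certificate inside carries its subject name as ASCII bytes.
        try {
            $db = Get-SecureBootUEFI -Name db
            $r.Db2023CAPresent = [System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023'
        } catch { $r.Db2023CAPresent = 'Unknown' }
    }

    # Servicing values exist only after a certificate update has been initiated (see Known issues).
    if ($r.ServicingKeyExists) {
        $svc = Get-ItemProperty -Path $servicingKey
        $r.UEFICA2023Status     = $svc.UEFICA2023Status
        $r.UEFICA2023Error      = $svc.UEFICA2023Error
        $r.UEFICA2023ErrorEvent = $svc.UEFICA2023ErrorEvent
    }

    $sb = Get-ItemProperty -Path $secureBootKey -ErrorAction SilentlyContinue
    if ($null -ne $sb) {
        if ($null -ne $sb.AvailableUpdates) { $r.AvailableUpdates = '0x{0:X}' -f $sb.AvailableUpdates }
        $r.HighConfidenceOptOut = $sb.HighConfidenceOptOut
    }

    # Newest success (1808) and status/error (1801) events. Get-WinEvent errors when none match; suppress that.
    foreach ($id in 1808, 1801) {
        $ev = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $id } -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($ev) { $r["LastEvent$id"] = $ev.TimeCreated }
    }

    # Triage, mirroring the Known issues rows: error value -> investigate; 2023 CA already in db -> done;
    # InProgress -> restart; no Servicing key -> rollout not started yet.
    $r.Assessment = if ($r.SecureBootEnabled -ne $true) { 'NoActionNeeded: Secure Boot disabled or not supported' }
        elseif ($null -ne $r.UEFICA2023Error)           { "Error: UEFICA2023Error=$($r.UEFICA2023Error); check System log event 1801" }
        elseif ($r.Db2023CAPresent -eq $true)           { 'Updated: Windows UEFI CA 2023 present in db' }
        elseif ($r.UEFICA2023Status -eq 'InProgress')   { 'InProgress: restart the host and re-check after 15 minutes' }
        elseif (-not $r.ServicingKeyExists)             { 'NotStarted: wait for Windows Update or start an IT-initiated deployment' }
        else                                            { "Review: UEFICA2023Status=$($r.UEFICA2023Status)" }

    [pscustomobject]$r
}

# Local run: show the record, then exit with the code an Intune Remediations detection script uses
# (0 = compliant, non-zero = remediation/attention needed).
$status = Get-SecureBoot2023Status
$status | Format-List
if ($status.Assessment -like 'Updated*' -or $status.Assessment -like 'NoActionNeeded*') { exit 0 } else { exit 1 }
```

For fleet-wide collection with your own tooling, drop the trailing four lines, dot-source the file, and run `Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-SecureBoot2023Status} | Export-Csv secureboot.csv -NoTypeInformation`; the function carries its own paths, so it works unchanged in a remote session. The db check is the authoritative one: a host whose db already contains the 2023 CA is protected regardless of what the Servicing values say, while a host that reports "InProgress" but has no 1808 event and no 2023 CA in db is usually waiting for the restart called out in Known issues.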
Known issues
Servicing registry key does not exist
| Symptom | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing path does not exist |
| Cause | Certificate updates have not been initiated on the device |
| Resolution | Wait for automatic deployment via Windows Update, or manually initiate using one of the IT-initiated deployment methods above |
Status shows “InProgress” for extended period
| Symptom | UEFICA2023Status remains "InProgress" after multiple days |
| Cause | The device may need a restart to complete the update process |
| Resolution | Restart the session host and check the status again after 15 minutes. If the issue persists, see Secure Boot DB and DBX variable update events for troubleshooting guidance |
UEFICA2023Error registry key exists
| Symptom | The UEFICA2023Error registry value is present |
| Cause | An error occurred during certificate deployment |
| Resolution | Check the System event log (Event ID 1801, and the ID recorded in UEFICA2023ErrorEvent) for details. See Secure Boot DB and DBX variable update events for troubleshooting guidance |