Secure Boot Certificate Updates for Azure Virtual Desktop

Застосовується до
Azure Virtual Desktop

Note

  • Original publish date: February 19, 2026
  • KB ID: 5080931

Note

This article has guidance for:

  • Azure Virtual Desktop administrators managing session host updates

  • Organizations using Secure Boot enabled VMs for Azure Virtual Desktop deployments

  • Organizations using custom images (golden images) for Azure Virtual Desktop deployments

In this article:

Introduction

Secure Boot is a UEFI firmware security feature that helps ensure only trusted, digitally signed software runs during a device boot sequence. The Microsoft Secure Boot certificates issued in 2011 begin expiring in June 2026. Without the updated 2023 certificates, devices will no longer receive new Secure Boot and Boot Manager protections or mitigations for newly discovered boot-level vulnerabilities.

All Secure Boot enabled VMs registered in the Azure Virtual Desktop service, and custom images used to provision them, must be updated to the 2023 certificates before expiration to remain protected. See When Secure Boot certificates expire on Windows devices

Does this apply to my Azure Virtual Desktop environment?

Scenario Secure Boot Active? Action Required
Session Hosts
Trusted Launch VM with Secure Boot enabled Yes Update certificates on the session host
Trusted Launch VM with Secure Boot disabled No No action needed
Standard security type VM No No action needed
Generation 1 VM Not supported No action needed
Golden Images
Azure Compute Gallery image with Secure Boot enabled Yes Update certificates in the source image
Azure Compute Gallery image without Trusted Launch No Apply updates in session host after deployment
Managed image (does not support Trusted Launch) No Apply updates in session host after deployment

For complete background information, see Secure Boot certificate updates: Guidance for IT professionals and organizations.

Inventory and Monitor

Before taking action, inventory your environment to identify devices that require updates. Monitoring is essential to confirm certificates are applied before the June 2026 deadline—even if you rely on automatic deployment methods.  Below are options to determine if action needs to be taken.

Option 1: Microsoft Intune Remediations

For session hosts enrolled in Microsoft Intune, you can deploy a detection script using Intune Remediations (Proactive Remediations) to automatically collect Secure Boot certificate status across your fleet. The script runs silently on each device and reports Secure Boot status, certificate update progress, and device details back to the Intune portal — no changes are made to the devices. Results can be viewed and exported to CSV directly from the Intune admin center for fleet-wide analysis.

For step-by-step instructions on deploying the detection script, see Monitoring Secure Boot Certificate Status with Microsoft Intune Remediations.

Option 2: Windows Autopatch Secure Boot Status Report

For personal persistent session hosts registered with Windows Autopatch, go to Intune admin centerReports > Windows Autopatch > Windows quality updates > Reports tabSecure Boot status. See Secure Boot status report in Windows Autopatch.

Note

Windows Autopatch supports only personal persistent virtual machines for Azure Virtual Desktop. Multi-session hosts, pooled non-persistent virtual machines, and remote app streaming are not supported. See Windows Autopatch on Azure Virtual Desktop workloads.

Option 3: Registry Keys for Fleet Monitoring

Use your existing device management tools to query these registry values across your fleet.

Registry Path Key Purpose
HKEY_LOCAL_MACHINE:\SYSTEM\CurrentControlSet
\Control\SecureBoot\Servicing
UEFICA2023Status Current deployment status
HKEY_LOCAL_MACHINE:\SYSTEM\CurrentControlSet
\Control\SecureBoot\Servicing
UEFICA2023Error Indicates errors (should not exist)
HKEY_LOCAL_MACHINE:\SYSTEM\CurrentControlSet
\Control\SecureBoot\Servicing
UEFICA2023ErrorEvent Indicates Event ID (should not exist)
HKEY_LOCAL_MACHINE:\SYSTEM\CurrentControlSet
\Control\SecureBoot
AvailableUpdates Pending update bits

For full registry key details, see Registry key updates for Secure Boot: Windows devices with IT-managed updates.

Option 4: Event Log Monitoring

Use your existing device management tools to collect and monitor these event IDs from the System event log across your fleet.

Event ID Location Meaning
1808 System Certificates successfully applied
1801 System Update status or error details

For a full list of event details, see Secure Boot DB and DBX variable update events.

Option 5: PowerShell Inventory Script

Run Microsoft's Sample Secure Boot Inventory Data Collection script to check Secure Boot certificate update status. The script collects several data points including Secure Boot state, UEFI CA 2023 update status, firmware version, and event log activity.

Deployment

Important

Regardless of which deployment option you choose, we recommend monitoring your device fleet to confirm certificates are successfully applied before the June 2026 deadline. For custom images, see Golden Image Considerations.

Option 1: Automatic Updates from Windows Update (High-Confidence Devices)

Microsoft automatically updates devices through Windows monthly updates when sufficient telemetry confirms successful deployment on similar hardware configurations.

  • Status: Enabled by default for high-confidence devices
  • No action required unless you want to opt out
Registry HKEY_LOCAL_MACHINE:\SYSTEM\CurrentControlSet\Control\SecureBoot
Key HighConfidenceOptOut = 1 to opt out
Group Policy Computer Configuration > Administrative Templates > Windows Components > Secure Boot > Automatic Certificate Deployment via Updates > Set to Disabled to opt out.

Note

Recommendation: Even with automatic updates enabled, monitor your session hosts to verify certificates are applied. Not all devices may qualify for high-confidence automatic deployment.

For more information, see Automated deployment assists.

Option 2: IT-Initiated Deployment

Manually trigger certificate updates for immediate or controlled rollout.

Method Documentation
Microsoft Intune Microsoft Intune method
Group Policy Group Policy Objects (GPO) method
Registry Keys Registry key method
WinCS CLI WinCS APIs

Note

  • Do not mix IT-initiated deployment methods (e.g., Intune and GPO) on the same device—they control the same registry keys and may conflict.
  • Allow approximately 48 hours and one or more restarts for certificates to fully apply.

Golden Image Considerations

For Azure Virtual Desktop environments using Azure Compute Gallery images with Secure Boot enabled, apply the Secure Boot 2023 certificate update to the golden image before capturing it. Use one of the methods described above to apply the update, then verify certificates are updated before generalizing:

Note

Get-ItemProperty "HKEY_LOCAL_MACHINE:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" | Select-Object UEFICA2023Status

Images without Trusted Launch enabled cannot receive Secure Boot certificate updates through the image. This includes managed images, which do not support Trusted Launch, and Azure Compute Gallery images where Trusted Launch is not enabled. For devices provisioned from these images, apply updates in the guest OS using one of the methods above.

Known issues

Servicing registry key does not exist

Symptom HKEY_LOCAL_MACHINE:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing path does not exist
Cause Certificate updates have not been initiated on the device
Resolution Wait for automatic deployment via Windows Update, or manually initiate using one of the IT-initiated deployment methods above

Status shows “InProgress” for extended period

Symptom UEFICA2023Status remains “InProgress” after multiple days
Cause Device may need a restart to complete the update process
Resolution Restart the session host and check status again after 15 minutes. If the issue persists, see Secure Boot DB and DBX variable update events for troubleshooting guidance

UEFICA2023Error registry key exists

Symptom UEFICA2023Error registry key is present
Cause An error occurred during certificate deployment
Resolution Check System event log for details. See Secure Boot DB and DBX variable update events for troubleshooting guidance

Resources