GetSecureBoot Documentation Request: Hyper-V

[jamesaepp]

I think admins (myself included) have a lot of questions about the SB updates on Hyper-V and a new document specific to it is warranted (I think under https://aka.ms/getsecureboot would make sense to strengthen the already quality documentation there).

Some things to document (maybe a FAQ format) include:

1. March CU requirements, what changed.
2. Hotpatch vs coldpatch CU
3. Version compatibility for HV hosts supporting KEK updates (Windows Server 2012R2 I think with ESU entitlements?)
4. Gen 1 vs Gen 2 security posture
5. Compare + contrast the "features" of the three secure boot templates
6. Impacts of VMs with TPMs (and shielding)
7. Guest operating systems supported (in theory it shouldn't matter, even linux VMs updating with fwupd should work....)
8. Why is the PK expired?
9. Do VMs created after the March LCU is applied automatically include the 2023 certs? Or which version/patch combinations of HV VMs include all 2023 certs/keys "out of the box"?

[dirt-devil]

This is related to items 8 and 9.

Why is the PK expired? Don't know, it's been expired for 12 years. Did MS forgot about it or is not relevant?

Applied the 2026-03 Cumulative Update to a WS2019 host on 3/11/26 that had the BIOS updated prior, PK, KEK and DB certs updated just fine. Have followed the same procedure on the rest of our WS2019 hosts and all show the new certificates.

On 3/23/26 created a new WS2019 VM and as part of the initial software installation applied Windows Updates including the 2026-03 Cumulative Update, ran the steps to update the certificates and the KEK and DB updated. The PK certificate for Hyper-V Firmware PK is expired, it expired on 4/24/2014. This happens to all G2 V9 WS2019 VMs in our organization.

Our WS2025 host also had the BIOS updated, 2026-03 Cumulative Update installed and certificates update executed, PK, KEK and DB were updated. All the WS2025 G2 V12 VMs have the same issue, the PK certificate does not update and has the same expiration date as the WS2019 VMs, expired on 4/24/2014. Machines created after applying the 2026-03 Cumulative Update also show the same expiration date.

My question is: Shall we ignore the expired PK certificate or is MS going to issue one?

[mirtelo]

Hi,

I opened a support case with Microsoft. Once again, nothing is happening except for their question about whether I'm sure the March updates are installed.

Yes, we installed the March updates on both the Hyper-V host and the guest VM.

Host W2K22

"WH....","Installation","12.03.2026 14:24:53","2026-03 Cumulative Update for Microsoft server operating system version 21H2 for x64-based Systems (KB5078766)","Succeeded","KB5078766"

Guest W2K25

"WIN...",,"16.03.2026 22:37:27","2026-03 Kumulatives Update f?r Microsoft server operating system version 24H2 f?r x64-basierte Systeme (KB5078740) (26100.32522)",Succeeded,"KB5078740"

Dont´know what to.

[mebersol]

Hey folks, my team at Microsoft contributes to the Hyper-V secure boot story. I think the ask for improved documentation on Hyper-V secure boot is valid; I believe there is already some guidance being worked on. Let me follow up with some folks (it may not happen overnight) and make sure the questions here related to Hyper-V secure boot are covered.

The PK cert isn't going to change in the short term.

[dirt-devil]

@mebersol Thank you for the clarification on the PK cert, that's what I've been looking for.