I've been reading about the recent changes Microsoft is making to the Secure Boot certificates, specifically replacing the older 2011 keys with new ones before they expire. Most information seems to be focused on physical workstations, but I'm curious about how this impacts Windows Server VMs that have Secure Boot enabled.
In environments with many long-running VMs (like 2016/2019/2022 versions that have just been patched and kept alive), I have a few questions:
* Do the new Secure Boot certificates get updated automatically through Windows Update inside the VM?
* Is the update dependent on the hypervisor or the virtual UEFI implementation?
* Could older VM templates or hardware versions lead to potential issues in the future?
I'm trying to determine whether this is simply a "keep patching and forget about it" scenario, or if there's more diligence required in monitoring VM fleets regarding this. Has anyone explored this issue or run into any problems?
1 Answer
It depends on your hypervisor. Some require you to manually update the Secure Boot certificates. Just keep an eye on your setup and follow the guidelines provided by your virtualization platform.

Does Hyper-V handle this automatically through Windows Updates, or is it manual?
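As an added example (not part of the original question or answer), here is a PowerShell check that covers both sides of the question above: on a Hyper-V host it lists each VM's firmware type and Secure Boot template, and inside a guest it reads the UEFI db/KEK variables to see whether the 2023 Microsoft CAs are already present alongside the 2011 ones, plus the Secure Boot servicing registry values. Assumptions: the cmdlets `Get-VMFirmware`, `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` are the standard Hyper-V / SecureBoot module cmdlets; the CA subject strings are the published names of Microsoft's 2011 and 2023 signing CAs; the `SecureBoot\Servicing` registry value names (`UEFICA2023Status`, `AvailableUpdates`) are taken from Microsoft's Secure Boot CA-update guidance and should be verified against the current KB article, since the servicing mechanism is still being rolled out. The guest-side part must run elevated on a UEFI (Generation 2) VM; on a Generation 1 VM the Secure Boot cmdlets throw, which the script reports rather than hides.

```powershell
# Added example: inventory Secure Boot CA state for Hyper-V VMs (host side)
# and for a Windows guest (guest side). Not from the original post.

# ---------- Host side: run on the Hyper-V host ----------
function Get-VmSecureBootInventory {
    # Gen1 VMs have no UEFI firmware, so Get-VMFirmware is only valid for Gen2.
    Get-VM | ForEach-Object {
        $vm = $_
        if ($vm.Generation -eq 2) {
            $fw = Get-VMFirmware -VM $vm
            [pscustomobject]@{
                VMName             = $vm.Name
                Generation         = $vm.Generation
                SecureBoot         = $fw.SecureBoot
                SecureBootTemplate = $fw.SecureBootTemplate
            }
        } else {
            [pscustomobject]@{
                VMName             = $vm.Name
                Generation         = $vm.Generation
                SecureBoot         = 'N/A (BIOS/Gen1)'
                SecureBootTemplate = $null
            }
        }
    }
}

# ---------- Guest side: run elevated inside the VM ----------
# Subject-name fragments of the CAs of interest. DER subject strings are
# ASCII (PrintableString/UTF8String), so a plain text search over the raw
# variable bytes is enough to detect presence; it does not validate the certs.
$CaNames = @(
    'Microsoft Corporation KEK CA 2011',
    'Microsoft Corporation KEK 2K CA 2023',
    'Microsoft Windows Production PCA 2011',
    'Windows UEFI CA 2023',
    'Microsoft Corporation UEFI CA 2011',
    'Microsoft UEFI CA 2023'
)

function Get-GuestSecureBootCaState {
    $result = [ordered]@{}
    try {
        $result['SecureBootEnabled'] = Confirm-SecureBootUEFI
    } catch {
        # Thrown on BIOS/Gen1 VMs or when the platform exposes no Secure Boot.
        $result['SecureBootEnabled'] = "Unavailable: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    foreach ($var in 'KEK', 'db') {
        $bytes = (Get-SecureBootUEFI -Name $var).Bytes
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        foreach ($ca in $CaNames) {
            # Record one flag per (variable, CA) pair, e.g. "db:Windows UEFI CA 2023".
            $result["$var`:$ca"] = $text.Contains($ca)
        }
    }

    # Servicing status written by Windows Update during the CA rollout.
    # Assumption: value names per Microsoft's guidance; verify against the current KB.
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $props = Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue
    $result['UEFICA2023Status'] = $props.UEFICA2023Status
    $result['AvailableUpdates'] = $props.AvailableUpdates

    [pscustomobject]$result
}

# Usage:
#   On the host:  Get-VmSecureBootInventory | Format-Table -AutoSize
#   In a guest:   Get-GuestSecureBootCaState | Format-List
```

A guest that shows `SecureBootEnabled = True`, the 2011 CAs present and every 2023 entry `False` is one whose firmware variables have not yet been serviced, whichever hypervisor it runs on; that is the row worth tracking across the fleet, and `SecureBootTemplate` on the host side tells you which firmware template the VM was created from, which is the thing older templates or hardware versions would differ on.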