Academy hub

Secure Boot certificates are expiring pt. 1

๐Ÿ”’ Secure Bits ๐Ÿ’ก
๐—ฆ๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ฒ ๐—ฏ๐—ผ๐—ผ๐˜๐˜€ ๐—ฐ๐—ฒ๐—ฟ๐˜๐—ถ๐—ณ๐—ถ๐—ฐ๐—ฎ๐˜๐—ฒ๐˜€ ๐—ฎ๐—ฟ๐—ฒ ๐—ฒ๐˜…๐—ฝ๐—ถ๐—ฟ๐—ถ๐—ป๐—ด ๐—ถ๐—ป ๐—๐˜‚๐—ป๐—ฒ ๐Ÿฎ๐Ÿฌ๐Ÿฎ๐Ÿฒย – ๐—บ๐—ฎ๐—ป๐˜‚๐—ฎ๐—น ๐˜€๐˜๐—ฒ๐—ฝ๐˜€ ๐—ฎ๐—ฟ๐—ฒ ๐—ฟ๐—ฒ๐—พ๐˜‚๐—ถ๐—ฟ๐—ฒ๐—ฑ ๐˜ฑ๐˜ต. 1

Microsoft says many Windows client devices may update automatically, butย Windows Server requires manual action.

I assumed this type of operation would be ๐˜€๐˜๐—ฟ๐—ฎ๐—ถ๐—ด๐—ต๐˜๐—ณ๐—ผ๐—ฟ๐˜„๐—ฎ๐—ฟ๐—ฑ.
โŒ It wasnโ€™t.

๐——๐—ถ๐˜€๐—ฐ๐—น๐—ฎ๐—ถ๐—บ๐—ฒ๐—ฟ: This is just a record of how I proceeded step by step in my own environment and what I observed. Results may differ, and Iโ€™m not finished with the full remediation yet.

โธป

๐Ÿ“ ๐—™๐—ถ๐—ฟ๐˜€๐˜ ๐—ข๐—ฏ๐˜€๐—ฒ๐—ฟ๐˜ƒ๐—ฎ๐˜๐—ถ๐—ผ๐—ป๐˜€
As promised By Microsoft, my Windows desktops updated automatically. But you can still encounter errors and you might end up doing similar procedure to what is below.

Example below is from WS 2022 (VMware – VM version 19). And yesโ€ฆ in a VM theย virtual firmwareย matters (VM hardware version / NVRAM state / hypervisor behavior). Microsoft warns firmware issues can block Secure Boot certificate updates.

โธป

๐Ÿ”Ž ๐—ฆ๐˜๐—ฒ๐—ฝ ๐Ÿญ โ€“ ๐—–๐—ต๐—ฒ๐—ฐ๐—ธ ๐—˜๐˜ƒ๐—ฒ๐—ป๐˜ ๐—Ÿ๐—ผ๐—ด๐˜€
Look in System log for Secure Boot variable events:
โ€ข 1808 – Certificates successfully applied
โ€ข 1801 – Certificates not applied to firmware
โ€ข 1796 – Unexpected error during update step

I saw 1801 โ€” meaning nothing had actually been applied yet.

โธป

๐Ÿ”Ž ๐—ฆ๐˜๐—ฒ๐—ฝ ๐Ÿฎ โ€“ ๐—–๐—ต๐—ฒ๐—ฐ๐—ธ ๐—จ๐—ฝ๐—ฑ๐—ฎ๐˜๐—ฒ ๐—ฆ๐˜๐—ฎ๐˜๐—ฒ
I ran Microsoftโ€™s detection script:
โ€ข Secure Boot enabled
โ€ข Nothing initiated
โ€ข Scheduled task exists

The update mechanism runs via scheduled task:
\Microsoft\Windows\PI\Secure-Boot-Update

If your server hasnโ€™t been patched recently, this task might not even exist.
My VM was patched until 01/2026.

โธป

๐Ÿ”ง ๐—ฆ๐˜๐—ฒ๐—ฝ ๐Ÿฏ โ€“ ๐—˜๐—ป๐—ฎ๐—ฏ๐—น๐—ฒ ๐——๐—ฒ๐—ฝ๐—น๐—ผ๐˜†๐—บ๐—ฒ๐—ป๐˜ ๐˜ƒ๐—ถ๐—ฎ ๐—š๐—ฃ๐—ข
I had to install updated Administrative Templates as I was missing the SecureBoot.admx. I then enabled:
โ€ข Enable Secure Boot Certificate Deployment

After:
โ€ข gpupdate
โ€ข Registry changes appeared
โ€ข Script confirmed deployment enabled

Then I manually triggered the task. It also runs after reboot and every 12 hours.

It requested a reboot.

โธป

โŒ ๐—ฆ๐˜๐—ฒ๐—ฝ ๐Ÿฐ โ€“ ๐—™๐—ฎ๐—ถ๐—น๐˜‚๐—ฟ๐—ฒ
After restart:
โ€ข Event 1796
โ€ข Step: KEK 2023
โ€ข Error: Invalid access to memory location

If everything goes well, it ends up here for you with event ID 1808. But not for me, this is where things became more complicated.

โธป

โš ๏ธ Virtualization Dependency (in my case – VMware)
Broadcom published guidance that some Secure Boot update failures in VMware VMs require remediation at the VM firmware / UEFI Secure Boot variable level, not just inside Windows.

In some cases, their workaround involves:
โžก Manually updating the Platform Key (PK) in the VM via UEFI setup.
Yes. You read that right. Enterprise-grade experience, right?

They mention theyโ€™re working on a more automated solution, fingers crossed.

โธป

This is far more complex than it looks on paper and I feel like this is going to be an issue for many administrators.

To be continuedโ€ฆ

buy a course