Update to Secure Boot 2023 certificates for Azure Virtual Desktop deployments by June 2026
I received an email that in June 2026, Secure Boot 2011 certificates will begin to expire. To maintain protection against new boot-level threats, Azure Virtual Desktop deployments should be updated to Secure Boot 2023 certificates by June 2026. The registry on my VDI is having two UEFI keys with error codes. Please advise how to update to the new secure boot certificates.
-
Manish Deshpande 7,010 Reputation points • Microsoft External Staff • Moderator
Hey Vasil, it looks like your session hosts already see both the 2011 and 2023 certs, but the registry is stuck in “InProgress” and throwing 0x80070005 (access denied) and Event ID 1795. To get those UEFI variables fully updated to the 2023 Secure Boot certificates, here’s what you can do:
- Confirm your Azure Virtual Desktop session hosts meet the basics • They must be Generation-2 VMs with Secure Boot enabled in the Azure portal (Session hosts > Boot diagnostics > UEFI settings). • They need the latest Windows cumulative updates so that the 2023 certificate update packages are present.
Trigger the UEFI variable update via supported deployment methods Microsoft ships the new 2023 CA certificates as a Windows Update package (for example, KBs in Windows 10 22H2 / Windows 11 cumulative updates). You can deploy and enforce that update by: • Windows Update for Business or WSUS – let the update flow normally. • Microsoft Intune – create a Settings Catalog profile using the “Windows Platform > Secure Boot certificate update” CSP to stage and apply the certificates. • Group Policy – if you’re on-prem, use the corresponding ADMX/ADML for Secure Boot variable updates. • Registry/CSP script – in isolated environments you can set the UEFIVariableUpdate CSP node or write the necessary registry values under HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot and then reboot.
Reboot and validate After installation you must reboot the VM. On startup Windows will write the new CA chain into the UEFI DB, DBX and KEK. Once complete, check: • UEFICA2023Status = “Updated” • UEFICA2023Error = 0 • Event IDs 1801/1795 no longer appear And of course ensure WindowsUEFICA2023Capable = 1.
Pilot, then roll out Always start with one or two session hosts to confirm the process works (especially if you’re BitLocker-enabled). Once you see the registry values flip to “Updated” and no BitLocker prompts trigger, roll out to the rest of your pool.
If you run into permission/access-denied errors again (0x80070005), double-check that:
- You’re running the update as a local administrator (or under the SYSTEM context if using Intune/GPO).
- No third-party security software is blocking UEFI variable writes.
Let me know:
- The exact OS build (e.g. Windows 10 22H2 build 19045.xxx or Windows 11 build 22621.xxx)
- How you’re deploying updates today (Intune, WSUS, manual) and I’ll point you to the specific CSP or policy settings to push.
Thanks,
Manish. -
Vasil Danchev 0 Reputation points
Hi Manish,
This is Windows 11 Enterprise multi-session version 10.0.22631. I am deploying updates manually via Windows Update and the session host is up to date.
Vasil
-
Manish Deshpande 7,010 Reputation points • Microsoft External Staff • Moderator
Hi @Vasil Danchev ,
Thanks for the follow-up that OS build detail helps a lot.
A value of 2 means the 2023 certificate is not just present in the UEFI DB — the device is actively booting from it. The boot manager transition on the last reboot completed successfully. So the most critical piece of this update is already done on your session host.
Why you're still seeing
InProgress+0x80070005+ Event ID 1795Azure Gen 2 virtual machines, including Azure Virtual Desktop multi-session hosts, do not support guest OS–initiated updates of Secure Boot variables such as KEK/DB/DBX. This is exactly why the registry-based method leaves
UEFICA2023Statusstuck atInProgressand logs Event ID 1795 with "Access is denied" from TPM-WMI on Hyper-V UEFI firmware.In other words this isn't a Windows permissions problem or a missing update. It's a platform-level restriction in how Azure's Hyper-V UEFI firmware works. The guest OS simply cannot write to the KEK slot directly. This is expected behavior on Azure VMs and is a known pattern documented in the Microsoft Q&A community.
What you should actually do
Step 1 — Confirm your VM security type
In the Azure portal, go to Virtual machines → your session host → Configuration → Security type.
- If it's Trusted Launch with Secure Boot enabled → certificates must be updated (you're in this bucket).
- If it's Standard security or Gen 1, or Secure Boot is disabled → no action needed for the 2023 certificates.
Step 2 — Verify the DB certificate is applied (it likely is)
Run this in an elevated PowerShell session on the session host:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')If this returns
True, the 2023 certificate is in the Secure Boot DB and you are protected. Combined withWindowsUEFICA2023Capable = 2, this confirms the key part of the update is complete.Step 3 — Run Microsoft's Inventory Script
Microsoft provides a Sample Secure Boot Inventory Data Collection script that checks Secure Boot certificate update status — it collects Secure Boot state, UEFI CA 2023 update status, firmware version, and event log activity. Run this across your host pool to get a clear picture. You can find it linked from the AVD-specific support article below.
Step 4 — For golden images / Azure Compute Gallery
For Azure Virtual Desktop environments using Azure Compute Gallery images, apply the Secure Boot 2023 certificate update to the golden image before capturing it, then verify certificates are updated before provisioning new session hosts.
Step 5 — For the KEK update specifically
The documentation does not describe a separate Azure-side backend handling plan for KEK 2023 on Gen 2 AVD VMs beyond the general statement that most devices will receive the new 2023 Secure Boot certificates automatically. Microsoft is rolling this out at the platform level for Trusted Launch VMs. The
InProgressstate for KEK on Azure Gen 2 is something you can report via Azure Support if it remains stuck after June 2026, but theUEFICA2023StatusbeingInProgresswithWindowsUEFICA2023Capable = 2is not a critical failure state for AVD.TL - DR for your environment (Windows 11 Enterprise multi-session 22631, manual Windows Update):
Registry Value What it means UEFICA2023Status = InProgressKEK write blocked by Azure Hyper-V UEFI — expected on AVD Gen 2 UEFICA2023Error = 0x80070005Access denied to UEFI KEK variable — platform restriction, not a Windows bug WindowsUEFICA2023Capable = 2DB cert applied, boot manager updated — you're in good shape Links for reference :
Thanks,
Manish -
Manish Deshpande 7,010 Reputation points • Microsoft External Staff • Moderator
Hello @Vasil Danchev
I wanted to check if my last response made sense. I’d be glad to assist further or explain anything in more detail and please accept as Yes and upvote if the answer is helpful so that it can help others in the community.
Sign in to comment
1 answer
-
Scott Nguyen 1,550 Reputation points • Independent Advisor
Hello Vasil Danchev,
Based on the first error log, the issue indicates an “Access Denied” failure. This behavior commonly occurs in Azure Virtual Desktop environments when the SYSTEM account does not have Full Control permissions on the
%windir%directory.To resolve this, you should first reset the permissions and restore
NT SERVICE\TrustedInstalleras the owner of the%windir%\WinSxSdirectory using theicaclstool.Next, clear the cached update state by stopping the
wuauserv,bits, andcryptSvcservices, then rename the%windir%\SoftwareDistributionfolder. After clearing the cache, run:DISM /Online /Cleanup-Image /RestoreHealthThis command repairs corrupted manifests that may be preventing the certificate payload orchestration process.
Since this is an Azure Virtual Desktop environment, it is recommended to execute these commands through the Azure Portal’s “Run Command” script feature.
Finally, perform a full stop and deallocation of the session host in the Azure Portal. This forces the underlying hypervisor to re-evaluate the Trusted Launch configuration and successfully commit the updated keys to NVRAM.
For a more detailed step-by-step guide, please refer to the official Microsoft documentation:
https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/troubleshoot-windows-update-error-0x80070005-
Vasil Danchev 0 Reputation points
Hello Scott,
Thanks for the instructions. To be clear, I do not have issues with Windows Update. I just installed updates for May fine. Regardless, I made sure that NT SERVICE\TrustedInstaller is the owner of the two folders. Then cleared the cached update state and ran the DISM command. After deallocating the VM and starting it again I see no change in the registry. I would prefer to work directly with Microsoft support to investigate further but Azure Portal did not allow me to submit a support request, instead redirected me to the Q&A forum. I am concerned that Microsoft will revoke the old UEFI cert at some point and my VDIs will fail to boot. Please advise how to proceed further.
Sign in to comment -