Is my computer ready for the 2026 Secure Boot certificate expiration?

Why is the Secure Boot update failing on Dell and Hyper-V systems?

The deadline for the Secure Boot certificate expiration is approaching in June 2026. While Microsoft intended a smooth transition via standard Windows updates, administrators and users are encountering significant technical barriers. These hurdles primarily stem from virtualization incompatibilities and manufacturer-specific hardware restrictions.

The Virtualization Bottleneck: Hyper-V Compatibility

A critical issue currently affects Microsoft Hyper-V virtual machines (VMs). Users attempting to apply the 2023 Key Exchange Key (KEK) update often see it fail and log Event ID 1795.

This error occurs because the Platform Key (PK) currently used by many Hyper-V VMs does not match the serial number expected by the update package. Essentially, the update attempts to replace a key that the VM does not recognize.

Current Status and Solution

Microsoft has acknowledged that Hyper-V does not yet support these KEK updates.

  • The Fix: Microsoft plans to release a patch enabling this support in March 2026.
  • Action Required: Once the March update releases, the certificate refresh should occur automatically upon the next VM restart. No manual intervention should be necessary after patching the host.

Other Virtual Environments

Competing virtualization platforms already support the new certificates.

  • VMware: Supports the new certificates starting with version 8.2.
  • Proxmox: Compatible from version 9.1.4 (specifically via the pve-edk2-firmware package, version 4.2025.05-1).

Hardware Conflicts: The Dell BIOS Restriction

Users installing the January 2026 Preview Update (KB5074105) on Dell systems have reported persistent installation failures. This update contains the code necessary to replace the aging Secure Boot certificates.

The Root Cause

Unlike manufacturers such as ASUS or MSI, Dell restricts Windows Update from modifying critical Secure Boot certificates directly. Dell requires these changes to occur via a proprietary UEFI BIOS update. Consequently, when Windows Update attempts to write the new keys, the hardware blocks the action.

Advisory for Dell Owners

  1. Manual Intervention: You cannot rely solely on Windows Auto-Update. You must check Dell’s official support site for a BIOS update explicitly stating, “This BIOS contains the new 2023 Secure Boot Certificates.”
  2. Legacy Hardware Risk: Older Dell systems that have reached End-of-Life (EOL) status will likely not receive this BIOS update.
  3. The Consequence: If a legacy system cannot receive the new certificate, you may be forced to disable Secure Boot and TPM to maintain functionality after the June 2026 cutoff, which significantly lowers the device’s security posture.

Monitoring and Verification

For systems administrators managing fleets of devices, reactive troubleshooting is inefficient. You can proactively monitor compliance status through the Intune Admin Center.

Navigate to Reports > Windows Autopatch > Windows Quality Updates. This dashboard displays the current Secure Boot status of managed devices, allowing you to identify vulnerable endpoints before the June deadline. Thorough preparation now will prevent critical boot failures later this year.
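
A per-device check to complement the Intune report, as an added example that is not part of the original article: run from an elevated PowerShell session, it reports whether Secure Boot is enabled, whether the KEK and db variables already contain a 2023 certificate, and whether Event ID 1795 has been logged. The certificate subject strings and the event provider name are assumptions taken from Microsoft's public Secure Boot guidance, not from this article.

```powershell
# Added example: local Secure Boot certificate check (elevated session required).
# Assumptions not stated in the article: the certificate subject strings and the
# event provider name come from Microsoft's public Secure Boot guidance.
$Expected = @{
    KEK = 'Microsoft Corporation KEK 2K CA 2023'
    db  = 'Windows UEFI CA 2023'
}

function Test-SecureBootVariable {
    param([string]$Name, [string]$Subject)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
        # Certificate subject names are readable as ASCII inside the stored blob.
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)
        return $text -match [regex]::Escape($Subject)
    } catch {
        Write-Warning "Could not read UEFI variable '$Name': $($_.Exception.Message)"
        return $null   # unknown: legacy BIOS, not elevated, or variable missing
    }
}

$report = [ordered]@{ Computer = $env:COMPUTERNAME }

# Confirm-SecureBootUEFI throws on non-UEFI systems and in non-elevated sessions.
try   { $report.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $report.SecureBootEnabled = $null }

foreach ($var in $Expected.Keys) {
    $report["${var}Has2023Cert"] = Test-SecureBootVariable -Name $var -Subject $Expected[$var]
}

# Event ID 1795 is the failure the article describes for the KEK update.
$filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1795 }
$events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue)
$report.Event1795Count  = $events.Count
$report.LastEvent1795At = if ($events.Count) { $events[0].TimeCreated } else { $null }

[pscustomobject]$report
```

A `$null` in any column means the value could not be read, which is distinct from `False` (read successfully, 2023 certificate absent).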