Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
Is this for ubuntu 20.04 vm or all other vm?Kindly provide an update ASAP.
Issue regarding secure boot certificates upgradation from 2011 to 2023 for ubuntu 20.04 VM deployed in azure environment.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 41%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJR%3C/text%3E%3C/svg%3E)
Jagan R
0
Reputation points
Hello,
I have an azure advisory recommendation to update the secure boot certificate from 2011 to 2023 in ubuntu 20.04 vm .I tried updating the firmware using below commands:
sudo fwupdmgr update
sudo reboot
After reboot, verify that the new certificates are present:
mokutil --db | grep -i "2023"
sudo apt update
sudo apt install --only-upgrade \
shim-signed \
grub-efi-amd64-signed \
grub-efi-amd64-bin
sudo reboot
apt list --upgradable | grep -E "shim|grub"
I found out that there is no certificate available inside vm even after the update for firmware. Kindly help me out in fixing the issue. I have rebooted the vm as well.
Azure Virtual Machines
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 8%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHS%3C/text%3E%3C/svg%3E)
Himanshu Shekhar 6,710 Reputation points Microsoft External Staff Moderator2026-06-19T07:34:18.37+00:00 Option 1 Please fwupd (only if you can get fwupd ≥ 2.0.8):
sudo fwupdmgr refresh sudo fwupdmgr update sudo rebootIf fwupdmgr update reports no updates, your fwupd is too old > use Option B
Option 2 – Manual db + KEK update via efitools (reliable on 20.04): https://support.microsoft.com/en-us/topic/secure-boot-certificate-updates-for-linux-on-azure-virtual-machines-df51ba85-4e1e-4eda-b1d8-f0881970e997
# Download Azure db + KEK packages wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/KEK/Microsoft/KEKUpdate_Microsoft_PK1.bin # Apply (append) to firmware sudo efi-updatevar -a -f DBUpdate3P2023.bin db sudo efi-updatevar -a -f KEKUpdate_Microsoft_PK1.bin KEK sudo rebootAn equivalent sbsigntools/sbkeysync method is also documented in the KB if efitools isn't available.) [Secure Boo...ft Support | Support.Microsoft.com]
Order matters: please apply the firmware (db/KEK) update first, reboot and verify, and only then update shim/grub. Doing shim first risks an unbootable VM
mokutil --db | grep "UEFI CA 2023" mokutil --kek | grep "KEK 2K CA 2023"or with efit tool
efi-readvar -v db | grep "UEFI CA 2023" efi-readvar -v KEK | grep "KEK 2K CA 2023"A match on both confirms the 2023 db and KEK are enrolled in virtual UEFI firmware. After that succeeds, it's safe to apply the shim/bootloader upgrades
Take an OS-disk snapshot before you start. Recovery options per KB:
Please restore the pre-update backup, convert Trusted Launch > Standard and re-enable Trusted Launch, or export the OS VHD and redeploy from a gallery image.
Note - Canonical's incremental fwupd rollout of the 2023 CA was paused on June 11, 2026 due to issues with mtd firmware and BitLocker systems, so the fwupd path may not yet deliver on every Ubuntu build - which is another reason the manual efitools method (Option B) is the more dependable route right now
Sign in to comment
3 answers
Sort by: Most helpful
-
Jagan R 0 Reputation points
2026-06-19T07:06:38.4966667+00:00 Is this for ubuntu 20.04 VM?
-
AI answer
2026-06-19T07:01:06.85+00:00 For Azure VMs, Secure Boot trust is enforced by the UEFI firmware of the underlying host, not by certificates inside the guest OS. The 2011→2023 Secure Boot certificate transition is about updating the UEFI Secure Boot databases (DB/DBX) and KEK in firmware so that Windows (and other OS bootloaders) signed with the new 2023 CAs remain trusted.
The commands run inside Ubuntu (fwupdmgr, shim/grub updates, mokutil) affect the guest boot components and any OS-level trust stores, but they do not control or directly expose the host’s UEFI Secure Boot certificates. It is therefore expected that
mokutil --dbin the guest does not show the Microsoft 2023 Secure Boot CAs; those CAs live in the host firmware and are managed by Microsoft/Azure and OEM firmware updates.Key points from the provided guidance:
- Microsoft is transitioning from the 2011 Secure Boot CAs to new 2023 CAs (for example, Windows UEFI CA 2023, Microsoft UEFI CA 2023, Microsoft Option ROM UEFI CA 2023). These are stored in the firmware Secure Boot DB/KEK, not inside the guest OS.
- Devices (including platforms hosting VMs) must be updated to the 2023 certificates before the 2011 certificates expire (starting June–October 2026) to remain in compliance and continue receiving boot-level security updates.
- If firmware blocks or fails Secure Boot updates (for example, Event ID 1795 on Windows), the guidance is to work with the OEM or platform provider and apply firmware/host updates; the fix is not inside the guest OS.
- After expiration, systems without the new 2023 CAs can still boot and receive normal OS updates, but they will no longer receive new boot-level security protections.
For an Azure Ubuntu VM:
- The advisory about 2011→2023 Secure Boot certificates refers to the host/firmware layer managed by Azure. There is no supported way from inside the Ubuntu guest to directly verify or modify those Microsoft Secure Boot CAs.
- Updating shim/grub and running
fwupdmgrin the guest is still good practice so that the guest boot chain is current and compatible with newer firmware trust anchors, but it will not make the Microsoft 2023 CAs appear inmokutil --db. - If the Azure advisory persists or indicates a platform-side issue, the next step is to treat it as a platform/firmware concern and work with Azure support so they can confirm the host’s Secure Boot certificate state and apply any required platform updates.
In summary, the absence of the 2023 Microsoft CAs in
mokutil --dbinside the Ubuntu VM does not mean the Azure advisory cannot be satisfied; the relevant certificates are managed at the firmware/host level, not inside the guest OS.
References:
AI-generated content may be incorrect. Read our transparency notes for more information.