Are GCE VMs with Secure Boot off but vTPM enabled affected by the Microsoft Secure Boot certificate rotation (June 2026)?

Looking for confirmation on a Google Cloud advisory we received about the upcoming Microsoft Secure Boot certificate rotation (deadline June 24, 2026).

The advisory listed two of our GCP projects as potentially needing attention. After reviewing our setup, I believe no action is required, but I’d like a sanity check before we close the loop internally.

Our configuration

  • All VMs are Linux (stock Ubuntu images from ubuntu-os-cloud)
  • Shielded VM settings on all instances:
    • Secure Boot: off (GCE default for Linux)
    • vTPM: on (GCE default — enabled but not used by any workload)
    • Integrity Monitoring: on
  • No custom or imported images
  • No disk encryption via LUKS
  • No Windows VMs, no BitLocker
  • No workload seals secrets to the vTPM

My understanding

The advisory’s filter appears to flag any project containing VMs with vTPM enabled, regardless of whether the vTPM is actually used to seal secrets. Because vTPM is on by default for all GCE VMs, this catches a very broad set of projects.

The certificate rotation should only impact:

  1. VMs that boot with Secure Boot enabled, or
  2. Workloads that seal secrets to the TPM

Since we do neither, I believe we’re not actually affected.

Questions

  1. Is the above understanding correct?
  2. Is there any scenario where a Linux VM with Secure Boot off and an unused vTPM would still be impacted by the Microsoft UEFI CA 2011 / Windows Production PCA 2011 rotation?
  3. Is being listed in the advisory simply a side effect of the broad filter, and safe to ignore for setups like ours?

Thanks in advance.
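An added verification step, not part of the original post: a Python triage over the JSON that `gcloud compute instances list --format=json` emits, applying the poster's own two criteria (Secure Boot on, or a workload sealing secrets to the TPM) to separate instances that merit review from those caught only by a broad vTPM filter. The sample instances, their names and the set of TPM-sealing workloads are constructed; the `shieldedInstanceConfig` field names are those of the GCE API.

```python
"""Triage GCE instances against the two criteria stated in the post.

Assumes the JSON shape of `gcloud compute instances list --format=json`,
whose per-instance `shieldedInstanceConfig` object carries
enableSecureBoot, enableVtpm and enableIntegrityMonitoring. Whether a
workload seals secrets to the TPM is not visible from the API, so it is
supplied as a set of instance names (constructed here).
"""
import json

# Constructed sample output (not real project data): four instances.
SAMPLE_GCLOUD_JSON = json.dumps([
    {"name": "web-1", "zone": "zones/us-central1-a",
     "shieldedInstanceConfig": {"enableSecureBoot": False, "enableVtpm": True,
                                "enableIntegrityMonitoring": True}},
    {"name": "win-1", "zone": "zones/us-central1-b",
     "shieldedInstanceConfig": {"enableSecureBoot": True, "enableVtpm": True,
                                "enableIntegrityMonitoring": True}},
    {"name": "db-1", "zone": "zones/us-central1-b",
     "shieldedInstanceConfig": {"enableSecureBoot": False, "enableVtpm": True,
                                "enableIntegrityMonitoring": True}},
    # Non-Shielded VM: the API omits the config block entirely.
    {"name": "legacy-1", "zone": "zones/us-central1-c"},
])


def classify(instance, tpm_sealing_instances=frozenset()):
    """Return a verdict string for one instance record."""
    cfg = instance.get("shieldedInstanceConfig", {})
    secure_boot = bool(cfg.get("enableSecureBoot", False))
    vtpm = bool(cfg.get("enableVtpm", False))
    if secure_boot:
        return "REVIEW: Secure Boot enabled"
    if vtpm and instance["name"] in tpm_sealing_instances:
        return "REVIEW: workload seals secrets to the vTPM"
    if vtpm:
        return "FLAGGED-ONLY: vTPM on, Secure Boot off, no TPM sealing"
    return "NOT-FLAGGED: no vTPM"


def triage(gcloud_json, tpm_sealing_instances=frozenset()):
    """Map instance name -> verdict for a whole `gcloud ... --format=json` dump."""
    return {i["name"]: classify(i, tpm_sealing_instances)
            for i in json.loads(gcloud_json)}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_GCLOUD_JSON, {"db-1"}).items():
        print(f"{name:10s} {verdict}")
```

Instances that only come back as FLAGGED-ONLY match the configuration described in the post; any REVIEW entry is one to look at before closing the advisory.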