Investigate whether we need to upgrade Azure instance ID certs #1147
Description
From Microsoft:
Update certificates for Azure Instance Metadata Service
You're receiving this notification because you're associated with one or more Azure subscriptions that use Azure Instance Metadata Service (IMDS) Attested data.
Starting in January 2026, Microsoft will introduce new certificates issued by new Subordinate Certificate Authorities (Sub CAs). These will replace the current Sub CAs, which expire in April 2026. The Azure Instance Metadata Service will start using these new certificates in January 2026.
Most customers don't need to take action. You can ignore this message if your application does not use certificate pinning on IMDS Attested data.
Recommended action
We recommend discontinuing certificate pinning. If you must continue using certificate pinning, update your allowed list to include all CA certificates used by Azure services before 6 January 2026. This will help prevent disruptions when using the Attested data endpoints in your application. Please continue to monitor the documentation by keeping both current and newly added root or intermediate CAs in your applications or devices until the transition period ends in April 2026 (necessary to prevent connection interruptions).
Note: Not all regions have the same timeline. You can find additional details and timelines by region here.
If you aren't the owner of the application or marketplace image, check the updates from the application or image owners who are responsible to determine whether the application or image licensing is impacted.
Help and support
If you have questions, get answers from community experts in the Azure Instance Metadata Service Attested data certificate changes FAQ. If you have a support plan and you need technical help, please create a support request.