Event details
Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. We recently published the first version of the Secure Boot playbook, outlining the tools and steps you can take today to proactively plan and prepare for this milestone. Join this AMA with your questions about update scenarios, inventorying your estate, and formulating the right deployment plan for your organization.
On the panel: Arden White; Scott Shell; Richard Powell; Kevin Sullivan
How do I participate?
Registration is not required. Simply select Add to calendar then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
Get started with these helpful resources
113 Comments
- HigherEdArchitect (Copper Contributor)
With the new Windows events being generated, for Windows Server SKUs (primarily VMs) without Secure Boot enabled, why are Microsoft-Windows-TPM-WMI events - specifically event 1801 - being generated? The device with Secure Boot disabled at the hypervisor layer doesn't update nor meet the requirements.
- Pprasadjjoshi (Occasional Reader)
We successfully deployed the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\MicrosoftUpdateManagedOptIn (DWORD value 0x5944) via Proactive Remediation and tested applying it through Intune Settings Catalog with the following settings:
- Enable Secure Boot Certificate Updates: Enabled
- Configure High Confidence Opt Out: Disabled
- Configure Microsoft Update Managed Opt In: Enabled
However, the Settings Catalog configuration fails. We want to replace the script by using a device configuration profile. Is setting this registry key alone sufficient to enable Secure Boot updates, or should the additional settings above also be applied?
- TastyPastry (Copper Contributor)
Is there any sort of reporting that we could use to better monitor where the certificates have not yet been updated?
- AntonDobschensky (Brass Contributor)
Does the certificate update come in a specific update classification?
- RickNordmeyer (Occasional Reader)
Will this update to Secure Boot cert trigger a BitLocker recovery event? Is it recommended to suspend BDE prior to updating the cert?
- RandomWorkstationAdmin (Copper Contributor)
How can we tell which of our devices are in this "high confidence" bucket?
- RandomWorkstationAdmin (Copper Contributor)
Looks like it can be found in the "System" event log, checking either Event ID 1801 or 1808. It would be nice if there was an easier way to see this information and report on it...
- jalcorta (Occasional Reader)
What about VMware VMs that are secure-boot enabled? When I talked to Broadcom they said there is nothing to do, just update the hardware BIOS. (Dell PowerEdge) ... is this correct?
- Gary19 (Occasional Reader)
What's the difference between using the 0x5944 registry value for AvailableUpdates and using the high confidence opt in?
- Jim Hamby (Copper Contributor)
My HP EliteBook 845 G8 shows that the Windows UEFI CA 2023 certificate has been updated "automagically," but not the other three.
Should I expect that situation to resolve itself, or is additional action required?
If the device were to remain in this state (only the Windows UEFI CA 2023 updated/activated) will Windows & Secure Boot still function and update properly?
- ChrisSchoening (Occasional Reader)
Will any type of reporting via CM or Intune be created for large enterprises to track progress and compliance?