The tool to assess current state of the machine and the certificates was mentioned during the event.  Where will it be released?

I would like clarification on the process on machines that have no internet access. We have 8 domains that have nothing but Windows 10 and 11 LTSC. 

According to CMPivot in ConfigMgr, we're detecting over 1500 Windows 11 devices without the "UEFICA2023Status" registry key. Why would this be? We had planned on using this in a detection scenario where we could flip the AvailableUpdates key on devices where the "UEFICA2023Status" key was "NotStarted"

We previously had access to the new Intune Secure Boot Certificate Status Report in our tenant, but as of today the report is no longer visible, without any tenant-side changes.

Can Microsoft confirm whether this report has been temporarily rolled back or disabled as part of a service-side change, and whether there is an expected timeline for when it will become available again?

About the Media Update, do we have latest ISO available with 2023 Certificates updates for Server OS like 2016, 2019, 2022 in Volume licensing portal?

Secondary how can I update the Custom build server OS iso image (that we built using WinPE and ADK) if required ?

Concerned about the inconsistent registry values we are seeing. In the Secure Boot Playbook, it mentions that the device should have a key of UEFI2023Status set to Updated if the device has been through the process. We have a high number of machines that don't have this but the value for WindowsUEFICA2023Capable is set to 2. 

Thank you everyone for your participation in this Secure Boot AMA! Below are the questions the panelists answered live, along with associated timestamps: 

Question – What happens to devices after a certificate expires? – answered at 1:14.

Question – I understand these devices will continue to boot after June 2026 even with Secure Boot active. However, what happens if there are changes e.g. to bootmgfw.efi or the underlying hardware? What would be the impact? Can we let such a device live until HW dies to avoid replacement still good working HW? – answered at 2:18.

Question – If a firmware update for an older machine is released after June 2026, will it be possible to install/deploy the new certificates manually at that point? – answered at 3:53.

Question – Can you provide clarification on this? Does Microsoft currently deploy the Secure Boot 2023 certificates using a hybrid rollout model (telemetry-based CFR combined with optional policy-based control)? – answered at 5:08.

Question – At what point will policybased opt in become the primary or required mechanism for IT managed devices? – answered at 6:37.

Question – Could you talk about the device's local Secure Boot enforcement mode (Strict, Standard, Audit etc.) please? Someone in our team mentioned it today - that if devices are in Strict mode they won't boot without the new certificate? I've not seen this mentioned in the MS docs I've read. – answered at 9:10.

Question – We've been seeing devices that appear to be eligible for the automatic Secure Boot cert updates based on the documentation available via MS but don't seem to progress. Can you confirm the minimum “eligibility checklist” for the automatic Secure Boot certificate update (OS baseline, update level, UEFI + Secure Boot, diagnostic data level, etc.), and which items are hard blockers vs “recommended”? Once a device is eligible, what is the typical timeline (hours, days, weeks) to observe progress? – answered at 13:46.

Question – Can you elaborate on the differences between the active db and the default db? This seems to be a common point of confusion.  – answered at 15:44.

Question – If diagnostic data/telemetry is disabled, what specifically stops working? Does it prevent Microsoft from delivering the secure boot update altogether, or does it mainly impact reporting and insights? – answered at 17:19.

Question – what is the process to update devices with currently safeboot disabled.? – answered at 19:09.

Question – We have several physical HyperV host servers where Secure Boot is currently disabled at the Windows hypervisor level, while the guest virtual machines have Secure Boot enabled. Please confirm whether it is still necessary to update the compatible firmware on these HyperV host servers.  – answered at 21:32.

Question – Is there (or will there be) a tool or series of PowerShell commands that can be used to assess the current status of the computer and 2023 Certificate?  – answered at 22:46.

Question – Can we proceed with the firmware upgrades on the physical HyperV servers with OEM Support before Microsoft releases the fix of event ID 1795 (write protected) on March 10th? – answered at 23:48.

Question – Are there other mitigations we can take in our environment to ensure devices that cannot get the certificate are less vulnerable? – answered at 24:38.

Question – You mentioned that as long as a device doesn’t log a specific Event ID indicating it’s blocked from receiving the Secure Boot update, the update will be delivered in the coming months. Which Event ID are you referring to 1801? – answered at 26:12.

Question – I thought I heard someone say that Server OS shouldn't be expected to receive updates via CFR. Did I hear that correctly? If yes, can you elaborate?  – answered at 27:22.

Question – When stating "Microsoft will push the new certificates through Windows Update", what does that mean specifically in the secure boot pipeline? You are pushing 2023 into the DB? You are signing the Boot Manager in the EFI partition with the 2023 certificate? you are pushing 2011 into the DBX? What happens when a machine is reimaged with a factory or custom image?   – answered at 29:34.

Question – Will Microsoft force the revocation of the 2011 certs at some point? – answered at 35:34.

Question – What’s the best approach to use for dual-boot devices? Either 2 Windows instances or a Linux and Windows setup? – answered at 36:51.

Question – Is there a plan for Microsoft or OEM to only ship hardware with new 2023 certs? Assuming that when option ROM expire it will not be possible to certify new devices after this date? I.e. Dell release new laptop model in Jan 2027 will only ship with 2023 certs?  Does this mean not compatible with old 2011 bootloaders (Operating Systems) – answered at 40:04.

Question – What is happening with consumer hardware? For example, someone’s Grandma who doesn’t know what Secure Boot is but has a 5-year-old Windows 11 laptop? – answered at 41:06.

Question – Is the presence of event ID 1808 sufficient to validate the successful Secure Boot certificate renewal or should we additionally verify the certificate expiry details? – answered at 41:39.

Question – If we don’t use Intune, what does Microsoft suggest as the most reliable method? – answered at 42:14.

Question – Can you please further document actions to undertake when a system doesn't boot after enabling secure boot from the BIOS, like precising all the mandatory settings to implement for it to work and possibly bringing the host back to a secure baseline which allows it to boot with the setting enabled, this aspect isn't documented properly and or I'm missing where to look at. – answered at 44:22.

Question – For the third-party antivirus it will have any affect if the certificate doesn't update? – answered at 43:39.

Question – I'm doing test in my lab, and i have successfully completed the update of the Secure boot via RegKey, but i have noticed that the boot loader is updated with the new certificate that will expire to May 2026, this will be update automatically during the normal patching process? – answered at 46:08.

Question – Am I correct in assuming that the default db will only be updated by an OEM's BIOS update? In other words, Microsoft updates would only update the Active db, and never the default. Follow up question: What is the risk of not updating the default db when the active db is up to date?  – answered at 48:01.

Question – Is my understanding correct? If you have a common Dell, Lenovo, Surface device you 'should' be fine just to make sure the UEFI / BIOS is up to date, and then leave it for Microsoft to update the certificate on the client via CFR?  If you have some wacky bit of hardware, like custom built gaming pc, odd meetingroom system, then you might need to manually add the reg key manually to tag it as a known good system? – answered at 49:37.

Question – The newest ADMX/ADML template files contain settings to control the Secure Boot cert push/etc. is this actually needed? – answered at 52:18.

Question – When will Windows 365 gallery images contain the new secure boot certificates? – answered at 53:39.

Question – For manually installing the Secure Boot certificate update, is updating the BIOS the only way to do it? If I’m remembering correctly, the Microsoft-provided steps mainly prepare the device to receive the update from Microsoft, but don’t actually provide a way to manually install it. Can you confirm? – answered at 54:10.

Hi, Most of this information seems to pertain to clients.  I have a question about servers.  HPE released an article, https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00156355en_us&hprpt_id=ALERT_HPE_3088457 that says "To enable the Windows UEFI CA 2023 certificate, install the latest BIOS version on each platform. Reset "All Keys to Platform Defaults" is required to activate the Windows UEFI CA 2023 certificate after latest BIOS is installed."

Why is the last step necessary?  What if it's not done?  Why isn't it necessary on clients to do this?  Just wondering because it is a very manual disruptive process that will take quite some time.  Thank you in advance.

Thanks to all participants of yesterday's panel for the explanations.
There were a lot of questions regarding the tools and possible scenarios.
For a better understanding, I/we are however still missing what is REALLY going on with the certificate updates

As said in the video, whatever tool used for the update of the 2023's certificates, it is pointing to same registry keys. From my understanding, those keys are defining the status of the update.
Scott clearly mentioned in the video that the OS can only modify the "active" certificates, while the "default" certificates in the firmware can only be updated by a firmware update provided by the mainboard's manufacturer. During the update from Windows,
What is exactly done on the EFI partition on the hard drive? Which files get modified?
What is written to the UEFI firmware ? Should be the KEK and DB, but what if the firmware is partially "readonly" (e.g. not allowing KEK update)  ?

Maybe, Scott Shell, could you elaborate a bit? Or better, link an article with the deeper technical details? Most of the technical details are already in the playbook and https://support.microsoft.com/en-us/topic/secure-boot-certificate-updates-guidance-for-it-professionals-and-organizations-e2b43f9f-b424-42df-bc6a-8476db65ab2f but without the deeper detail on the EFI.

Above all tools, knowing what is modified could help advanced people to troubleshoot.

I am especially thinking of all older PC than can NOT have a firmware update and will face the possible mismatch of "half" update (one side with 2011 certificate, other with 2023). Those were partially mentioned during the video.
I am very aware that most of the discussion is related to professional users with supported computers. And that owner of older unsupported PC "may want to renew their machine".
However, plenty of older PC can still be used for other purpose, either on Win10 ESU, Windows LTSC, Linux or whatever OS. So it would be very helpful to be able to know what is going on before throwing those PC in the garbage.

Eventually, for older unsupported computers with possible certificate mismatches, what about disabling SecureBoot completely? Isn't is a better recommendation? 

If the device with expired secure boot certificate after June 2026, whether if it will affect the device daily operation, like machine bootup & shutdown, software usage? Will the device turned off secure boot be affected?