Event details

It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!

On the panel: Arden White, Scott Shell, Richard Powell, Kevin Sullivan

How do I participate?

Registration is not required. Simply select Add to calendar then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.

Get started with these helpful resources

Heather_Poulsen
Updated Jan 15, 2026

3 Comments

  • HeyHey16K
    Iron Contributor

    Hey guys 👋,

    In the last Secure Boot AMA (https://techcommunity.microsoft.com/event/windowsevents/ama-secure-boot/4472784) someone asked about the UEFICA2025Status Reg Key showing an unexpected status of "NotStarted". You responded to say you would investigate and advise what to do in this situation. We have this in our environment. When will we be told what to do please?



    • ChromeShavings
      Occasional Reader

      From my understanding, the AvailableUpdates (0x5944) reg key needs to be applied and then a manual fire-off of the scheduled task needs to happen afterward. Once I did this, in this order, the status of UEFICA2023Status went from “NotStarted” to “InProgress”. It took me about 2-3 reboots for changes to take effect. 

      Questions I hope to have answered are below:

      1. Are all 3 certificates (2 DB and 1 KEK) required to rotate in? How many certificates do we need to check for to meet compliance? Some are checking for just one, some are checking for 3… which is it? 
      2. If one certificate is missing in either the DB or KEK databases, is a firmware upgrade of the BIOS required?
      3. According to the documentation, there is an option for “Controlled Feature Rollout” using Microsoft Update Managed certificates (MicrosoftManagedUpdateOptIn). Not too concerned about the level of telemetry that is pulled; however, just curious if this is something that customers can turn on to quickly retrieve these certs. Or if it’s necessary for future cert rotations.
      4. And! What happens if a computer doesn’t have Secure Boot enabled? Or if Secure Boot is enabled, what happens to that device if not compliant by June of 2026?
  • lalanc01
    Iron Contributor

    Hi, any news/eta of the reporting capabilities in Intune to see which devices have the new cert?

    thks