Event details
It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot playbook, but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
On the panel: Arden White, Scott Shell, Richard Powell, Kevin Sullivan
How do I participate?
Registration is not required. Simply select Add to calendar then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
Get started with these helpful resources
327 Comments
- lord_eddard_stark (Copper Contributor)
Is it accurate to say that CFR is generally enabled for devices managed by Windows Update for Business, but not for devices managed by WSUS?
I don’t think I fully grasp the distinction between LCU vs. CFR in the context of delivering the Secure Boot update. Is there a Microsoft blog post or documentation that explains how these mechanisms differ and how the Secure Boot update is actually rolled out?
- Peter_Linder2015 (Occasional Reader)
Why was the Secure Boot certificate validity set to about 15 years? Why not 30 years? Why not 10 years? Will Secure Boot certificate updates happen every 15 years in the future?
- saranrajappa (Copper Contributor)
1. When we set the CSP as
   (a) HighConfidenceOptOut = Disable
   (b) MicrosoftUpdateManagedOptin = Enable
   (c) AvailableUpdates = Enable,
   when does the certificate deployment start, provided the device has the latest firmware and patch (meeting the requirements for Secure Boot)?
- knmcelhaney (Copper Contributor)
Am I correct in assuming that the default db will only be updated by an OEM's BIOS update? In other words, Microsoft updates would only update the Active db, and never the default. Follow up question: What is the risk of not updating the default db when the active db is up to date?
- Pearl-Angeles (Community Manager)
Panelists covered your question at 48:01 during the live AMA!
- Darbo1982 (Occasional Reader)
Aside from creating the Intune configuration, is there a way to report success or readiness?
- sarahstarIT (Occasional Reader)
So if you are saying that you are looking after the consumer updates so they don't need to worry about the cert, why, as an organization with 6k machines, do I need to do anything? Thanks
So the cert is already on the OS; this is a plan to make sure that it will be deployed properly to the BIOS?
- mihi (Copper Contributor)
Organizations tend to block telemetry, that's why Microsoft cannot look after them :)
All of this is updating your UEFI firmware (which nowadays usually does not contain a BIOS any more) to have the latest certs, and to switch your installed system to actually use them.
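A readiness check that follows from this point (is the active db carrying the 2023 CAs, and has the firmware-provisioned dbDefault caught up), written as an added example that is not from the AMA, the panelists or Microsoft. It assumes an elevated PowerShell session on a UEFI device with Secure Boot enabled; the certificate subject names are the publicly known Microsoft CA names.

```powershell
# Added example (not from the AMA page or Microsoft): compare the Microsoft
# Secure Boot CA certificates present in the active db with those in dbDefault.
# Requires an elevated PowerShell session on a UEFI system with Secure Boot on.
# Substring matching works because the subject CN is stored as ASCII inside
# the DER-encoded certificates that make up the EFI_SIGNATURE_LIST entries.

$caNames = [ordered]@{
    'Windows Production PCA 2011 (signs 2011 boot manager)' = 'Microsoft Windows Production PCA 2011'
    'Windows UEFI CA 2023 (signs 2023 boot manager)'        = 'Windows UEFI CA 2023'
    'Microsoft UEFI CA 2011 (third-party components)'       = 'Microsoft Corporation UEFI CA 2011'
    'Microsoft UEFI CA 2023 (third-party components)'       = 'Microsoft UEFI CA 2023'
}

function Get-DbCaStatus {
    # Returns one row per CA for the requested UEFI variable.
    # db        = the database the firmware currently enforces
    # dbDefault = the firmware's factory default for db (set by the OEM firmware image)
    param([ValidateSet('db', 'dbDefault')][string]$Variable)

    $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    foreach ($label in $caNames.Keys) {
        [pscustomobject]@{
            Variable = $Variable
            CA       = $label
            Present  = [bool]($text -match [regex]::Escape($caNames[$label]))
        }
    }
}

if (-not (Confirm-SecureBootUEFI)) {
    throw 'Secure Boot is not enabled on this device; nothing to report.'
}

$report = @(Get-DbCaStatus -Variable db) + @(Get-DbCaStatus -Variable dbDefault)
$report | Format-Table -AutoSize

# Summarise: a device whose active db has the 2023 CA but whose dbDefault does
# not will fall back to the 2011-only set if Secure Boot keys are ever reset.
$activeHas2023  = ($report | Where-Object { $_.Variable -eq 'db'        -and $_.CA -like 'Windows UEFI CA 2023*' }).Present
$defaultHas2023 = ($report | Where-Object { $_.Variable -eq 'dbDefault' -and $_.CA -like 'Windows UEFI CA 2023*' }).Present
"Active db has Windows UEFI CA 2023:  $activeHas2023"
"dbDefault has Windows UEFI CA 2023:  $defaultHas2023 (updated by firmware, not by the OS)"
```

Run it across a fleet (for example as an Intune remediation detection script) and collect the two summary lines to build the readiness view asked about in the thread.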
- Id_Jamie (Copper Contributor)
Have we got event IDs to validate if all the default certs have been updated and not just the current ones?
- xrpfan1337 (Copper Contributor)
What is Microsoft's recommendation for managing firmware on Surface devices for customers using WUfB?
Assuming from an effort perspective that enabling Driver Update policies is better than custom SCCM deployments.
- jeddunn (Copper Contributor)
Can you clarify what needs to be done to a MECM environment to prepare for this?
- Joerg1 (Occasional Reader)
Can you give instructions on a boot medium that boots with the 2011 keys and can upgrade to the new boot manager, in the case that Windows does not start anymore because the new keys in db were reset to 2011?