Event details
Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. We recently published the first version of the Secure Boot playbook, outlining the tools and steps you can take today to proactively plan and prepare for this milestone. Join this AMA with your questions about update scenarios, inventorying your estate, and formulating the right deployment plan for your organization.
On the panel: Arden White; Scott Shell; Richard Powell; Kevin Sullivan
How do I participate?
Registration is not required. Simply select Add to calendar then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
2 Comments
- justme1 (Occasional Reader)
Hello.
My Dell XPS 13 9360 will not have any BIOS updates that include the new certificates.
So, I tried to update it with the following commands:
from Admin CMD Prompt:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
from Admin PowerShell:
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
This action updated all certificates in the DB except for the KEK CA 2K 2023, which I cannot update.
In the registry editor, UEFICA2023Status remains indefinitely in "progress" and shows no errors.
In "availableUpdates" the value is 0x5944.
Windows UEFICA2023capable shows 0x2.
I would like to know, since I only need to update the KEK CA 2K 2023 certificate, how I should proceed.
Thank you!
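The comment above reports on three registry values and on which certificates landed in the DB and KEK variables. The following read-only inventory script is an added example, not code from the post or from the Secure Boot playbook; it collects those same signals on one machine so an administrator can see the state before and after a firmware or Windows update. It assumes the AvailableUpdates value lives under the Secureboot key exactly as the post shows, and it assumes (the post gives no path for them) that UEFICA2023Status and UEFICA2023Capable sit under the Servicing subkey of that same key. The certificate subject strings are the published names of the 2023 CAs; the function name Get-SecureBootCertInventory is this example's own.

```powershell
# Added example (not from the post): read-only inventory of Secure Boot
# certificate rollout state on the local machine. Run in an elevated PowerShell.
# Nothing here writes to the registry or to UEFI variables.

function Get-SecureBootCertInventory {
    $base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    # Assumption: status/capable values are under the 'Servicing' subkey.
    $servicing = Join-Path $base 'Servicing'

    $available = (Get-ItemProperty -Path $base -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $status    = (Get-ItemProperty -Path $servicing -Name UEFICA2023Status  -ErrorAction SilentlyContinue).UEFICA2023Status
    $capable   = (Get-ItemProperty -Path $servicing -Name UEFICA2023Capable -ErrorAction SilentlyContinue).UEFICA2023Capable

    # Read the UEFI signature databases directly. Certificate subject names are
    # stored as ASCII inside the DER-encoded certificates, so a substring match
    # on the decoded bytes is enough to tell whether a given CA is present.
    $dbBytes  = (Get-SecureBootUEFI -Name db).Bytes
    $kekBytes = (Get-SecureBootUEFI -Name KEK).Bytes
    $dbText   = [System.Text.Encoding]::ASCII.GetString($dbBytes)
    $kekText  = [System.Text.Encoding]::ASCII.GetString($kekBytes)

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        SecureBootEnabled       = Confirm-SecureBootUEFI
        AvailableUpdates        = if ($null -ne $available) { '0x{0:X}' -f $available } else { $null }
        UEFICA2023Status        = $status
        UEFICA2023Capable       = $capable
        # DB: the 2023 Windows CA signs the updated boot manager.
        Db_WindowsUefiCa2023    = [bool]($dbText  -match 'Windows UEFI CA 2023')
        # DB: the 2023 third-party CA (option ROMs, Linux shims).
        Db_MicrosoftUefiCa2023  = [bool]($dbText  -match 'Microsoft UEFI CA 2023')
        # KEK: the value the comment above could not get updated.
        Kek_Microsoft2KCa2023   = [bool]($kekText -match 'Microsoft Corporation KEK 2K CA 2023')
    }
}

Get-SecureBootCertInventory | Format-List
```

Because the function returns an object rather than printing text, it can be run through a remoting session or a management-tool script and the results exported to CSV for an estate-wide inventory; a device that shows the DB entries present but the KEK entry absent is in the same position as the one described in the comment, and the KEK update depends on firmware that accepts the vendor-signed KEK, which is the part a Windows-side script cannot change.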
- lexcyn (Iron Contributor)
Just a couple questions:
- Is the UEFI update required? If a current Windows install does not receive the UEFI update before the secure boot manager/partition is updated (via Windows Update), will that be enough?
- What happens if a hardware vendor decides they are not updating the UEFI/firmware? If Microsoft updates the active boot manager, will the system continue to boot?
- Further to this, let's say you have to re-install Windows - if you are using the latest ISO that contains the updated certificates, will the system allow secure boot to function in this instance?
- We have a hybrid environment with devices Intune/Entra joined but still on an on-prem domain. We have deployed the Intune CSP for the updates using the 'forced' update method and are seeing success. We are planning to start deploying firmware updates as well, but it may lag behind the Windows Update portion. Will this scenario work?