Event details
Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. We recently published the first version of the Secure Boot playbook, o...
Heather_Poulsen
Updated Dec 09, 2025
Alun
Occasional Reader
Dec 09, 2025
Just 3 questions:
- Will we need to update the WinPE boot media and Windows install source images if the device has the new certs installed (or the old ones have expired)?
- Will the Windows install process update the certs if the Windows install source media has been updated and the device has not?
- Will any future cumulative patches that require new certs for a security vulnerability patch also force the upgrade of the cert if the device has yet to be updated?
prabhv1982
Microsoft
Dec 09, 2025
- If Boot Manager revocations are not deployed, existing boot media will continue to boot even after the certificate expires and/or new certificates are deployed to firmware. If revocations are deployed, all bootable media must be updated to include the new Boot Manager to ensure continued boot functionality.
Guidance on deploying Boot Manager revocations is available here:
How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 – Microsoft Support.
- Devices that do not have the required certificates will not receive proactive certificate updates from the Windows installer.
- If you attempt to boot from media that uses a Boot Manager signed with the new certificate, the device will fail to boot unless the updated certificates are already present.
- For in-place upgrades, the boot service installer will not update the Boot Manager to avoid a no-boot scenario.
- Cumulative updates include a high-confidence data list of device classes deemed safe for deployment. This data will be refreshed regularly as part of cumulative updates.
- The latest high-confidence list is located at: %systemroot%\System32\SecureBootUpdates\BucketConfidenceData.cab
- If your device’s BucketID is included, the update will be applied automatically if certificates are not already present.
- You can find the BucketID in Secure Boot events. Refer to https://aka.ms/getsecureboot -> Guidance for IT professionals and organizations -> Monitoring Event Logs section for details on Secure Boot certificate-related events.
- Future cumulative updates will apply these changes automatically for devices identified by Microsoft as ready, based on a high-confidence list.
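The answer above tells an administrator to check three things before relying on automatic deployment: whether the new certificates are already in firmware, what the device's BucketID is, and whether that BucketID is in the shipped high-confidence list. The PowerShell below is an added example for that check, not a script from Microsoft or from this thread. It assumes (none of this is stated on the page) that the 2023 CA subject names used in the patterns are the certificates the update installs, that Secure Boot servicing events are written by the Microsoft-Windows-TPM-WMI provider in the System log with the BucketID in the message text, and that the CAB expands to text-searchable content; the documented event IDs live in the "Monitoring Event Logs" section linked above.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's script. Assumptions (not stated in the thread):
#  - the 2023 CA subject names below are the certificates the cumulative update installs;
#  - Secure Boot servicing events come from the Microsoft-Windows-TPM-WMI provider in the
#    System log and the BucketID appears in the event message text;
#  - BucketConfidenceData.cab expands to text-searchable content.

# Read a UEFI Secure Boot variable and return its bytes as an ASCII string; the CA subject
# names inside the DER blobs are ASCII, so a substring match is enough to detect presence.
function Get-SecureBootVariableText {
    param([Parameter(Mandatory)][ValidateSet('db', 'KEK', 'dbx', 'PK')][string]$Name)
    $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
    return [System.Text.Encoding]::ASCII.GetString($var.Bytes)
}

# Report which of the 2023 certificates are already present in firmware (db and KEK).
function Test-SecureBoot2023Certs {
    if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled on this device.' }
    $db  = Get-SecureBootVariableText -Name 'db'
    $kek = Get-SecureBootVariableText -Name 'KEK'
    [pscustomobject]@{
        'db: Windows UEFI CA 2023'                  = ($db  -match 'Windows UEFI CA 2023')
        'db: Microsoft UEFI CA 2023'                = ($db  -match 'Microsoft UEFI CA 2023')
        'db: Microsoft Option ROM UEFI CA 2023'     = ($db  -match 'Microsoft Option ROM UEFI CA 2023')
        'KEK: Microsoft Corporation KEK 2K CA 2023' = ($kek -match 'Microsoft Corporation KEK 2K CA 2023')
    }
}

# Pull the BucketID out of recent Secure Boot servicing events (provider name and message
# regex are assumptions; adjust them to the event IDs documented at https://aka.ms/getsecureboot).
function Get-SecureBootBucketId {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI' } `
                           -MaxEvents 200 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($e.Message -match 'Bucket\s*I[dD]\s*[:=]?\s*([A-Za-z0-9\-_.]+)') { return $Matches[1] }
    }
    return $null
}

# Expand the shipped high-confidence list with the built-in CAB extractor and look for the BucketID.
function Test-BucketInConfidenceList {
    param([Parameter(Mandatory)][string]$BucketId)
    $cab = Join-Path $env:SystemRoot 'System32\SecureBootUpdates\BucketConfidenceData.cab'
    if (-not (Test-Path $cab)) { throw "High-confidence list not found: $cab" }
    $tmp = Join-Path $env:TEMP ('sbconf_' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $tmp | Out-Null
    try {
        & "$env:SystemRoot\System32\expand.exe" $cab -F:* $tmp | Out-Null
        $hit = Get-ChildItem -Path $tmp -Recurse -File |
               Select-String -SimpleMatch -Pattern $BucketId -ErrorAction SilentlyContinue
        return [bool]$hit
    } finally {
        Remove-Item -Path $tmp -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Usage: certificate status first, then the BucketID and whether the list covers it.
Test-SecureBoot2023Certs | Format-List
$bucket = Get-SecureBootBucketId
if ($bucket) {
    "BucketID $bucket present in high-confidence list: $(Test-BucketInConfidenceList -BucketId $bucket)"
} else {
    'No BucketID found in recent Secure Boot events.'
}
```

A device where every certificate check returns True already has the new CAs and, per the answer, will be skipped by the installer's proactive update; a device that returns False for all of them and whose BucketID is not in the list is the case where the update stays pending until the list is refreshed or the certificates are deployed by another route.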