Event details
Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. We recently published the first version of the Secure Boot playbook, o...
Heather_Poulsen
Updated Dec 09, 2025
prabhv1982
Microsoft
Dec 10, 2025
These certificates allow Microsoft to apply security updates to Secure Boot and boot manager components. If the new certificates are not in place, this will no longer be possible. We are finalizing the defined behavior and will share full details before the change takes effect.
- Yes. The system will continue to boot existing boot media, including network boot, after the certificates are updated by applying the 0x5944 registry key. If Secure Boot revocations are applied to firmware to revoke older versions of the boot manager, it will require updating all boot sources to the new Boot Manager.
- Yes. If boot media such as WinPE or USB is updated with the new Boot Manager, the device can only boot from this updated media if the new certificates are already applied to the device firmware.
EWoo
Dec 10, 2025
Copper Contributor
Does applying the 0x5944 registry key apply the Secure Boot revocations, or does this only apply the new cert but leave the old cert in place?
And is Microsoft planning on revoking the old cert at some point in the future?
- rparmar50 Dec 10, 2025
Microsoft
0x5944 will only add new certs without revoking any existing old certs.