Event details

Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. We recently published the first version of the Secure Boot playbook, o...
Heather_Poulsen
Updated Dec 09, 2025
AMA
ClientAdmin's avatar
ClientAdmin
Copper Contributor
Dec 10, 2025

- The GPO (ADMX) sets a value of 0x5944. How can we then revoke the 2011 certificates (0x80)?
- Are there any details about SVN (0x200)? What is the exact mechanism?
- Will Bitpixie and BlackLotus be mitigated with just 0x5944?
- Is SecureBootRecovery.efi application set after bootmgfw.efi if the new certificates 2023 aren't in the defaultDB?
- Can we use SecureBootRecovery.efi for warehoused devices as a PXE boot file?
- What happens on devices without Secure Boot enabled now? Will they get the Boot Manager signed with 2023 installed automatically? What happens if we enable Secure Boot at a later point as AvailableUpdates only works with Secure Boot enabled?