Event details
Thank you everyone for your participation in today's AMA! Below is a list of the questions the panelists answered live, along with links to the original question (if listed below) and associated timestamps:
Question – We have diagnostic data turned on in our Intune environment, but I'm not seeing the registry key "MicrosoftUpdateManagedOptIn". Should I be worried about this? If this key does not exist, MS will not push the certificates down, correct? – answered at 1:31.
Question – If we apply the 0x5944 registry value on updateable systems, are we still able to network boot them with our existing WinPE to image them with SCCM? – answered at 4:28.
Question – When you say "future security updates cannot be applied," do you mean monthly cumulative updates will fail to install entirely, or will just the potentially bundled updates to Secure Boot / Boot Manager be skipped? – answered at 6:01.
Question – Will the Windows Install process update the Certs if the Windows Install source media has been updated and the device has not? – answered at 7:42.
Question – Is it true that Hyper-V Gen 1 VMs are not affected by this issue? – answered at 10:10.
Question – What is the easiest way to tell if our devices will need to be updated? – answered at 11:10.
Question – Does this have any relation with Defender ASR rule 'Block rebooting machine in Safe Mode'? – answered at 12:50.
Question – Am I right to say if the "HighConfidenceOptOut" registry key does not exist, this means we have opted in? – answered at 13:31.
Question – If we miss the June 2026 deadline, how would we go about bringing a device back to a compliant state? – answered at 18:16.
Question – We have 70k Win11 23H2 devices patched using Autopatch every month. All managed by Intune. Is the right behavior to simply put the registry down to the device and they will update certs via the schedule task on the box and then we are fine? We don’t have to think of it anymore? – answered at 20:26.
Question – Towards the bottom of the guidance at aka.ms/GetSecureBoot, it states that the WindowsUEFICA2023Capable is not recommended for general use. However, can it be used to query devices in my environment to get an accurate picture of how many devices have the certificate in the DB already? – answered at 25:36.
Question – How about Azure VMs? Do we have to take action on them as well? – answered at 27:06.
Question – You mentioned “assists” – how do we access those? Are they a service we need to sign up for? – answered at 29:14.
- To stay up to date on additional help mechanisms, go to https://aka.ms/GetSecureBoot
Question – Does the rollout from MSFT include adding the old cert to the Exclusion DB (dbX)? – answered at 31:27.
Question – When I look at my environment, even brand-new devices are showing that the UEFICA2023Status regkey is NotStarted. Even on brand new devices we've deployed. Does NotStarted also mean the device may not need it? Or was I querying the wrong registry key? – answered at 34:45.
Question – When will the certificates come down with Windows Updates? Is there an expected month they will be delivered? – answered at 36:00.
Question – Question about Autopatch: if I have devices in Autopatch & diagnostics being sent. Do I need to implement any other configuration policies or registry keys or is it all automatically completed? Or do we need a settings catalog policy as well? – answered at 39:39.
Question – How will the WinPE boot image (from the ADK) be affected by these changes? If it will be updated, will it continue to work on systems that have not yet installed the updated certificates? – answered at 42:25.
Question – How are you working with OEMs to ensure that they are updating their firmware in advance? – answered at 44:37.
Question – If the key "WindowsUEFICA2023Capable" is set to 1 instead of 2, this means the device is still not in a "secure state". The key needs to be set to 2? – answered at 45:58.
Question – Does applying the 0x5944 registry key apply the Secure Boot revocations or does this only apply the new cert, but leaves the old cert in place? And is Microsoft planning on revoking the old cert at some point in the future? – answered at 47:33.
Question – What about my device at home? Do I need to take steps there as well? – answered at 49:04.