Event details
Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. We recently published the first version of the Secure Boot playbook, outlining the tools and steps you can take today to proactively plan and prepare for this milestone. Join this AMA with your questions about update scenarios, inventorying your estate, and formulating the right deployment plan for your organization.
On the panel: Arden White, Scott Shell, Richard Powell, Kevin Sullivan
How do I participate?
Registration is not required. Simply select Add to calendar then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
114 Comments
- RandomWorkstationAdmin (Copper Contributor)
How can we tell which of our devices are in this "high confidence" bucket?
- RandomWorkstationAdmin (Copper Contributor)
Looks like it can be found in the "System" event log, checking either Event ID 1801 or 1808. It would be nice if there was an easier way to see this information and report on it...
- jalcorta (Occasional Reader)
What about VMware VMs that are Secure Boot enabled? When I talked to Broadcom they said there is nothing to do, just update the hardware BIOS (Dell PowerEdge). Is this correct?
- Gary19 (Occasional Reader)
What's the difference between using the 0x5944 registry value for AvailableUpdates and using the high-confidence opt-in?
- Jim Hamby (Copper Contributor)
My HP EliteBook 845 G8 shows that the Windows UEFI CA 2023 certificate has been updated "automagically," but not the other three.
Should I expect that situation to resolve itself, or is additional action required?
If the device were to remain in this state (only the Windows UEFI CA 2023 updated/activated), will Windows and Secure Boot still function and update properly?
- ChrisSchoening (Occasional Reader)
Will any type of reporting via CM or Intune be created for large enterprises to track progress and compliance?
- LakshmanaPrabhu (Copper Contributor)
Thank you for setting up this session. As we understand it, all OEMs are already providing updated certificates on new devices delivered in 2025, and existing certificates get addressed as part of the upcoming Windows updates or the respective OEM firmware updates.
How do we analyze, in an environment, which endpoints need this update and which are already up to date, either via Intune or another form of reporting? That helps in understanding the current posture and the action required.
- RayC15 (Copper Contributor)
For devices with required diagnostic data and CFR joined, when will they be updated? (On the next cumulative update?)
Is the high confidence bucket list already available? Does it get updated every month?
- SebMcCayen_Swe (Occasional Reader)
Is it enough to install the Firmware/BIOS provided via the computer manufacturer, example HP, Dell etc?
- Kevin_Sullivan_MSFT (Microsoft)
Typically, no. Installing the BIOS update from your OEM gives you the new Secure Boot certificates in the default variables, but that alone doesn’t make them active. Windows takes care of updating the active variables during the update process, which are the ones the system actually uses at startup. So, you will also need to follow the guidance to update the certificates from Windows.
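To make the distinction above checkable on a given machine, and to cover the earlier question about finding the status in the System log (Event IDs 1801 and 1808), here is an added PowerShell example. It is not from this page, the playbook, or Microsoft: it parses the EFI_SIGNATURE_LIST structures that Get-SecureBootUEFI returns for the active db and KEK and for the firmware's dbDefault, lists the X.509 subjects in each, and reports whether the Windows UEFI CA 2023 certificate is in the active db or only in the default variable that Kevin describes. The AvailableUpdates value under HKLM\SYSTEM\CurrentControlSet\Control\Secureboot is the location Microsoft's guidance references for the 0x5944 opt-in mentioned in this thread; treat that path as an assumption and verify it against the playbook for your build. The function names are mine.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the AMA page or Microsoft). Requires the built-in
# SecureBoot module on Windows 10/11 and an elevated prompt.

# EFI_CERT_X509_GUID from the UEFI spec: marks a signature list whose entries are DER certificates.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootX509Subjects {
    # Walks the chain of EFI_SIGNATURE_LIST structures stored in a Secure Boot
    # variable and returns the subject of every X.509 entry. Non-certificate
    # lists (e.g. SHA-256 hash entries) are skipped. Returns @() if the
    # variable does not exist (some firmware has no dbDefault).
    param([Parameter(Mandatory)][string]$Name)
    try   { $bytes = [byte[]](Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes }
    catch { return @() }

    $subjects = @()
    $offset = 0
    while ($offset -lt $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes), SignatureListSize (4),
        # SignatureHeaderSize (4), SignatureSize (4), followed by the optional header
        # and then SignatureSize-byte EFI_SIGNATURE_DATA entries.
        $type     = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST in $Name at offset $offset"
        }
        $dataStart = $offset + 28 + $hdrSize
        $dataEnd   = $offset + $listSize
        if ($type -eq $EfiCertX509Guid) {
            for ($p = $dataStart; $p + $sigSize -le $dataEnd; $p += $sigSize) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) then the DER certificate.
                $der  = [byte[]]$bytes[($p + 16)..($p + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $subjects += $cert.Subject
            }
        }
        $offset = $dataEnd
    }
    return $subjects
}

function Get-SecureBootCaPosture {
    # Summarises whether the 2023 CA is active (in db) or merely staged by the
    # OEM firmware update (in dbDefault), which is the difference Kevin describes.
    $db        = Get-SecureBootX509Subjects -Name db
    $dbDefault = Get-SecureBootX509Subjects -Name dbDefault
    $kek       = Get-SecureBootX509Subjects -Name KEK
    $ca2023    = 'Windows UEFI CA 2023'

    # Assumed registry location for the AvailableUpdates opt-in value; verify against the playbook.
    $avail = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot' `
                              -Name AvailableUpdates -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SecureBootEnabled   = Confirm-SecureBootUEFI
        Ca2023InActiveDb    = @($db        | Where-Object { $_ -like "*$ca2023*" }).Count -gt 0
        Ca2023InDbDefault   = @($dbDefault | Where-Object { $_ -like "*$ca2023*" }).Count -gt 0
        AvailableUpdatesHex = if ($avail) { '0x{0:X}' -f $avail.AvailableUpdates } else { '(not set)' }
        ActiveDbSubjects    = $db
        ActiveKekSubjects   = $kek
    }
}

function Get-SecureBootUpdateEvents {
    # The System-log events mentioned earlier in the thread (IDs 1801 and 1808).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1801, 1808 } `
                 -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

Get-SecureBootCaPosture | Format-List
Get-SecureBootUpdateEvents | Format-Table -AutoSize -Wrap
```

A device that has only taken the OEM BIOS update typically shows Ca2023InDbDefault as True and Ca2023InActiveDb as False; after the Windows-driven update both are True. On firmware without a dbDefault variable the default column simply comes back empty, so check the vendor's release notes rather than reading that as "not staged".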
- AlexHellen (Occasional Reader)
We have tested a scripted method for updating the keys which works, but ideally we want to deploy the policy through Intune. The policy we created uses the setting
Enable Secureboot Certificate Updates
(Enabled) Initiates the deployment of new secure boot certificates and related updates.
But on both 24H2 and 25H2 this seems to do nothing. Will this be usable soon?
- MadsJohansen (Copper Contributor)
It looks like the new Intune Settings Catalog policies to manage the rollout of the new Secure Boot certs are not working properly. When trying to deploy the policy it returns error code 65000, which is a generic error code that Intune usually returns for a variety of reasons, sometimes when a prerequisite is not met.
I've seen this error in multiple tenants and several different customer environments. Is this something that is on your radar?
This is the policy that I'm testing from Intune: