Event details
Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. We recently published the first version of the Secure Boot playbook, outlining the tools and steps you can take today to proactively plan and prepare for this milestone. Join this AMA with your questions about update scenarios, inventorying your estate, and formulating the right deployment plan for your organization.
On the panel: Arden White, Scott Shell, Richard Powell, Kevin Sullivan
How do I participate?
Registration is not required. Simply select Add to calendar then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
114 Comments
- Simone_Termine (Brass Contributor)
For anyone who's asking: event 1799 (TPM-WMI) tells you "Boot Manager signed with Windows UEFI CA 2023 has been installed".
- stephc_msft (Microsoft)
One of the biggest 'grey areas' is how to handle EXISTING, aka long-running, Gen2 Hyper-V VMs.
There are many reports that updating the OS inside the VM can't do the UEFI-related aspect
(sorry, don't have the details to hand).
And is that important?
Fresh VMs created on an updated HV host will be OK and will have the correct firmware.
Ditto about updating UEFI-boot VMs on other virtualization platforms (if using Secure Boot for the VM),
e.g. in VMware.
- mikehartstein (Copper Contributor)
Yes, that has been our experience as well. Hyper-V VMs created before a certain date will not take the 2023 KEK cert (the Windows UEFI CA 2023 cert gets added fine, and the boot manager replaced with the 2023-signed one). It would be nice to know that this will be fixed soon.
- AlexHellen (Occasional Reader)
If a device is new, i.e. a Surface Pro 10, should we expect it has a certificate and then no need to update? What value should we expect?
if AvailableUpdates is set to 0x0
UEFICA2023Status - NotStarted
- prabhv1982 (Microsoft)
Surface Pro 10 for Business and Surface Pro 10 with 5G come by default with the updated certificates. You can refer to Surface Secure Boot Certificates - Microsoft Support for details on Surface devices that come with updated certificates pre-installed in UEFI. You can review the TPM-WMI event 1808 (this event means the device has all certificates) or 1801 (means the device is missing certs and needs to be updated) in the System event log. Refer to Secure Boot Certificate updates: Guidance for IT professionals and organizations - Microsoft Support for details on how to monitor whether a device has updated certificates.
- David_Swenson (Iron Contributor)
I deployed the new Settings Catalog options via Intune as described here. The deployment failed with no conflicts just error devices in Intune.
Build 26200.7296
- Configure High Confidence Opt Out
- State = Disabled, Result = ✅ Succeeded
- Configure Microsoft Update Managed Opt In
- State = Enabled, Result = ❌ Failed
- Enable Secureboot Certificate Updates
- State = Enabled, Result = ❌ Failed
- David_Swenson (Iron Contributor)
Is this not available yet?
- OvativeFye (Copper Contributor)
Hey David, chiming in here as I had the same issue. Pretty sure those two settings for Opt in and Enable the certs is broken, see here for workarounds: https://evil365.com/intune/SecureBoot-Cert-Expiration/#option-3---self-managed-rollout-using-intune-policies
I personally used a detection/remediation script to do this.
- JW100 (Copper Contributor)
Hi,
My registry keys show the following values:
UEFI2023Status = Not started
WindowsUEFICA2023Capable = 0
Endpoints are managed via MECM and built via PXE boot. How do I ensure that PXE boot is utilising the newer cert?
Please can you indicate a generalised approach for me to investigate?
Many Thanks,
- HeyHey16K (Iron Contributor)
We have this too! I know the MS team said in the webinar they will come back on this point, I hope they do as the NotStarted status doesn't seem to be covered anywhere... Ours are managed by Intune (inc. Windows Updates) and built by Autopilot
- HigherEdArchitect (Copper Contributor)
With the new Windows events being generated, for Windows Server SKUs (primarily VMs) without Secure Boot enabled, why are Microsoft-Windows-TPM-WMI events, specifically event 1801, being generated? A device with Secure Boot disabled at the hypervisor layer neither updates nor meets the requirements.
- Pprasadjjoshi (Occasional Reader)
We successfully deployed the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\MicrosoftUpdateManagedOptIn (DWORD value 0x5944) via Proactive Remediation and tested applying it through Intune Settings Catalog with the following settings:
- Enable Secure Boot Certificate Updates: Enabled
- Configure High Confidence Opt Out: Disabled
- Configure Microsoft Update Managed Opt In: Enabled
However, the Settings Catalog configuration fails. We want to replace the script by using a device configuration profile. Is setting this registry key alone sufficient to enable Secure Boot updates, or should the additional settings above also be applied?
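Since two posters in this thread report that the Settings Catalog opt-in settings fail and fall back to a detection/remediation script, here is what such a pair looks like for the `MicrosoftUpdateManagedOptIn` value quoted above. This is an added example, not Microsoft's script or the poster's: it assumes only the registry path and the 0x5944 value stated in the comment, and the Intune convention that a detection script exits 1 when remediation is needed and 0 when compliant. The scheduled task name it kicks is an assumption and is tolerated if absent; whether the value alone is sufficient is the open question in the comment and the script does not claim to answer it.

```powershell
# Added example (not from the original page): Intune detection/remediation pair for the opt-in value.
# Deploy the same file twice, once as the detection script (default mode) and once as remediation.
param([ValidateSet('Detect', 'Remediate')][string]$Mode = 'Detect')

$path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'   # path quoted in the comment above
$name  = 'MicrosoftUpdateManagedOptIn'
$value = 0x5944                                                  # value quoted in the comment above

function Test-SecureBootOptIn {
    # Compliant only when the DWORD exists and holds exactly 0x5944.
    $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    return ($current -eq $value)
}

function Set-SecureBootOptIn {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $value -Force | Out-Null

    # Assumption: the servicing task that consumes the flag. If it is not present on this build,
    # the value is still written and the next servicing pass picks it up.
    Start-ScheduledTask -TaskName '\Microsoft\Windows\PI\Secure-Boot-Update' -ErrorAction SilentlyContinue
}

switch ($Mode) {
    'Detect' {
        if (Test-SecureBootOptIn) { Write-Output 'OptIn present'; exit 0 }
        Write-Output 'OptIn missing'; exit 1            # non-zero tells Intune to run remediation
    }
    'Remediate' {
        Set-SecureBootOptIn
        if (Test-SecureBootOptIn) { Write-Output 'OptIn set'; exit 0 }
        Write-Output 'OptIn write failed'; exit 1
    }
}
```

Run the remediation side in the 64-bit host (Intune's "Run script in 64-bit PowerShell" option) so the write lands in the native HKLM hive and not the WOW6432 view.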
- TastyPastry (Copper Contributor)
Is there any sort of reporting that we could use to better monitor where the certificates have not yet been updated?
- AntonDobschensky (Brass Contributor)
Does the certificate update come in a specific update classification?
- RickNordmeyer (Occasional Reader)
Will this update to Secure Boot cert trigger a BitLocker recovery event? Is it recommended to suspend BDE prior to updating the cert?