Event details
In order to do the Secure Boot certificate updates, do I need to follow the vendor's steps on updating the Secure Boot certificate? For example, Dell has a website that states prerequisites that it needs TPM 2.0 and Windows Server 2022 or later to be able to update the Secure Boot certificate. Is it necessary to follow these, or can I proceed to update the Secure Boot certificate via registry keys or the playbook that you provided?
Answered at 34:00
- Novis1380, Apr 23, 2026, Copper Contributor
In response to the answer, this is the website URL: https://www.dell.com/support/kbdoc/en-us/000402373/poweredge-server-bios-update-guidelines-for-microsoft-secure-boot-certificates
Is there a tool that can help us check whether the server is ready for the Secure Boot certificate update and also perform the update for us?
- mihi, Apr 24, 2026, Brass Contributor
Oh my...
That PowerShell script does nothing more than update the DB and KEK certificates via the unsupported way via PowerShell (that's why they require BitLocker to be disabled). It also seems that the included "Cerifcates" (sic!) are also included in Microsoft's SecureBootObjects KEK list, so from an outsider's perspective there should be absolutely no reason at all to prefer this script to the official registry method. In case the official method runs into any errors, you could try that script, of course, if you trust your vendor's skill at writing PowerShell scripts (since it has been provided by your vendor).