Event details
It's time for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot play...
Pearl-Angeles
Updated Apr 15, 2026
MikePoole1
Apr 23, 2026
Copper Contributor
We have approx. 60k devices, split across Intune and Legacy (Config Manager). A LOT of the older devices are on old BIOS versions - are we OK to deploy the certs using remediation scripts (setting applicableUpdates to 5944 on devices that have Secure Boot)? We want to do this so we have control over the rollout. Will the certs remain if we subsequently update the vendor BIOS on these machines?
mihi
Apr 23, 2026
Brass Contributor
Secure Boot state including certificates is not to be touched by firmware updates. So the certificates should remain.
Of course, bugs may require that you manually enter firmware setup and reset settings after a firmware update. In this case, the certificates may be gone if not included in the default DB already.
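The following detection script is an added example, not part of either post above and not Microsoft's own tooling. It checks whether the 2023 certificates are in the active Secure Boot variables and whether they are also in the firmware defaults, which is the case the reply describes where a settings reset could drop them. The certificate names and the exit-code convention (0 = compliant, 1 = needs remediation) are assumptions not stated on this page; run it elevated, before and after a firmware update.

```powershell
# Added example: detection script for Intune/ConfigMgr remediation (runs as SYSTEM/admin).
# Assumption: these subject names identify the 2023 certificates; extend the lists as needed.
$ErrorActionPreference = 'Stop'
$expected = @{
    db  = @('Windows UEFI CA 2023')
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
}

function Get-VariableText {
    param([string]$Name)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
        if (-not $bytes) { return '' }          # variable present but empty
        # Certificate subject names are ASCII-compatible inside the DER blob
        return [System.Text.Encoding]::ASCII.GetString($bytes)
    } catch {
        return $null                            # variable not exposed by this firmware
    }
}

# Out-of-scope devices (legacy BIOS, Secure Boot off) are reported but not remediated
try {
    if (-not (Confirm-SecureBootUEFI)) { Write-Output 'Secure Boot disabled'; exit 0 }
} catch {
    Write-Output 'Secure Boot not supported (legacy BIOS?)'; exit 0
}

$missingActive = @()
$report = foreach ($var in $expected.Keys) {
    $active  = Get-VariableText -Name $var               # db / KEK
    $default = Get-VariableText -Name ($var + 'Default') # dbDefault / KEKDefault
    foreach ($cert in $expected[$var]) {
        $inActive  = [bool]($active  -and $active.Contains($cert))
        $inDefault = [bool]($default -and $default.Contains($cert))
        if (-not $inActive) { $missingActive += $cert }
        # active=True, default=False: a firmware settings reset would remove this cert
        '{0}: {1} active={2} default={3}' -f $var, $cert, $inActive, $inDefault
    }
}

Write-Output ($report -join '; ')
if ($missingActive.Count -gt 0) { exit 1 } else { exit 0 }
```

Devices that report `active=True default=False` are the ones to re-check after any firmware update that required resetting settings.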