Event details
It's time for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot play...
Pearl-Angeles
Updated Apr 15, 2026
stela
Apr 30, 2026, Copper Contributor
When in June 2026 do the old certificates expire, and if the new certificates are not in place at that time, will the devices remain manageable through SCCM and Intune?
Will we still be able to deploy packages and task sequences?
Could you also provide the tool or procedure that will help us manually update the certificates on the devices?
Finally, what will be the impact if we switch the SCCM boot.wim to use the new certificates while not all devices have received them yet?
- mihi, Apr 30, 2026, Brass Contributor
- Yes. Everything will continue to work as it does now, except that you won't receive the latest boot components in upcoming Windows updates, booting from newer external media (or via network) created after the certificates expire (or before, but with the new certificates in boot.wim) may fail, and the blocklist used to prevent booting older bootloaders or bootkits is no longer updated.
- I guess that is a yes too (I don't know what kind of packages you are talking about, but I cannot think of any sense of that word that would touch the boot process in any way).
- It's all in the FAQ. When you have a booting system, set the AvailableUpdates registry key and run the scheduled task. If not, get securebootrecovery.efi from a working machine, copy it to a USB key and boot from it, which should be enough to help get the system installed from any install media, then proceed with the booting system.
- When you try to reimage a system by booting via network or from media, the system that does the reimaging will not boot if Secure Boot is enabled and the boot.wim on the media or the PXE server contains the new certificate. Boot once from securebootrecovery.efi and then it will work again. [On an incompatible device where certificates cannot be installed, securebootrecovery.efi will not work either. In that case, you would have to boot from different media or do the install with Secure Boot disabled, then switch the bootloader to the old one, and enable Secure Boot again.]
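An inventory check a ConfigMgr/Intune admin could run on a fleet before switching boot.wim, as an added example that is not part of the thread above: it reports whether this device's Secure Boot db and KEK already contain the 2023 Microsoft CAs and what the AvailableUpdates value currently is. It assumes the Get-SecureBootUEFI/Confirm-SecureBootUEFI cmdlets (built into Windows, run elevated), the registry path from Microsoft's KB5025885 guidance, and the certificate subject names as Microsoft publishes them; the value to write into AvailableUpdates is deliberately not hard-coded here and should be taken from Microsoft's FAQ.

```powershell
# Added example, not from the thread. Read-only: reports Secure Boot CA status
# on the local device so you know which machines can boot media signed with
# the 2023 CA before you change the SCCM boot.wim.
#Requires -RunAsAdministrator

function Get-SecureBootCertStatus {
    $result = [ordered]@{
        SecureBootEnabled       = $false
        Db_WindowsUefiCa2023    = $false   # needed for the new Windows bootmgr
        Db_MicrosoftUefiCa2023  = $false   # third-party / option-ROM CA
        Kek_2023                = $false   # needed to accept future db/dbx updates
        AvailableUpdates        = $null    # assumed path/value name per KB5025885
    }
    try { $result.SecureBootEnabled = Confirm-SecureBootUEFI } catch { }

    # db and KEK are EFI_SIGNATURE_LIST blobs containing DER certificates; the
    # subject names are ASCII inside the DER, so a substring search is enough
    # for an inventory check (assumed certificate names as published by Microsoft).
    foreach ($var in 'db', 'KEK') {
        try {
            $text = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $var).Bytes)
        } catch { continue }
        if ($var -eq 'db') {
            $result.Db_WindowsUefiCa2023   = [bool]($text -match 'Windows UEFI CA 2023')
            $result.Db_MicrosoftUefiCa2023 = [bool]($text -match 'Microsoft UEFI CA 2023')
        } else {
            $result.Kek_2023 = [bool]($text -match 'Microsoft Corporation KEK 2K CA 2023')
        }
    }

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $result.AvailableUpdates = (Get-ItemProperty -Path $key -Name AvailableUpdates `
        -ErrorAction SilentlyContinue).AvailableUpdates
    [pscustomobject]$result
}

$status = Get-SecureBootCertStatus
$status | Format-List
if ($status.SecureBootEnabled -and -not $status.Db_WindowsUefiCa2023) {
    Write-Warning ('db lacks "Windows UEFI CA 2023": boot media carrying the new ' +
        'certificate will not boot here until the update is applied (see thread).')
}
```

Collect the output as a ConfigMgr script result or Intune remediation detection value and switch boot.wim only once the devices you intend to reimage report Db_WindowsUefiCa2023 = True.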