Event details
It's time for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
How do I participate?
Registration is not required. Simply select Add to calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
Get started with these helpful resources
197 Comments
- acamachor
Copper Contributor
Hello, can we use these 3 instructions to force the Windows Servers to update the CA2023 certificate?
- reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
- Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
- And restart the server two times.
- mihi
Brass Contributor
If
- The server patch level is at least mid 2025
- The machine has UEFI Secure Boot enabled
- There are no known blocks for the hardware configuration
These three instructions will update to CA2023 certificates. Make sure to wait at least 5 minutes before each restart so that all the actions to be performed have been finished.
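The precondition checks mihi describes, followed by the same two steps (set AvailableUpdates to 0x5944, start the Secure-Boot-Update task), as an added PowerShell example. This is not code from the thread or from Microsoft. It assumes an elevated session on a UEFI machine, that `Get-SecureBootUEFI -Name db` returns the signature database whose DER-encoded certificate subjects can be found by an ASCII match on "Windows UEFI CA 2023", and that the scheduled task lives under the path quoted in the thread; the assumption that a missing task means the OS is not on a mid-2025-or-later patch level is mine. Nothing is changed unless `-Apply` is given; by default the function only reports.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Checks: Secure Boot on, 2023 CA not yet in db, servicing task present.
# Only with -Apply does it set AvailableUpdates and start the task.
function Invoke-SecureBootCa2023Update {
    [CmdletBinding()]
    param([switch]$Apply)

    # 1. Secure Boot must be enabled. Confirm-SecureBootUEFI throws on
    #    legacy BIOS / non-UEFI platforms, so treat an exception as "off".
    try { $sbOn = Confirm-SecureBootUEFI } catch { $sbOn = $false }
    if (-not $sbOn) { Write-Warning 'Secure Boot is not enabled; nothing to do.'; return }

    # 2. Is the 2023 CA already in the signature database (db)?
    #    Certificate subjects are ASCII inside the DER blob, so a string match works.
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    if ($db -match 'Windows UEFI CA 2023') {
        Write-Host 'db already contains "Windows UEFI CA 2023"; no update needed.'
        return
    }

    # 3. The servicing task must exist. Assumption (mine): if it is missing,
    #    the OS is not on a build that carries the new certificates yet.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
    if (-not $task) { Write-Warning 'Secure-Boot-Update task not found; install current Windows updates first.'; return }

    if (-not $Apply) { Write-Host 'Preconditions met. Re-run with -Apply to trigger the update.'; return }

    # 4. Request the update with the value quoted in the thread and start the task.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot' `
        -Name 'AvailableUpdates' -Type DWord -Value 0x5944
    Start-ScheduledTask -TaskName '\Microsoft\Windows\PI\Secure-Boot-Update'
    Write-Host 'Update requested. Wait at least 5 minutes, restart, wait again, restart a second time.'
}

Invoke-SecureBootCa2023Update
```

Run once without `-Apply` across a pilot group to see which machines fail a precondition; those are the ones to investigate (Secure Boot off, unpatched build) before pushing the trigger.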
- ESTech
Occasional Reader
How do I update the certificates on Windows Insider Beta?
- mihi
Brass Contributor
There should not be a difference between Insider builds and normal builds. I have updated certificates on some VMs running Insider builds without any issues.
Note that the build needs to be from Mid-2025 or later so it has the new certificates.
If you are having issues with that, please post your exact build number (and used Insider channel) and the error you are receiving.
- badger_bucky
Copper Contributor
Please talk about the default versus the active database. Specifically, what are the pitfalls in continuing to use a system that has the active database updated but does not have an available OEM update for the default database.
- mihi
Brass Contributor
The risk is in somebody resetting Secure Boot to defaults in the UEFI setup and having a device that does not boot or may go through BitLocker recovery.
As mentioned in the video, a countermeasure may be to set a Setup password for the UEFI setup so that end-users cannot mess with their settings.
- mpottratz
Copper Contributor
Is it true, once the expiration date has passed, there will be no way to update the certificates after the fact? No tool or utility for client end (I've heard MFGs are making Server hardware tools possible)?
- mihi
Brass Contributor
No, this is not true. Certificate updates that have already been signed before expiration (which includes all the updates this whole topic is about) can still be applied after the expiration date. Only new boot managers or new KEK/DBX updates can no longer be signed by Microsoft (by the old certs) once the expiration date passed.
- TomDalton
Occasional Reader
Is there an intune export that can tell me which of my global devices are on the new certs or the old ones? I don't overly care which devices are high confidence, I care more about which ones are already done and which ones aren't?
- AdamDunleavy
Copper Contributor
Yes, there is one available within Reports > Windows Quality Updates > Secure Boot Status
- mpottratz
Copper Contributor
https://intune.microsoft.com/#view/Microsoft_EMM_ModernWorkplace/SecureBootReport.ReactView
- Marcin_Kolodziejczak
Copper Contributor
How will a Hyper-V environment work? Will all virtual machines be OK if a Hyper-V host has the new certificates?
- Prabhakar_MSFT
Microsoft
Hi Marcin_Kolodziejczak, Hyper-V host updates do not change existing VMs that did not already have the new certificates. All new Hyper-V VMs created have the new certificates pre-installed. If you have long-running VMs, certificates need to be deployed. Microsoft will be updating the VM devices as part of a high-confidence-based rollout in a future update. You can also apply the certificates to firmware by configuring the AvailableUpdates registry value to 0x5944 after updating the VM device to the latest available Windows patches.
- Marcin_Kolodziejczak
Copper Contributor
Thank you for your answer!
- Sanjeev0112
Occasional Reader
Which OS flavours does this apply to?
- Prabhakar_MSFT
Microsoft
Hi @Sanjeev0112, the certificates apply to all Secure Boot enabled devices, including Windows Server 2012 and up.
- Heather_Poulsen
Community Manager
Welcome to today's Secure Boot AMA! We'll start with the questions posted in advance below, but keep them coming and we'll do our best to help.
- Marcin_Kolodziejczak
Copper Contributor
Hi, question:
Let's say I update our cert via Intune or registry keys. What will happen if I have to reset UEFI for some reason?
Will the new cert stay, or will I have to install them again?
- epoch71
Copper Contributor
Can you confirm please, is event ID 1808 absolute confirmation that the certs are all in place and there's nothing left to do. Thanks.
- Mabel_Gomes
Microsoft
Yes, correct. Event ID:1808 confirms that the device has the required new Secure Boot certificates applied to the device’s firmware and there is no other action required in this certificate update process.
- CrisLugoB
Copper Contributor
I can say Event ID 1808 is not absolute confirmation. I have seen systems have the cert and not have that Event ID.
- Mabel_Gomes
Microsoft
Event ID 1808 used to be logged on every startup. As a result, if Boot Manager or certificates were updated after the device had already booted, Event ID 1808 would not appear until the next restart.
Starting with the April 2026 Windows security update, this behavior has changed. Event ID 1808 is now logged as soon as the update is applied.
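A verification that reads the certificate state straight from the firmware variables and treats Event ID 1808 as corroboration rather than the only signal, which covers the gap CrisLugoB and Mabel_Gomes discuss above (certificates present, event not yet logged until the next restart). This is an added PowerShell example, not code from the thread or from Microsoft. It assumes an elevated session on a UEFI machine; that the 2023 certificate subjects ("Windows UEFI CA 2023", "Microsoft Option ROM UEFI CA 2023", "Microsoft Corporation KEK 2K CA 2023") can be found by an ASCII match in the db and KEK variables; and that Event 1808 is written to the System log by the Microsoft-Windows-TPM-WMI provider.

```powershell
# Added example, not from the thread. Run elevated; Get-SecureBootUEFI needs
# administrator rights and a UEFI system. Returns one object per machine that
# an inventory script can collect and compare against the Intune report.
function Get-SecureBootCa2023Status {
    # Firmware variables: db (allowed signers) and KEK (who may update db/dbx).
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    # Event 1808 (assumed provider: Microsoft-Windows-TPM-WMI, System log).
    # With -ErrorAction SilentlyContinue a "no events found" result is just $null.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1808
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DbHasUefiCa2023    = [bool]($db  -match 'Windows UEFI CA 2023')
        DbHasOptionRom2023 = [bool]($db  -match 'Microsoft Option ROM UEFI CA 2023')
        KekHas2023         = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')
        Event1808Seen      = [bool]$evt
        Event1808Time      = if ($evt) { $evt.TimeCreated } else { $null }
    }
}

$status = Get-SecureBootCa2023Status
$status

# The case raised in the thread: certificates are in firmware but 1808 has not
# been logged yet. Before the April 2026 update this resolves at the next restart.
if ($status.DbHasUefiCa2023 -and $status.KekHas2023 -and -not $status.Event1808Seen) {
    Write-Host 'Certificates are present in db/KEK; Event 1808 not yet logged (expected until the next restart on pre-April-2026 builds).'
}
elseif (-not $status.DbHasUefiCa2023 -or -not $status.KekHas2023) {
    Write-Host 'Certificate update incomplete; do not rely on Event 1808 alone.'
}
```

Treat `DbHasUefiCa2023` and `KekHas2023` as the source of truth for "done"; `Event1808Seen` is useful for correlating with the Intune Secure Boot Status report, which is what the 1808 question in the thread is really about.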