Event details

It's time for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot playbook, but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!

How do I participate?

Registration is not required. Simply select Add to calendar then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast

Get started with these helpful resources

Pearl-Angeles
Updated Apr 15, 2026
AMA

197 Comments

Show More
  • Ayrton's avatar
    Ayrton
    Copper Contributor
    Apr 23, 2026

    Are there any updates regarding ESXi VMs failing to install the KEK certificate? From research Broadcom and Microsoft were looking into this

  • Sanjay O P's avatar
    Sanjay O P
    Copper Contributor
    Apr 23, 2026

    Would there be any changes required in the WDAC policies since we have policy updated with anything to be allowed signed by the cert Microsoft Windows Production PCA 2011. So when this is going to be replaced with new PCA 2023 cert, should we update our WDAC policy with the new cert?

  • stela's avatar
    stela
    Copper Contributor
    Apr 23, 2026

    If the devices don't have updated certificates after June 2026, will there be need to disable secure boot, so they to be able to boot?

     

    • SuperIT's avatar
      SuperIT
      Copper Contributor
      Apr 23, 2026

      stela​ They stated, you will be fine and the devices will boot nonetheless (even with SecureBoot enabled) [~22:17min,  Arden White]

  • rcallaghan's avatar
    rcallaghan
    Copper Contributor
    Apr 23, 2026

    Our devices are shipped with OEM Windows Pro and are later upgraded to Windows Enterprise via Intune policy. On a large subset of these devices, the Intune configuration profile used to opt devices into Microsoft‑managed Secure Boot certificate updates is failing with Intune error 65000, and corresponding event logs indicate the policy is being rejected by licensing rather than by Secure Boot or firmware state.

    My question is:

    • Is this a known and acknowledged issue when Secure Boot certificate updates are applied to devices that have undergone OEM Pro → Enterprise conversion via Intune? and what what is the workaround?
    • HeyHey16K's avatar
      HeyHey16K
      Steel Contributor
      Apr 28, 2026

      Do you use Hotpatching? We still get error 65000 on those Intune policy settings too. Rumours are it's because of Hotpatch. We've resorted to using Group policy instead.

    • eddardstark's avatar
      eddardstark
      Copper Contributor
      Apr 23, 2026

      I am currently experiencing this issue as well and working with Microsoft through an open support case.

  • Amanda_A's avatar
    Amanda_A
    Copper Contributor
    Apr 23, 2026

    To kick off Secure Boot cert updates, do we have to set the registry value (or Intune policy that sets it)?

  • Brian Smith's avatar
    Brian Smith
    Occasional Reader
    Apr 23, 2026

    If the Boot Cert is not updated, and an attempt to install a CU that contains updates to the Secure Boot - will the entire CU KB fail to install?

     

    • mihi's avatar
      mihi
      Brass Contributor
      Apr 23, 2026

      No.

      • Updates to DBX will be applied after the reboot by the scheduled task anyway.
      • CUs will continue to ship two boot managers, one for 2011 cert and one for 2023 cert. The update will install the 2011 boot manager (without the new fixes) if the 2023 cert is not present.
  • Simonb1's avatar
    Simonb1
    Icon for Microsoft rankMicrosoft
    Apr 23, 2026

    Any particular attention point or difference on the process for Azure Confidential Compute virtual machines?

  • CrisLugoB's avatar
    CrisLugoB
    Copper Contributor
    Apr 23, 2026

    Is there an Official Rollback option incase of any booting issues after updating?

  • Novis1380's avatar
    Novis1380
    Copper Contributor
    Apr 23, 2026

    In order to do the secure boot certificates updates, do I need to follow the vendor's steps on updating secure boot certificate? For example, dell has a website that states pre-requisites that it need tpm 2.0 and windows server 2022 or later then able to update the secure boot certificate. Is it necessary to follow or I can proceed to update the secure boot certificate via registry keys or the playbook that you provided?

      • Novis1380's avatar
        Novis1380
        Copper Contributor
        Apr 23, 2026

        In response to the answer, this is the website url: https://www.dell.com/support/kbdoc/en-us/000402373/poweredge-server-bios-update-guidelines-for-microsoft-secure-boot-certificates

        Is there a tool that can help us to check whether the server is ready for secure boot certificate update also perform the update for us?

         

  • SuperIT's avatar
    SuperIT
    Copper Contributor
    Apr 23, 2026

    Will the clients still boot after June if no steps are taken?