Event details
It's time for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization: we're here to help!
How do I participate?
Registration is not required. Simply select Add to calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or at any time during the live broadcast.
197 Comments
- stela (Copper Contributor)
When in June 2026 do the old certificates expire, and if the new certificates are not in place at that time, will the devices remain manageable through SCCM and Intune?
Will we still be able to deploy packages and task sequences?
Could you also provide the tool or procedure that will help us manually update the certificates on the devices?
Finally, what will be the impact if we switch the SCCM boot.wim to use the new certificates while not all devices have received them yet?
- mihi (Brass Contributor)
- Yes. Everything will continue to work as it is now, except that you won't receive the latest boot components in upcoming Windows updates, booting from newer external media (or via network) created after the certificates expired (or before but with new certificates in boot.wim) may fail, and the blocklist used to prevent booting older bootloaders or bootkits is no longer updated.
- I guess that is a yes too (I don't know of what kind of packages you talk, but I cannot think of any sense of that word that would touch the boot process in any way)
- It's all in the FAQ. When you have a booting system, set the AvailableUpdates registry key and run the scheduled task. If not, get securebootrecovery.efi from a working machine, copy it to a USB key and boot from it, which should be enough to help get the system installed from any install media, then proceed with the booting system.
- When you try to reimage a system by booting via network or from media, the system that does the reimaging will not boot if Secure Boot is enabled and the boot.wim on the media or the PXE server contains the new certificate. Boot once from securebootrecovery.efi and then it will work again. [On an incompatible device where certificates cannot be installed, securebootrecovery.efi will not work either. In that case, you would have to boot from different media or do the install with disabled Secure Boot, then switch the bootloader to the old one, and enable Secure Boot again.]
- HeyHey16K (Steel Contributor)
Re the rollback comments at 43mins, we have tested two Microsoft Surface Laptop 3s so far. The new Secure Boot certificates have bricked them both (stuck in a loop on the black/white MS logo start-up screen). UEFI is locked down by Intune managed DFCI policy, so we cannot temporarily disable SB to get them to boot. We have 500+ of these in our environment. We have logged a MS support ticket for this issue, but hold no hope as our other SB support ticket for the Intune policy issue, which we logged 6+ weeks ago, hasn't been responded to yet.
- acamachor (Copper Contributor)
Hello.
I have some Windows 11 PCs and some Windows servers that show the CA2023 is "true" with this command (
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
), and show the KEK certificate is "true" with this command (
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI KEK).bytes) -match 'Microsoft Corporation KEK 2K CA 2023')
), but with this query (certutil -dump PK.der) they show 00, which means they don't have the Platform Key (PK) certificate present in the VM. In this scenario, do I need to update the PK, or is it enough to have the CA2023 and the KEK certificate present in these VMs?
Thanks.
- mihi (Brass Contributor)
You do not need a PK installed if Secure Boot is working fine without (depending on firmware) and you have all the required KEKs in the KEK store. The PK is only needed to update PK or KEK stores.
- acamachor (Copper Contributor)
Hello.
For Virtual Machines running Windows Server 2012 R2, 2016, 2019, 2022 with all the Windows updates applied until April 2026 (these VMs are in VMware 8.0.3.0): if the update process for the CA2023 certificate is not executing automatically, do I need to update some kind of BIOS in VMware or in the VM itself to get enough confidence that the updates of CA2023 run automatically? Or if I force the process with the key in the registry, schedule the update and restart the server several times, do I need some kind of update in VMware or in the VM itself?
Thanks.
- iokdeda (Occasional Reader)
Yesterday I had a test in a similar scenario. Windows 2025 fully up to date and VMware 8.0.2.
Setting the AvailableUpdates registry value to 0x5944 and manually running the Secure-Boot-Update scheduled task, after two runs and two reboots I could see the DB updated with the new 2023 certificates. After these reboots I had AvailableUpdates=0x4004, and running the scheduled task again and rebooting the VM again did not change it anymore; the KEK could not be updated (I can see only event id 1801 in the registry, no other errors).
So I guess that if the VM finds the PK null, as is common in VMware environments today, the automatic process could not be completed (https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html). PK and KEK must be updated manually as described in the Broadcom KB https://knowledge.broadcom.com/external/article/423919. Only after PK and KEK are up to date can the automatic process be completed and DB and Bootloader be updated by the Microsoft scheduled task.
- Prabhakar_MSFT
Microsoft
Hello iokdeda, we are coordinating with Broadcom to introduce support in Windows for updating the PK if the Windows OEM Devices PK is missing on Secure Boot- and vTPM-enabled vSphere VMs, thereby facilitating KEK updates.
For VMs created on ESX 9.x hosts, the Windows OEM Devices PK is already present. However, for VMs created on earlier ESX versions, this PK is missing. We are actively working with Broadcom on a solution, which will be enabled through future Windows updates and corresponding Broadcom patches.
- Jamie_Ansell (Iron Contributor)
Hello. I've got a query re: Hotpatch and Secure Boot certificate updates. At around 17 minutes in the AMA it's mentioned that Secure Boot certs are not applied with Hotpatch updates. We were informed several weeks ago that the default Autopatch configuration for Intune managed devices is being changed this month, so that Hotpatch is turned on by default. Does this mean that those devices will not apply Secure Boot certs to UEFI firmware until another baseline is released a few months down the line? If so, then that would seem like really bad timing and would potentially change our approach to allowing Hotpatch to be turned on by default. Will we be forced to apply them via CFR if so? Can you clarify please, thanks.
- HeyHey16K (Steel Contributor)
Hi Jamie,
We were hoping to use Intune to manage our SB certs deployment, and we use Hotpatch. When we configured the Intune SB policy settings we kept getting the infamous 65000 error on all devices. Originally this error was attributed to a Windows licensing issue, which Microsoft advised has now been resolved, but we're still seeing the above.
Not seen anything confirmed yet by Microsoft, but there are rumours going around from strong sources (e.g. Rudy Ooms) about Hotpatch being the root cause. We logged a support ticket to MS for help 6+ weeks ago but not had any response on it.
So we resorted to using Group Policy to deploy the above settings, which has worked well in our testing so far. Others have resorted to using Intune Remediations to overcome the Intune policy issue.
- mihi (Brass Contributor)
It is already possible to deploy the latest Bucket confidence data to a machine without having to install the update it came with (avoiding the reboot). This is commonly used to use the Bucket confidence data shipped with a monthly non-security update without applying the rest of the changes.
https://support.microsoft.com/en-us/topic/a-closer-look-at-the-high-confidence-database-32382469-4505-4ed4-915b-982eff09b5d2#bkmk_deploying_to_other_versions
This will not include fixes of the servicing components (like the one shipped in April that addressed some BitLocker recovery scenarios), but if your goal is to always use the latest bucket confidence data, it should solve your situation without having to fall back to a regular LCU that requires a restart.
- acamachor (Copper Contributor)
Hello, I made a test in Windows Server 2022 and executed these 2 commands in PowerShell:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
Then I restarted the server 4 times. The new certificate was downloaded, but I am getting this message: UEFI2023Status: Capable, KEKLastUpdateErrorReason: Firmware_MissingKEKInPackage. What does this mean: the certificate is downloaded but not applied correctly?
Thanks.
- mihi (Brass Contributor)
It means that your firmware vendor has not provided a signed KEK to Microsoft (signed with the firmware's platform key). You have two options:
- Contact your firmware vendor (probably fruitless)
- Check if there is a firmware update available, install it
- If the issue persists after installing the firmware update, and the firmware update is supposed to include the new certificates in the Default DB, reset Secure Boot settings so that the default DB is used. Don't forget to suspend BitLocker if you use it with TPM.
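Pulling acamachor's db/KEK/PK checks and the AvailableUpdates and scheduled-task state from the later post into one read-only inventory function, as an added example that is not code from the thread or from Microsoft. It assumes an elevated PowerShell session on a UEFI machine; the Servicing subkey under the SecureBoot registry key, where Windows records status values such as the UEFI2023Status quoted above, is assumed as the place those values live, and the 2011 CA name is the well-known subject of the certificate being replaced.

```powershell
# Added example (not from the thread). Run elevated on a UEFI machine; on legacy
# BIOS, Get-SecureBootUEFI and Confirm-SecureBootUEFI throw and are caught below.
function Get-UefiVariableText {
    # Raw variable bytes as ASCII so certificate subject names embedded in the
    # DER structures can be pattern matched (same trick as the commands above).
    param([string]$Name)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
        if (-not $bytes) { return '' }
        return [System.Text.Encoding]::ASCII.GetString($bytes)
    } catch {
        return ''   # variable undefined (the "PK is null" VM case) or unreadable
    }
}

function Get-SecureBootCertStatus {
    $db  = Get-UefiVariableText 'db'
    $kek = Get-UefiVariableText 'KEK'
    $pk  = Get-UefiVariableText 'PK'

    try { $sbEnabled = Confirm-SecureBootUEFI } catch { $sbEnabled = $false }

    $sbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $avail = (Get-ItemProperty -Path $sbKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $availHex = if ($null -ne $avail) { '0x{0:X}' -f $avail } else { $null }

    # Assumed location of the status values (UEFI2023Status etc.); dump every
    # value present instead of hard-coding names that may differ per build.
    $servicing = Get-ItemProperty -Path "$sbKey\Servicing" -ErrorAction SilentlyContinue |
        Select-Object -Property * -ExcludeProperty PS*

    # Last result of the task the thread starts by hand (0 = ran to completion).
    $task = Get-ScheduledTaskInfo -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SecureBootEnabled  = $sbEnabled
        DbHasWindowsCA2023 = [bool]($db  -match 'Windows UEFI CA 2023')
        DbHasWindowsCA2011 = [bool]($db  -match 'Microsoft Windows Production PCA 2011')
        KekHas2023         = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')
        PkByteCount        = $pk.Length     # 0 or a handful of bytes = no usable PK
        AvailableUpdates   = $availHex
        TaskLastRun        = $task.LastRunTime
        TaskLastResult     = $task.LastTaskResult
        Servicing          = $servicing
    }
}

Get-SecureBootCertStatus | Format-List
```

Export the object to CSV from each machine to spot the three states the thread describes: DB updated but KEK not (firmware KEK missing), PK absent (the VMware case), and everything present.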
- Heather_Poulsen
Community Manager
Thank you to everyone who posted questions in advance or joined today's AMA live. We'll host our next edition on May 18. To add it to your calendar, visit Ask Microsoft Anything: Secure Boot - May 18, 2026
- Joe_Friedel (Brass Contributor)
You mentioned the ConfidenceLevel registry value being useful to see which devices are under observation to potentially become high confidence in the future. There are also registry values showing an error state if one occurs when attempting the certificate update. Can the Intune Secure Boot status report get those values added to it so the report helps us determine which devices need manual intervention?
- ConradH (Copper Contributor)
BitLocker:
I am not sure if this has been answered. What is the expected behavior when it comes to enterprise deployment and the prompting of BitLocker recovery keys? Will customers be prompted to enter BitLocker keys due to the changes in BIOS?
- mihi (Brass Contributor)
BitLocker recovery key prompts are never expected to happen if the user does not tamper with their device or (inadvertently) boot from different boot media. During Secure Boot updates, BitLocker recovery prompts have happened due to firmware bugs, which should be remediated by now by Microsoft (until new ones pop up).
- dwqdda (Copper Contributor)
Need a way to update all Secure Boot certs without booting Windows. The securebootrecovery.efi utility exists, but only updates Windows UEFI CA 2023 as far as I know. Need to be sure that the mechanism to update bootloader related components can still be forced after updating all certs beforehand.