Event details
It's time for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization: we're here to help!
How do I participate?
Registration is not required. Simply select Add to calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or at any time during the live broadcast.
177 Comments
- mpottratz (Copper Contributor)
Is it true that once the expiration date has passed, there will be no way to update the certificates after the fact? No tool or utility for the client end (I've heard MFGs are making server hardware tools possible)?
- mihi (Brass Contributor)
No, this is not true. Certificate updates that have already been signed before expiration (which includes all the updates this whole topic is about) can still be applied after the expiration date. Only new boot managers or new KEK/DBX updates can no longer be signed by Microsoft (by the old certs) once the expiration date has passed.
- TomDalton (Occasional Reader)
Is there an Intune export that can tell me which of my global devices are on the new certs or the old ones? I don't overly care which devices are high confidence; I care more about which ones are already done and which ones aren't.
- AdamDunleavy (Copper Contributor)
Yes, there is one available within Reports > Windows Quality Updates > Secure Boot Status
- mpottratz (Copper Contributor)
https://intune.microsoft.com/#view/Microsoft_EMM_ModernWorkplace/SecureBootReport.ReactView
- Marcin_Kolodziejczak (Copper Contributor)
How will a Hyper-V environment work? Will all virtual machines be OK if the Hyper-V host has the new certificates?
- Prabhakar_MSFT (Microsoft)
Hi Marcin_Kolodziejczak, Hyper-V host updates do not change the existing VMs that did not already have the new certificates. All new Hyper-V VMs created have the new certificates pre-installed. If you have long-running VMs, the certificates need to be deployed. Microsoft will be updating the VM devices as part of the high-confidence-based rollout in a future update. You can also apply the certificates to firmware by configuring the AvailableUpdates registry value to 0x5944 after updating the VM device to the latest available Windows patches.
- Marcin_Kolodziejczak (Copper Contributor)
Thank you for your answer!
- Sanjeev0112 (Occasional Reader)
Which OS flavours does this apply to?
- Prabhakar_MSFT (Microsoft)
Hi @Sanjeev0112, the certificates apply to all Secure Boot enabled devices, including Windows Server 2012 and up.
- Heather_Poulsen (Community Manager)
Welcome to today's Secure Boot AMA! We'll start with the questions posted in advance below, but keep them coming and we'll do our best to help.
- Marcin_Kolodziejczak (Copper Contributor)
Hi, question:
Let's say I update our certs via Intune or registry keys. What will happen if I have to reset UEFI for some reason?
Will the new certs stay, or will I have to install them again?
- epoch71 (Copper Contributor)
Can you confirm, please: is Event ID 1808 absolute confirmation that the certs are all in place and there's nothing left to do? Thanks.
- Mabel_Gomes (Microsoft)
Yes, correct. Event ID 1808 confirms that the device has the required new Secure Boot certificates applied to the device's firmware and there is no other action required in this certificate update process.
- CrisLugoB (Copper Contributor)
I can say Event ID 1808 is not absolute confirmation. I have seen systems have the cert and not have that Event ID.
- Mabel_Gomes (Microsoft)
Event ID 1808 used to be logged on every startup. As a result, if Boot Manager or certificates were updated after the device had already booted, Event ID 1808 would not appear until the next restart.
Starting with the April 2026 Windows security update, this behavior has changed. Event ID 1808 is now logged as soon as the update is applied.
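As an added example (not code from the AMA, from Microsoft or from any commenter), a PowerShell status check tying together the two answers above: it reports whether the Secure Boot DB and KEK already carry the new CAs, whether Event ID 1808 has been logged, and what AvailableUpdates is currently set to, plus a helper that sets the 0x5944 value Prabhakar_MSFT describes. The 2023 CA names, the registry path and the TPM-WMI provider name are assumptions drawn from Microsoft's public documentation, not values given on this page.

```powershell
# Added example, not part of the AMA. Assumptions: the new certificates are the
# 2023 Microsoft CAs named below; AvailableUpdates lives under
# HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot; Event ID 1808 is written
# by the Microsoft-Windows-TPM-WMI provider to the System log.
# Run in an elevated PowerShell session on a UEFI device.

function Get-SecureBootCertStatus {
    # Legacy BIOS machines throw here; report Secure Boot as not enabled.
    try { $sbEnabled = Confirm-SecureBootUEFI } catch { $sbEnabled = $false }

    # The DB and KEK variables hold DER certificates; subject names are ASCII
    # inside the DER, so a plain substring match is enough for inventory.
    $dbText  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kekText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    # Event 1808: Windows recorded that the certificate update completed.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1808
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $avail = (Get-ItemProperty -Path $regPath -Name AvailableUpdates `
              -ErrorAction SilentlyContinue).AvailableUpdates

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SecureBootEnabled  = $sbEnabled
        DbHasWindowsCA2023 = $dbText  -match 'Windows UEFI CA 2023'
        KekHasKEK2023      = $kekText -match 'Microsoft Corporation KEK 2K CA 2023'
        Event1808Logged    = ($null -ne $evt)
        Event1808Time      = if ($evt) { $evt.TimeCreated } else { $null }
        AvailableUpdates   = if ($null -ne $avail) { '0x{0:X}' -f $avail } else { 'not set' }
    }
}

function Request-SecureBootCertUpdate {
    # Sets AvailableUpdates = 0x5944 as in the answer above; Windows' Secure Boot
    # servicing then applies the certificates over subsequent restarts (assumed).
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    Set-ItemProperty -Path $regPath -Name AvailableUpdates -Value 0x5944 -Type DWord
}

$status = Get-SecureBootCertStatus
$status | Format-List
if ($status.DbHasWindowsCA2023 -and $status.KekHasKEK2023 -and $status.Event1808Logged) {
    Write-Host 'New certificates present and Event ID 1808 logged: nothing left to do.'
} elseif ($status.SecureBootEnabled) {
    Write-Host 'Certificates not fully present; run Request-SecureBootCertUpdate on a patched device.'
}
```

Collecting the returned object from many devices (for example through a management script) gives the "done / not done" inventory asked about earlier in the thread, independent of the Intune report.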
- MHazC (Copper Contributor)
What telemetry level should we have set in our org for the certs to properly install? Currently we have them set to blocked here and I know that is wrong, but I'm unsure what would be correct for this case. Is there any sort of guidance available for this?
- mihi (Brass Contributor)
Answered twice in the video, basic/recommended telemetry is enough if you want to take part in the CFR process. In case your machines are managed, in addition to enabled telemetry, you also need to set the Managed Device Opt In so that you take part in CFR. If you don't take part in CFR, you will get the certificates only for High Confidence devices via the LCU.
- csmith-norwood (Brass Contributor)
I got to the report in Intune, but is there a way to get better data besides yes/no/not applicable? The results appear to be random in nature, and I'm not sure it's properly reporting on Secure Boot status. I have multiple new computers that were purchased and distributed around the same time, and some are and some aren't showing as set to Secure Boot. I thought this was set on by default these days.
- BlueSakura (Brass Contributor)
Will Microsoft keep updating the High Confidence list after the 2011 certificates expire for devices that we configure for High Confidence before deploying?
- BlueSakura (Brass Contributor)
You've mostly answered my question. I was looking for whether we need to skip the High Confidence configuration to meet the deadline.
- mihi (Brass Contributor)
I am unsure what deadline you are talking about. Depending on what devices you are using, not all of them may become High Confidence by June. So if you want to make sure to have those devices updated, you need to manually push the updates.