What manual actions are required on Windows Server operating systems (2012 through 2022) for Secure Boot certificate renewal?
I am using SCCM/Microsoft Endpoint Manager to deploy OS updates to these servers. Some documentation indicates that no manual intervention is required and that the certificates should renew automatically. However, in our environment, the Secure Boot certificates have not been renewed yet.
So I am looking for clear instructions.
Hi Karl-WE,
I am using SCCM to manage the patching and am sending diagnostics data to Microsoft, but auto renewal has still not completed; I am getting error code 1801 on most servers. I am looking for your answers on the points below:
- Firmware Update Prerequisite
  What is the role of a firmware update prior to the certificate renewal? How can customers determine whether a firmware update is required, considering it is a time-consuming activity for us? What are the event IDs we need to monitor for incompatible firmware? Is there any specific article for Azure Stack HCI platform VMs?
- Servers with Secure Boot State "Off" or "Unsupported"
  Are any actions required on servers where the Secure Boot state is marked as Off or Unsupported? (Confirm-SecureBootUEFI)
- Event IDs for Monitoring Renewal Status
  As part of proactive monitoring, which event IDs should we track to confirm the successful completion of the certificate renewal process?
- Rollback Plan
  If any issues occur with the server or its applications after the Secure Boot certificate renewal, what rollback plan or procedure is available to revert to the previous certificates?
- Microsoft Enforcement Timeline
  By when will Microsoft enforce Secure Boot certificate renewal through cumulative updates in the case of automatic renewal?
- Karl-WE, Feb 17, 2026, MVP
kumarshai88hotmailco
Firmware Update Prerequisite
It is not a prerequisite; quite the opposite: a FW update can even revert things, when the FW resets Secure Boot with a CA2011 platform key or via a manual / recommended "load BIOS defaults".
This would also trigger BitLocker when it is not paused before the update. MSFT stated in the AMA that it may only update FW through Windows Update (LCU) before the CA2011 certificate expiration. After that point in time it becomes a manual job.
Servers with Secure Boot State “Off” or “Unsupported”
They will not get any updates to Secure Boot via LCU. Same consequences as in the one above.
Event IDs for Monitoring Renewal Status
I have provided a PowerShell script for this, but it is buried in the comments. Link:
Rollback Plan
The AMA didn't mention this. I strongly recommend going forward, not backwards. If an application breaks because it relies on Secure Boot for security / attestation / integration checks, as some anti-cheat apps in the home market certainly do today, the vendors need to update. MS said that they will not revoke the CA2011 certificates anytime soon.
Microsoft Enforcement Timeline
This has already been happening for a longer time now, and the staged rollout waves are becoming larger. Baseline: any system not updated with the CA2023 DB, DBX and KEK will continue to boot, but will not receive any Secure Boot related security fixes after the CA2011 expiration. So systems boot with and without Secure Boot, but with Secure Boot enabled and an expired cert it is not as safe as an updated one.
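Since the script link in the answer above is missing, here is an added example (my own code, not Karl-WE's script and not Microsoft's) that collects the renewal state the question asks about on one server: the Confirm-SecureBootUEFI result (On / Off / Unsupported), whether the CA 2023 certificates are already in the DB and KEK variables, the servicing status the LCU writes to the registry, and the recent TPM-WMI events including the 1801 events mentioned in the question. The registry value names (UEFICA2023Status, AvailableUpdates, MicrosoftUpdateManagedOptIn = 0x5944), the certificate subject strings and the TPM-WMI provider are taken from Microsoft's Secure Boot certificate-update guidance as I know it and should be verified against the documentation for your LCU level; the example only recognises event 1801, which is the one the thread names, and lists the others raw rather than interpreting them.

```powershell
# Added example (not from the thread or from Microsoft): report Secure Boot CA 2023
# renewal state for one server. Run elevated, e.g. via a ConfigMgr "Run Script" or
# Invoke-Command. Assumed names are marked below.
#Requires -RunAsAdministrator

function Test-CaPresent {
    # The Get-SecureBootUEFI blob is the raw EFI_SIGNATURE_LIST; certificate subjects
    # are ASCII inside it, so a substring match shows whether a CA has been enrolled.
    param([string]$Blob, [string]$Subject)
    return (-not [string]::IsNullOrEmpty($Blob)) -and $Blob.Contains($Subject)
}

function Get-SecureBootRenewalStatus {
    [CmdletBinding()]
    param(
        # How far back to look for TPM-WMI events (1801 "needs update" events land here).
        [int]$EventDays = 14
    )

    # 1. Secure Boot state. Confirm-SecureBootUEFI returns $true/$false on UEFI systems
    #    and throws on legacy BIOS / unsupported platforms: that is the "Unsupported" case.
    try {
        $state = if (Confirm-SecureBootUEFI) { 'On' } else { 'Off' }
    } catch {
        $state = 'Unsupported'
    }

    # 2. Read DB and KEK. The variables exist on UEFI systems even with Secure Boot off,
    #    so only the "Unsupported" case is skipped.
    $db = $kek = $null
    if ($state -ne 'Unsupported') {
        try {
            $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
            $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
        } catch { }
    }

    # 3. Servicing state. Assumed value names from Microsoft's guidance:
    #    UEFICA2023Status (NotStarted / InProgress / Updated) and AvailableUpdates (bitmask),
    #    plus the managed-device opt-in value MicrosoftUpdateManagedOptIn = 0x5944.
    $svc    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $root   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $status = (Get-ItemProperty -Path $svc  -Name UEFICA2023Status            -ErrorAction SilentlyContinue).UEFICA2023Status
    $avail  = (Get-ItemProperty -Path $svc  -Name AvailableUpdates            -ErrorAction SilentlyContinue).AvailableUpdates
    $optIn  = (Get-ItemProperty -Path $root -Name MicrosoftUpdateManagedOptIn -ErrorAction SilentlyContinue).MicrosoftUpdateManagedOptIn

    # 4. Recent TPM-WMI events in the System log. Get-WinEvent throws when nothing
    #    matches, so an empty result is treated as "no events".
    $events = @()
    try {
        $events = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-TPM-WMI'
            StartTime    = (Get-Date).AddDays(-$EventDays)
        } -ErrorAction Stop)
    } catch { }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        SecureBootState      = $state
        DbHasWindowsCA2023   = Test-CaPresent $db  'Windows UEFI CA 2023'
        DbHasUefiCA2023      = Test-CaPresent $db  'Microsoft UEFI CA 2023'
        DbHasOptionRomCA2023 = Test-CaPresent $db  'Microsoft Option ROM UEFI CA 2023'
        KekHasKEK2023        = Test-CaPresent $kek 'Microsoft Corporation KEK 2K CA 2023'
        UEFICA2023Status     = $status
        AvailableUpdates     = if ($null -ne $avail) { '0x{0:X}' -f $avail } else { $null }
        ManagedOptIn         = ($optIn -eq 0x5944)
        Event1801Count       = @($events | Where-Object { $_.Id -eq 1801 }).Count
        RecentTpmWmiEvents   = $events | Select-Object -First 5 TimeCreated, Id, LevelDisplayName
    }
}

Get-SecureBootRenewalStatus | Format-List
```

Reading the output: SecureBootState = Off or Unsupported plus empty CA columns is the case the answer above says gets no Secure Boot updates via LCU at all; Secure Boot On with DbHasWindowsCA2023 = False and a non-zero Event1801Count is a server whose renewal has not been applied yet; once the 2023 CAs show True in DB and KEK, the 1801 events should stop appearing for new boots. Collecting the object from all servers (Invoke-Command against a list, then Export-Csv) gives the baseline the question asks for without relying on a firmware update first.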