Can someone please clarify: if all our devices already have Secure Boot enabled and device telemetry is also turned on, will they automatically receive Secure Boot certificate updates through Autopatch?
Or do we still need to deploy the configuration profile that enables Secure Boot certificate updates?
Currently, most of our devices are showing an “Under Observation” status in the Secure Boot report, and I want to confirm if any additional configuration is required.
You may want to ask your question on the May 2026 AMA if you want an answer from Microsoft :-)
If your machines are part of a Windows domain (I would assume they are), they won't receive Secure Boot updates via CFR (telemetry) unless you have ManagedDeviceOptIn policy enabled.
In your scenario, without setting that policy, Secure Boot updates will be received only via LCU (bundled in cumulative updates). Therefore, your devices should eventually receive the new certificates, just not via CFR.
- sankalp1, May 13, 2026, Copper Contributor
Thanks. My only concern is that 90% of devices are in the "under observation" state. Can we do anything to speed it up? We have 30k devices in total and we want to make sure we push this to all of them before expiry.
- mihi, May 13, 2026, Brass Contributor
You can speed this up by
- Enabling Managed Device OptIn
- Pushing them manually via AvailableUpdates
The risks of doing so are low, but with such a large fleet of (I presume) different devices there may be one or another that will cause issues. But I guess you will have to bite one of the bullets.
Also note that expiry of the KEK or DB certificate is in no way a hard deadline for performing certificate updates. The certificate updates can and will still continue after expiry (as the update files have been signed with the old certificates beforehand) in the same way as before, and once your devices are updated they will receive the latest boot components and Secure Boot revocation updates again.
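As an added example (not part of the thread and not mihi's script), the following PowerShell checks, on one device, what the replies above discuss: whether the 2023 KEK and DB certificates are already enrolled in the firmware variables, what the servicing task has recorded, and whether the opt-in or AvailableUpdates values are set; with the `-EnableManagedOptIn` switch it also writes the opt-in value. The registry paths, value names, the `0x5944` value and the certificate subject names are taken from Microsoft's published Secure Boot CA update guidance; the function and parameter names are this example's own. The 2011 CAs stay in DB after the 2023 ones are added, so `DbStillHas2011` being true is expected, not a failure.

```powershell
# Added example: per-device check of the Secure Boot 2023 CA rollout state,
# with an optional opt-in write. Run elevated; read-only unless -EnableManagedOptIn.
#Requires -RunAsAdministrator
param(
    # Set MicrosoftUpdateManagedOptIn only when asked; default is report-only.
    [switch]$EnableManagedOptIn
)

$sbRoot      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$sbServicing = Join-Path $sbRoot 'Servicing'

# Subject names of the 2023 CAs the update enrols (from Microsoft's guidance).
$dbCa2023  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
$kekCa2023 = @('Microsoft Corporation KEK 2K CA 2023')

function Get-UefiVarText {
    param([string]$Name)
    # Certificate subject names are stored as printable ASCII inside the DER
    # blobs in the signature list, so a plain string match is enough.
    $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
    [System.Text.Encoding]::ASCII.GetString($var.Bytes)
}

function Get-SecureBootCertStatus {
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is not enabled on this device; the certificate updates do not apply.'
    }
    $db  = Get-UefiVarText 'db'
    $kek = Get-UefiVarText 'KEK'
    $svc = Get-ItemProperty -Path $sbServicing -ErrorAction SilentlyContinue
    $cfg = Get-ItemProperty -Path $sbRoot      -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        # True only when every expected 2023 CA is present in the variable.
        DbHas2023CAs     = ($dbCa2023  | Where-Object { $db  -notlike "*$_*" }).Count -eq 0
        KekHas2023CA     = ($kekCa2023 | Where-Object { $kek -notlike "*$_*" }).Count -eq 0
        # The 2011 CA is not removed by this update; expected to stay true.
        DbStillHas2011   = $db -like '*Microsoft Windows Production PCA 2011*'
        # Written by the servicing task; missing until it has run at least once.
        ServicingStatus  = $svc.UEFICA2023Status
        ManagedOptIn     = $cfg.MicrosoftUpdateManagedOptIn
        AvailableUpdates = $cfg.AvailableUpdates
    }
}

$status = Get-SecureBootCertStatus
$status | Format-List

if ($EnableManagedOptIn -and -not ($status.DbHas2023CAs -and $status.KekHas2023CA)) {
    # 0x5944 is the opt-in value from Microsoft's guidance: it lets the servicing
    # task update KEK, DB and the boot manager without waiting for the CFR rollout.
    New-ItemProperty -Path $sbRoot -Name 'MicrosoftUpdateManagedOptIn' `
        -PropertyType DWord -Value 0x5944 -Force | Out-Null
    Write-Output 'MicrosoftUpdateManagedOptIn set; the Secure-Boot-Update scheduled task applies it on its next run.'
}
```

For a fleet of the size discussed above, run the report-only form through your management tooling first and pivot on `DbHas2023CAs`/`KekHas2023CA` per hardware model; a model that stays false after the task has run is the one to test the manual `AvailableUpdates` push on before rolling it out broadly.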