Event details

It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot playbook, but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!

On the panel: Arden White; Scott Shell; Richard Powell, Kevin Sullivan

 

This event has concluded. Follow https://aka.ms/securebootplaybook for announcements about future Secure Boot AMAs.

Get started with these helpful resources

Heather_Poulsen
Updated Feb 19, 2026
AMA

364 Comments

Show More
  • Darbo1982's avatar
    Darbo1982
    Occasional Reader
    Feb 05, 2026

    the newest ADMX/ADML template files contain settings to control the Secure Boot cert push/etc. is this actually needed?

  • clreid1286's avatar
    clreid1286
    Occasional Reader
    Feb 05, 2026

    When updating Server 2025 running on a VMware environment we are seeing the registry indicating a successful update, but not getting an event of 1808 to indicate it was successful in the update.  We are also not seeing any errors in the event viewer.  Are we safe to assume a successful deployment or that we will get a successful deployment at some point?  Is there something else we need to do to verify deployments are successful?

  • DaveA24's avatar
    DaveA24
    Occasional Reader
    Feb 05, 2026

    How will I know when Microsoft have released certificates to all of my enterprise estate, and anything not updated will require some form of remediation?  I feel a little lost not knowing if I'm in the current deployment ring or not

  • Curtis_Sawin's avatar
    Curtis_Sawin
    Icon for Microsoft rankMicrosoft
    Feb 05, 2026

    When will Windows 365 gallery images contain the new secure boot certificates?

     

    • Pearl-Angeles's avatar
      Pearl-Angeles
      Icon for Community Manager rankCommunity Manager
      Feb 06, 2026

      Thanks for your participation! Panelists covered this topic at 53:39 during the live AMA.

  • lord_eddard_stark's avatar
    lord_eddard_stark
    Copper Contributor
    Feb 05, 2026

    For manually installing the Secure Boot certificate update, is updating the BIOS the only way to do it? If I’m remembering correctly, the Microsoft-provided steps mainly prepare the device to receive the update from Microsoft, but don’t actually provide a way to manually install it. Can you confirm?

    Deploy certificates with registry keys

    Deploy certificates via WinCS

    Deploy certificates using Group Policy

    • Pearl-Angeles's avatar
      Pearl-Angeles
      Icon for Community Manager rankCommunity Manager
      Feb 06, 2026

      Thanks for your question! Panelists covered this topic at 54:10 during the live AMA.

  • fxatac's avatar
    fxatac
    Occasional Reader
    Feb 05, 2026

    Will there be native Intune reporting capabilities for monitoring the Secure Boot update?

    • HeyHey16K's avatar
      HeyHey16K
      Steel Contributor
      Feb 13, 2026

      There was briefly an Intune report but Microsoft revoked it due to issues. Hopefully it will return soon 🤞

  • jeddunn's avatar
    jeddunn
    Copper Contributor
    Feb 05, 2026

    If a device has the new certs installed and booting on the new certs, will the UEFI2023Status in the registry be set to Updated? 

  • gman1138's avatar
    gman1138
    Copper Contributor
    Feb 05, 2026

    Just wanted to double check, you said if you're enrolled into any kind of management solution for updates i.e. WSUS,  you won't get the CFR. 

    Does this include Windows Update for Business and Autopatch via Intune?

  • kev403's avatar
    kev403
    Copper Contributor
    Feb 05, 2026

    Are the cert updates available through SCCM for endpoints that don't have access to Windows Update?

  • MattCasper's avatar
    MattCasper
    Copper Contributor
    Feb 05, 2026

    We see the Secure Boot report in Intune for all of our devices even though they are not all enrolled in Autopatch. Is this expected and would this be accurate? 

    Also, the report shows a certificate status as one value, but when you export the report to a CSV, all the values are different (all changed to 'Not applicable'. Has anyone else reported this?