Event details
It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization: we're here to help!
On the panel: Arden White, Scott Shell, Richard Powell and Kevin Sullivan
This event has concluded. Follow https://aka.ms/securebootplaybook for announcements about future Secure Boot AMAs.
364 Comments
- saranrajappa (Copper Contributor)
1. When we set the CSP as
(a) HighConfidenceOptOut = Disable
(b) MicrosoftUpdateManagedOptin = Enable
(c) AvailableUpdates = Enable,
when does the certificate deployment start, provided the device has the latest firmware and patch (meeting the requirements for Secure Boot)?
- knmcelhaney (Copper Contributor)
Am I correct in assuming that the default db will only be updated by an OEM's BIOS update? In other words, Microsoft updates would only update the Active db, and never the default. Follow up question: What is the risk of not updating the default db when the active db is up to date?
- Pearl-Angeles (Community Manager)
Panelists covered your question at 48:01 during the live AMA!
- Darbo1982 (Occasional Reader)
Aside from creating the Intune configuration, is there a way to report success or readiness?
- sarahstarIT (Occasional Reader)
So if you are saying that you are looking after the consumer updates so they don't need to worry about the cert, why, as an organization with 6k machines, do I need to do anything? Thanks.
So the cert is already on the OS; this is a plan to make sure that it will be deployed properly to the BIOS?
- mihi (Copper Contributor)
Organizations tend to block telemetry, that's why Microsoft cannot look after them :)
All of this is updating your UEFI firmware (which nowadays usually does not contain a BIOS any more) to have the latest certs, and to switch your installed system to actually use them.
- Id_Jamie (Copper Contributor)
Have we got event IDs to validate if all the default certs have been updated, and not just the current ones?
- xrpfan1337 (Copper Contributor)
What is Microsoft's recommendation for managing firmware on Surface devices for customers using WUfB?
Assuming, from an effort perspective, that enabling Driver Update policies is better than custom SCCM deployments.
- jeddunn (Copper Contributor)
Can you clarify what needs to be done to a MECM environment to prepare for this?
- Joerg1 (Occasional Reader)
Can you give instructions on a boot medium that boots with the 2011 keys and can upgrade the new boot manager, in case Windows does not start any more because the new keys in db are reset to 2011?
- HRamos (Copper Contributor)
How does a large enterprise confirm/validate that their machines in their fleet have the certs in place and activated? Specifically, if they are mixed with some SCCM and some Intune? It is a manufacturing company with the plants still on SCCM/WSUS vs Corporate/Windows Update for Business.
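One way to answer the per-device half of this question, as an added example that is not part of the AMA or of Microsoft's Secure Boot playbook: the built-in SecureBoot PowerShell module can read the active db variable, and the certificate subject names survive as printable ASCII inside the packed DER blobs, so a plain string match shows whether the expiring 2011 Windows CA and the replacement 2023 Windows CA are present. It assumes a UEFI-based Windows 10/11 device and an elevated session; the function name Get-SecureBootCertStatus is chosen here, and the two CA subject strings are the public names of those certificates. It reads only the active db, not dbDefault, so it answers "is the new CA activated on this machine", not "has the OEM firmware's default database been refreshed".

```powershell
# Added example, not code from the AMA or from Microsoft's Secure Boot playbook.
# Assumes a UEFI-based Windows 10/11 device and an elevated PowerShell session;
# Confirm-SecureBootUEFI and Get-SecureBootUEFI come from the built-in SecureBoot module.
function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        SecureBootOn = $false
        DbHasPCA2011 = $null   # Microsoft Windows Production PCA 2011 (the expiring CA)
        DbHasCA2023  = $null   # Windows UEFI CA 2023 (the replacement CA)
        Error        = $null
    }

    try {
        # Throws on legacy-BIOS machines; record that as "not readable" instead of failing the run.
        $result.SecureBootOn = [bool](Confirm-SecureBootUEFI)
    } catch {
        $result.Error = "Secure Boot not supported or not readable: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    try {
        # 'db' is the active signature database. Certificate subjects are stored as
        # PrintableString inside the DER blobs, so an ASCII search is enough to spot each CA.
        $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $result.DbHasPCA2011 = $dbText -match 'Microsoft Windows Production PCA 2011'
        $result.DbHasCA2023  = $dbText -match 'Windows UEFI CA 2023'
    } catch {
        $result.Error = "Could not read db: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

# Emit one compact JSON record per device so any script-based inventory
# (SCCM, Intune or something else) can collect and aggregate the results.
Get-SecureBootCertStatus | ConvertTo-Json -Compress
```

A device counts as activated for the new CA when DbHasCA2023 is true; DbHasPCA2011 will usually still be true next to it, since adding the 2023 CA to db does not remove the 2011 one. Because the script is a single self-contained file, the same block can be pushed through whichever management channel each part of the fleet uses, and the JSON lines compared in one place.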
- gman1138 (Copper Contributor)
So is the general advice:
If you have a common Dell, Lenovo or Surface device, you 'should' be fine just making sure the UEFI/BIOS is up to date, and then leaving it to Microsoft to update the certificate on the client via CFR?
If you have some wacky bit of hardware, like a custom-built gaming PC or an odd meeting-room system, then you might need to manually add the reg key to tag it as a known good system?
- Pearl-Angeles (Community Manager)
Thanks for your participation in this AMA! Panelists covered this topic at 49:37.