Event details
397 Comments
Hi community, SochiOgbuanya Ashis_Chatterjee,
I am providing my PowerShell script below, which makes diagnosing the state across computers easier. It can be used locally or remotely, as a remediation script in Intune, or for exporting events. If you do not need all events, you can customise the script.
When using Event Viewer or Azure Monitoring, this XPath syntax can be used to fetch all relevant events.
In Event Viewer, you can create a custom view on a specific computer to monitor these events.
<QueryList> <Query Id="0" Path="System"> <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-TPM-WMI'] and (Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and (EventID=1032 or EventID=1033 or EventID=1034 or EventID=1036 or EventID=1037 or EventID=1043 or EventID=1044 or EventID=1045 or EventID=1795 or EventID=1796 or EventID=1797 or EventID=1798 or EventID=1799 or EventID=1801 or EventID=1808)]] </Select> </Query> </QueryList>function Get-SecureBootDbxEvents { <# .SYNOPSIS Collects Secure Boot DBX–related TPM-WMI events from the System event log, grouped by Event ID, with optional diagnostics, time filtering, and export. .DESCRIPTION This function retrieves TPM-WMI events associated with Secure Boot DBX update processing, as referenced in Microsoft KB5016061. To ensure reliable performance on systems with large event logs, each Event ID is queried in parallel using thread jobs, avoiding the 256‑event limitation of Get-WinEvent. The function supports optional diagnostics for Secure Boot, DBX, and TPM readiness, UTC-normalized time filtering, remote computer targeting, and structured export of collected events. .PARAMETER ComputerName Specifies the target computer to query. Defaults to the local machine. .PARAMETER StartTime Returns only events with a TimeCreated value greater than or equal to the specified timestamp. The timestamp is normalized to UTC to ensure consistent filtering across systems and time zones. .PARAMETER ExportCsv Specifies a file path for exporting all collected events in CSV format. .PARAMETER ExportJson Specifies a file path for exporting all collected events in JSON format. .PARAMETER Diagnostics Runs Secure Boot, DBX, and TPM readiness checks before event collection. .EXAMPLE Get-SecureBootDbxEvents -StartTime (Get-Date).AddDays(-7) Retrieves all Secure Boot DBX–related TPM-WMI events from the past seven days. .EXAMPLE Get-SecureBootDbxEvents -Diagnostics -Verbose Runs diagnostics and displays detailed progress information. .EXAMPLE Get-SecureBootDbxEvents -ComputerName SERVER01 -Diagnostics -Verbose Runs diagnostics and collects events from a remote server. .NOTES Event IDs are derived from Microsoft KB5016061. Requires read access to the SYSTEM event log and the Microsoft-Windows-TPM-WMI provider. .LINK https://github.com/cjee21/Check-UEFISecureBootVariables Related project to identify the current state around Secure Boot .LINK https://techcommunity.microsoft.com/users/karl-we/289393?wt.mc_id=mvp_338345 Contact the author .LINK https://support.microsoft.com/topic/secure-boot-db-and-dbx-variable-update-events-37e47cf8-608b-4a87-8175-bdead630eb69?wt.mc_id=mvp_338345 Microsoft Guidance on related Event IDs .LINK https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235#community-4469235-_option2?wt.mc_id=mvp_338345 Microsoft Guidance on Secure Boot Deployment .VERSION 1.2.1 # Version History (Semantic Versioning) # MAJOR version — increment when making incompatible changes # MINOR version — increment when adding functionality in a backward-compatible manner # PATCH version — increment when making backward-compatible bug fixes 1.2.1 - Added additional outputs about Secure Boot state after the output of logfiles 1.2.0 - Output per EventID to avoid hitting the maximum item count - Added per‑ID statistics (count, first, last) - Added color‑coded severity output - Grouped output per EventID - Remote computer support 1.1.0 - Added CSV and JSON export options - UTC-normalized StartTime filtering 1.0.0 - Initial release with: - Secure Boot / DBX / TPM diagnostics #> [CmdletBinding()] param( [string]$ComputerName = $env:COMPUTERNAME, [datetime]$StartTime, [string]$ExportCsv, [string]$ExportJson, [switch]$Diagnostics ) #region Event IDs from KB5016061 # These are the documented Secure Boot DBX update and remediation events. $EventIds = @( 1032, 1033, 1034, 1036, 1037, 1043, 1044, 1045, 1795, 1796, 1797, 1798, 1799, 1801, 1808 ) #endregion Event IDs from KB5016061 #region Time filter normalization # Detect whether StartTime was explicitly provided. $HasStartTime = $PSBoundParameters.ContainsKey('StartTime') # Convert StartTime to UTC for consistent filtering across systems. $StartTimeUtc = $null if ($HasStartTime) { $StartTimeUtc = $StartTime.ToUniversalTime() } #endregion Time filter normalization #region Diagnostics if ($Diagnostics) { Write-Verbose "Running Secure Boot, DBX, and TPM diagnostics on $ComputerName..." # Secure Boot state (local only) if ($ComputerName -ne $env:COMPUTERNAME) { Write-Warning "Diagnostics are local-only (Confirm-SecureBootUEFI/Get-SecureBootUEFI). Remote diagnostics not supported." } try { Write-Host "Secure Boot Enabled:" (Confirm-SecureBootUEFI) -ForegroundColor Green } catch { Write-Warning "Secure Boot state could not be determined." } try { Write-Host "New Secure Boot CA2023 deployed in Firmware / Windows Bootloader:" -ForeGroundColor Green [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023' } catch { Write-Warning "Secure Boot state could not be determined." } try { Write-Host "Secure Boot CA2023 Status:" -ForeGroundColor Green Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot } catch { Write-Warning "Secure Boot state could not be determined." } # DBX variable try { $dbx = Get-SecureBootUEFI -Name dbx Write-Host "DBX Bytes:" $dbx.Bytes.Length -ForegroundColor Green } catch { Write-Warning "DBX variable could not be retrieved." } # TPM state try { $tpm = Get-Tpm -ComputerName $ComputerName Write-Host "TPM Present:" $tpm.TpmPresent Write-Host "TPM Ready :" $tpm.TpmReady Write-Host "TPM Version:" $tpm.ManufacturerVersion } catch { Write-Warning "TPM state could not be retrieved." } Write-Host "" } #endregion Diagnostics #region Parallel Fetch Write-Verbose "Fetching events per Event ID in parallel from $ComputerName..." # Thread-safe collection for results $Results = [System.Collections.Concurrent.ConcurrentBag[object]]::new() # Store job handles $Jobs = @() foreach ($EventID in $EventIds) { # Start a thread job for each Event ID $Jobs += Start-ThreadJob -ArgumentList $EventID,$ComputerName,$HasStartTime,$StartTimeUtc -ScriptBlock { param( [int]$EventID, [string]$ComputerName, [bool]$HasStartTime, $StartTimeUtc ) # Build filter for Get-WinEvent $Filter = @{ LogName = 'System' ProviderName = 'Microsoft-Windows-TPM-WMI' Id = $EventID } # Add StartTime only if provided if ($HasStartTime) { $Filter.StartTime = [datetime]$StartTimeUtc } # Query events and return selected fields Get-WinEvent -ComputerName $ComputerName -FilterHashtable $Filter -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, LevelDisplayName, Message } # end ScriptBlock } # end foreach EventID # Collect results from all jobs foreach ($job in $Jobs) { $out = Receive-Job -Job $job -Wait -AutoRemoveJob if ($out) { foreach ($evt in $out) { $Results.Add($evt) } } } #endregion Parallel Fetch #region Output Handling if (-not $Results.Count) { Write-Warning "No TPM-WMI events found for the specified criteria." return } # Group and sort events by Event ID $Grouped = $Results | Sort-Object Id, TimeCreated | Group-Object Id foreach ($Group in $Grouped) { $Events = $Group.Group | Sort-Object TimeCreated Write-Host "" Write-Host "===== Event ID $($Group.Name) =====" Write-Host "Count:" $Events.Count Write-Host "First:" $Events[0].TimeCreated Write-Host "Last :" $Events[-1].TimeCreated Write-Host "" # Color-coded severity output foreach ($Evt in $Events) { $Color = switch ($Evt.LevelDisplayName) { 'Critical' { 'Magenta' } 'Error' { 'Red' } 'Warning' { 'Yellow' } 'Information' { 'Cyan' } default { 'Gray' } } Write-Host ("[{0}] {1} - {2}" -f $Evt.TimeCreated, $Evt.LevelDisplayName, $Evt.Message) -ForegroundColor $Color } } # Export CSV if requested if ($ExportCsv) { Write-Verbose "Exporting results to CSV: $ExportCsv" $Results | Sort-Object Id, TimeCreated | Export-Csv -Path $ExportCsv -NoTypeInformation -Encoding UTF8 } # Export JSON if requested if ($ExportJson) { Write-Verbose "Exporting results to JSON: $ExportJson" $Results | Sort-Object Id, TimeCreated | ConvertTo-Json -Depth 5 | Out-File -FilePath $ExportJson -Encoding UTF8 } # Return sorted objects for pipeline use $Results | Sort-Object Id, TimeCreated #endregion Output Handling } # end function Get-SecureBootDbxEventsNICE! You may have saved us a LOT of work my friend!
I'll try this on M365 managed PCs and report back how your script works or can/must be adapted. (if I find time)
OK - forget it. 🤣
The bug mentioned here Microsoft Intune method of Secure Boot for Windows devices with IT-managed updates - Microsoft Support on Windows Pro (Business) devices is real. 🙄
All device in our test ring are stuck on the dreaded Intune error 65000 (unspecific licensing issue), none have attempted to update yet. (How come all our VMs are already updated? 🤔)Until Microsoft gets this to work on Pro devices, we'll have to wait.
Fun fact: Since the bug lies with Intune, no amount of local log or registry crunching will give you any hint at what's going on.
This topic comes right in place to share what I saw on a old computer from 2013.
I read carefully the blog page on the topic: Updating Microsoft Secure Boot keys | Windows IT Pro blog
and the registry key settings:
https://support.microsoft.com/en-us/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d#articlefootersupportbridge=communitybridge
If I understand properly, the task
Start-ScheduledTask -TaskName “\Microsoft\Windows\PI\Secure-Boot-Update”
is trying to update the UEFI with the new certificates. It is correct?
BUT the whole is missing a critical scenario: what if the UEFI do NOT support the update of certificates?
On my mainboard from 2013, an Asrock Z87E-ITX, with last bios 2.5 from 2018, out of support from Asrock for years already, running the task is having a very strange behavior on Windows 10 Pro:
- if the wifi is off, I get an error 1801 with "Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware"
- if the wifi is on, the computer is freezing completely (exactly 5 min after start, matching the delay of the trigger in the task), nothing is written is any logs, as if the task trying to touch the UEFI will reach a critical address.
In the bios/UEFI on this machine, there is no way whatsoever to manage the keys and certificates. No way to read (and less to write). It seems Asrock did not implement the SecureBoot completely there...
And there is NO TPM chip on that board...So next question: what if the certificates are not updated in the UEFI? Should not the update within Windows be enough?
Lots of people are seeing the 'hang/freeze after 5 minutes' (Windows 10) when Task Scheduler runs 'Microsoft\Windows\PI\Secure-Boot-Update'. Numerous people (including me) started seeing this issue after January's ESU KB5073724. Reddit etc. is full of similar stories. I've been getting by by disabling the network (stopping NSI service at startup and enabling after 5 mins). Hopefully Microsoft will pick up on this and resolve things as it's hurting lots of people!
I've added my story to this Windows forum:https://www.tenforums.com/windows-updates-activation/222472-january-2026-esu-kb5073724-windows-freezes-after-4-5-minutes.html
Does it avoid the freeze if you set in registry
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
- AvailableUpdates = 0 (remember the previous value)
- HighConfidenceOptOut = 1 (you may have to create as DWORD if not present)
That way, the scheduled task should not pick up any Secure Boot update and future cumulative updates will not automatically try to install any Secure Boot updates either. On the other hand, you should try manually to install all the ones you can (without freezing) if you intend to have Secure Boot protecting your machine at the same level after June 2026. If you cannot install any of them, leaving Secure Boot on with old certificates is still more secure than turning it off.
Out of curiositry, in
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
Can you look up BucketHash and ConfidenceLevel and post them here? Thanks.
- Arden_White
Microsoft
Hi Eric, I can help clarify this.
Event 1801 indicates that the Secure Boot certificates on the device have not yet been applied. It is marked as an error to make sure it stands out, since having current certificates is important for device security.
Wi‑Fi or network connectivity shouldn’t affect this process. Secure Boot does not rely on the network, and certificate updates do not require network access to complete. The updated certificates were included in last year’s monthly Windows updates, so any device that installed those updates already has the new certificates available.
What remains is the step where Windows applies those certificates to the device’s firmware. That final step can occur in several ways:
- Controlled Feature Rollout for devices receiving Windows Update directly from Microsoft.
- High confidence updates included in monthly cumulative updates for devices that have shown, through observed behavior, that they can successfully apply new Secure Boot certificates.
- Direct configuration by setting the AvailableUpdates registry key, or indirectly through Group Policy or Intune.
I don’t have specific information on ASRock firmware behavior, so I can’t speak to that. A TPM is not required for Secure Boot certificate updates.
After the Secure Boot certificates expire, devices that haven’t received the newer 2023 certificates will continue to start and operate normally, and standard Windows updates will continue to install. However, these devices will no longer be able to receive new security protections for the early boot process, including updates to Windows Boot Manager, Secure Boot databases, revocation lists, or mitigations for newly discovered boot level vulnerabilities.
What manual actions are required on Windows Server operating systems (2012 through 2022) for Secure Boot certificate renewal?
I am using SCCM/Microsoft Endpoint Manager to deploy OS updates to these servers. Some documentation indicates that no manual intervention is required and that the certificates should renew automatically. However, in our environment, the Secure Boot certificates have not been renewed yet.so looking for the clear instructions.
HI Karl-WE
I am using SCCM to manage the patching and Sending Diagnostics data to Microsoft, but still Auto renewal not yet Completed, getting error code 1801 on mostly servers, looking for your answer on below:- Firmware Update Prerequisite
What is the role of a firmware update prior to the certificate renewal? How can customers determine whether a firmware update is required, considering it is a time‑consuming activity for us? what are the event IDS we need to monitor for not compatible firmware. is any specific article for Azure Stack HCI Platform VMs? - Servers with Secure Boot State “Off” or “Unsupported”
Are any actions required on servers where the Secure Boot state is marked as Off or Unsupported? (Confirm-SecureBootUEFI) - Event IDs for Monitoring Renewal Status
As part of proactive monitoring, which event IDs should we track to confirm the successful completion of the certificate renewal process? - Rollback Plan
If any issues occur with the server or its applications after the Secure Boot certificate renewal, what rollback plan or procedure is available to revert to the previous certificates? - Microsoft Enforcement Timeline
By when will Microsoft enforce Secure Boot certificate renewal through cumulative updates in the case of automatic renewal?
kumarshai88hotmailco
Firmware Update Prerequisite
It is not a prerequisite, quite the opposite FW update can even revert when the FW would reset Secure Boot by a CA2011 platform key or manual / recommended "load bios defaults".
This would also trigger Bitlocker when not paused before the update.MSFT stated in the AMA that it may only update FW through Windows Update (LCU) before the CA2011 certificate expiration. After this point in time it becomes a manual job.
Servers with Secure Boot State “Off” or “Unsupported”
They will not get any updates to secure boot via LCU. Same consequences as in the one above
.Event IDs for Monitoring Renewal Status
I have provided a PowerShell Script for this, but it is buried in the comments. Link:;
Rollback Plan
The AMA didn't mention this. I greatly recommend going forward not backwards. If an application breaks bc. it relies on Secure Boot for Security / Attestation / Integration Checks, such as some Anti-Cheat apps today in the home market certainly do, the vendors need to update.MS spoke about that they will not revoke the CA2011 certificates anytime soon.
Microsoft Enforcement Timeline
this is already happening for a longer time now and the staged rollout (waves) becoming are larger.Baseline: any system not updated with DB, DBX, KEK with CA2023 will continue to boot but not receiving any Secure Boot related security fixes after CA2011 expiration. So systems boot with and without Secure Boot, but with Secure Boot enabled and expired cert it is no as safe as the updated one,
- Firmware Update Prerequisite
Please correct the error/misunderstanding regarding the GPO "Automatic Certificate Deployment via Updates"
Automatic Certificate Deployment via Updates
Enabled = HighConfidenceOptOut = 1
Disabled = HighConfidenceOptOut = 0
https://support.microsoft.com/en-us/topic/group-policy-objects-gpo-method-of-secure-boot-for-windows-devices-with-it-managed-updates-65f716aa-2109-4c78-8b1f-036198dd5ce7>> correct description!
#######
Secure Boot playbook for certificates expiring in 2026
>> incorrect description at the End! (Should be "Enabled")- Arden_White
Good eye! I'll see about getting that changed.
I believe theGroup Policy Objects (GPO) method of Secure Boot for Windows devices with IT-managed updates page has the correct description.
Thank you so much for this AMA
- Q1A) What happens to VMware UEFI VMs, as well as Hyper-V, Azure Local and Azure generation 2 VMs that are isolated from the Internet?
Q1B) What is the step-by-step procedere to change their Secure Boot root certificate at scale? Especially the Platform Key (PK)? - Q2: Is there any dependency on the root hardware for VMware ESXi hosts or Hyper-V hosts and the certificate change?
- Q3A) What happens to end user devices at home or work or physical servers which will not or never receive any UEFI firmware updates after the old root cert, especially PK expires?
Answer for Q3A:The device will continue to boot and function normally. However, it will no longer receive future security fixes for Windows boot manager updates or Secure Boot, compromising the security of the device. Source: General Questions, Q4
- Q3B) Will devices with the old expired (insecure) Root Certificate still be functional and booting Windows or other OSes using Secure Boot?
If yes, how is it ensured and secure that they boot with an expired (or even tampered) certificate?
If no, do you have a step by step guide how to remediate a relevant amount of these outdated systems at scale?
Answer for Q3B:
The device will continue to boot and function normally. However, it will no longer receive future security fixes for Windows boot manager updates or Secure Boot, compromising the security of the device. Source: General Questions, Q4.
You might need to update the devices manually when the OS is still supported. How-To: Michael Niehaus (PS Module) / Gunnar Haslinger (Guide), please use Edge for in-line translation. - Q3C) When the (Windows or Linux) OS deployed the new keys into the Firmware, and the PK remains outdated (CA2011), then the customer / user updates the Firmware, will Windows boot?
Asking because often Firmware (UEFI / BIOS Updates) reset the keys or entering setup phase. When I understand this correctly the PK key is outdated and revert the updates made by the OS.
What is your guidance here?
Answer to Q3C:
Resetting the DB / KEK after it has been updated with a BIOS reset / Secure Boot Reset or BIOS Update that does not contain the CA2023 PK might tamper Secure Boot - as designed -
Windows will stop booting due to the Secure Boot Violation. This might trigger Bitlocker, Windows Hello (PIN) and other features.
Source: Customer / IT Managed Systems Q1 & Q7, ref to Bitlocker / Windows Hello (PIN) - based on own tests. - Q4) Could you please describe, if any, the dependency between the OS level update process in the Windows, Windows Server or Azure Local OS and the UEFI firmware?
Answer to Q4:
For Windows Server, Hyper-V things should go well as Microsoft will try to update both DB and KEK in the VM. Before that a workaround was required.
Source: Customer / IT Managed Systems Q5 / General Question Q7 - Q5) What happens to older OS that are receiving ESU, or do not receive ESU? Theoretically all devices since Windows Server 2012 R2, 8.1 could be configured with UEFI OS Secure Boot.
Answer to Q5:
Windows OS with ESU are considered supported / eligible systems. Unsupported OSes will not receive any updates. They remain bootable but Secure Boot becomes insecure. See Q3. - Q6A) Is there any obligation for OEMs and ISV - especially including retail mainboard manufacturers, such as MSI, Asus, Asrock, Gigabyte, Medion, Huawei, Intel etc.- to update their UEFI firmwares?
Answer to Q6A:
Appears there is no eligibity for OEMs or ISV / Retail to provide updates. Source: Please consult OEM pages. Retail is missing out. I am asking for further clarification, esp. for non OEM systems, or OEM systems that are unlisted.
Q6B) what is their timeline?
Q6C) will this include all mainboard models and chipsets, which still could run CPUs, certified for Windows 11?
Context: Thinking about some million of custom build (workstation) computers or gaming computers out there that are not "OEM" and eventually not managed by organizations. - Q7) How can we ensure that default Windows RE partitions across the board, or custom Windows PE images are updated and compliant with the new Secure Boot root cert?
- Q8) Are Linux distros adopting this change?
Context:
When Microsoft adapted Secure Boot there was a large fallout with Linux distros which didn't support UEFI at all in grub /Kernel. Thankfully this has changed so no one has to turn off Secure Boot for using Windows and Linux on the same hardware.
Preliminary note:
My own tests are not running good! When Windows 11 has updated Secure Boot, Distros with older CA2011 certs cause a boot violation (as per design). - Q9) Are other vendors adopting the change?
Context:
Other vendors in business and non business bootable devices, including backup vendors, partition tools, driver and firmware updater - ISOs or USB creation tools by HPE, Dell, Seagate, Samsung etc.
My concern is that they will keep using the expired UEFI root certs, which could deny booting.
Macrium Reflect X is the first product I see that has implemented a choice for the new or old root certificate for Windows RE /PE rescue media.
added Q3C, having a better understanding.
added answers and sources, as per current availability pre this AMA event.
- Arden_White
Great questions. I'll do my best to answer some of these.
For Q1A&B and Q2)
In general, virtualized environment are like virtual OEMs. If you create a new VM in these environments, there's a good chance they'll come with the new certificates. For long running VMs, they'll need to be updated like existing machines in your environment. I'm not familiar with the ins and outs of these environments. A couple of details that I'm aware of:- Hyper-V support to allow KEK updates is expected to be available in March.
- VMware has some details on their site.
Q3A)
The firmware does not care about certificate expiration and will continue to use the certificates after they expire. The need to update certificates is 1) good PKI practice, 2) necessary to continue signing binaries/programs. The new certificates will allow signing of the Windows Boot manager, future Secure Boot updates, third-party boot loaders and Option ROMs. Without the new certificates, components signed with these certificates will not be trusted by the firmware.
6) There are many nuances to this question. I'll try to give some details
- If the device came with UEFI Secure Boot support and had the Microsoft certificates from 2011. That's a good start.
- If the firmware code for processing the certificate updates operates correctly, then that should allow the three certificates for the DB to be updated without issue.
- The KEK is more complicated. To allow Microsoft's KEK to be applied to a device, it should be signed by the device's Platform Key (PK). Microsoft has been working with OEMs to sign the KEK with their PK and send it back to Microsoft to be included in the cumulative updates. For the manufacturer of devices that have done this, the KEK update should work as well - again assuming no issues with the firmware performing the updates. If there is no PK signed KEK for a device, Windows will emit an 1803 event.
Q7) The Windows RE is using the same certificates and boot loader as the main OS and should not need updating. Bootable images such as PxE, USB drives, etc. will continue to work assuming the device has both the 2011 and 2023 certificate. If you add the 2011 certificate to the DBX, then bootable images will need to be updated to use the 2023 signed boot loader.
Q8) I don't know much about Linux distros. I know there are people in our team that are regularly working with the Linux community and care deeply about it. Adding the new certificates should not affect the trust of Linux since the existing trust is not removed. I don't know why the boot violations would occur.
Karl-WE
You have asked a lot of the questions I would have wanted answers to and more!
I have not seen Microsoft publish answers to the questions you ask, let's hope we can learn more at the AMAThis looks, like a lot of work for a lot of people to resolve all the issue arising from getting all our Secure Boot certificates updated.
Yesterday when I first heard about this after reading an email. I thought I would kick thing off by running the script on work laptop. So, my laptop which is only 2 years old does need its certificate updating. Now I spent a good few hours trying to update the certificate, but my laptop is stuck 'InProgress' and from all the research I have done it looks like a repair install is the only way it can be fixed.
So now I have another 53 client devices and 6 servers to check over and resolve. Due to a lack of budget where I work, we still have few client computers running Windows10, thanks a bunch Microsoft for keeping me in Job!- Kevin-Sullivan
Sorry to hear about the issue with your laptop update. We'd appreciate if you can file feedback for that device.
Send feedback to Microsoft with the Feedback Hub app - Microsoft Support
These are the most comprehensive guidances I have found and some questions from above are answered in these. I would still like to have them answered in one place or suggest a single "Q&A" page based on relevant comments of the previous and the upcoming session.
1. Guide 1: Very complete: Secure Boot playbook for certificates expiring in 2026Thanks HeyHey16K for sharing the previous session. Please check the comments of this session.
WARNING: When using the GPO to enable the settings, that GPOs are marked. This means you can only configure them one time and then they will stick. Removing or reverting via GPO does NOT work!
The registry settings that directly edit required HKLM items could be reverted. For Example with a GPO Client Side Extension Registry item (GPO WinXP Look).
2. Guide 2: https://support.microsoft.com/en-gb/topic/secure-boot-certificate-updates-guidance-for-it-professionals-and-organizations-e2b43f9f-b424-42df-bc6a-8476db65ab2f
the first script has an issue, using Write-Verbose instead of Write-Host.
Write-Verbose would only work if you save the script to a file then executing the file in PS with -verbose
Otherwise it will not give any output and just the error is there is any.
Also this guidance does not contain the required settings for the registry / GPO etc, but other information how to collect data.
- Q1A) What happens to VMware UEFI VMs, as well as Hyper-V, Azure Local and Azure generation 2 VMs that are isolated from the Internet?
Is it valid to check for EventID 1808 to confirm that all certificates are updated ?
For devices that don't use autopatch (on networks not connected to Internet) will the CU have the information bundled in it to automatically kick off the high confidence deployment?
From January CU release notes:
Windows quality updates include a subset of high confidence device targeting data that identifies devices eligible to automatically receive new Secure Boot certificates
This seems to indicate applying the CU on its own is enough for this subset of devices, Windows Update/Autopatch connectivity not needed?
- Arden_White
Installing the January cumulative update does include the high confidence targeting data for some client devices, and the number of high confidence devices will increase over the coming months. This allows Windows to identify many devices that are eligible to automatically receive the new Secure Boot certificates without requiring Windows Update or Autopatch connectivity.
However, this applies only to the subset of devices covered by the high confidence data included in the update. It is still important to monitor deployment results in your environment. Event 1801 can help indicate when a device needs attention.
Devices that fall outside the identified high confidence subset require customer‑managed deployment, and this is especially true for servers and IoT systems. These device types are not expected to receive automatic updates and must be updated manually using the guidance in Secure Boot Certificate updates: Guidance for IT professionals and organizations.
Hey guys 👋,
In the last Secure Boot AMA (https://techcommunity.microsoft.com/event/windowsevents/ama-secure-boot/4472784) someone asked about the UEFICA2025Status Reg Key showing an unexpected status of "NotStarted". You responded to say you would investigate and advise what to do in this situation. We have this in our environment. When will we be told what to do please?Saw this only on computers that have a patching problem. See article:
https://support.microsoft.com/en-us/topic/group-policy-objects-gpo-method-of-secure-boot-for-windows-devices-with-it-managed-updates-65f716aa-2109-4c78-8b1f-036198dd5ce7
October or November 2025 patch level is requiredFrom my understanding, the AvailableUpdates (0x5944) reg key needs to be applied and then a manual fire-off of the scheduled task needs to happen afterward. Once I did this, in this order, the status of UEFICA2023Status went from “NotStarted” to “InProgress”. It took me about 2-3 reboots for changes to take effect.
Questions I hope to have answered are below:
- Are all 3 certificates (2 DB and 1 KEK) required to rotate in? How many certificates do we need to check for to meet compliance? Some are checking for just one, some are checking for 3… which is it?
- If one certificate is missing in either the DB or KEK databases, is a firmware upgrade of the BIOS required?
- According to the documentation, there is an option for “Controlled Feature Rollout” using Microsoft Update Managed certificates (MicrosoftManagedUpdateOptIn). Not too concerned about the level of telemetry that is pulled; however, just curious if this is something that customers can turn on to quickly retrieve these certs. Or if it’s necessary for future cert rotations.
- And! What happens if a computer doesn’t have Secure Boot enabled? Or if Secure Boot is enabled, what happens to that device if not compliant by June of 2026?
Prabhakar_MSFTSetting 0x5944 does not require manual intervention to trigger the update. The Secure Boot Update schedule task is configured to execute 5 mins after the boot and then once every 12 hours. Task will automatically apply the certificates if task detects the setting in the next execution. The task can also be triggered manually to allow immediate application of the certificates.
Below are answers to your questions:
1) There is total 4 Certificates (3 in DB and 1 in KEK). Devices in Secured Core configuration that does not trust Microsoft UEFI CA 2011, only require 2 certificates (Microsoft Corporation KEK 2K CA 2023 and Windows UEFI CA 2023). Setting 0x5944 will ensure applicable certificates are deployed based on device configuration.
2) Some devices may have issues applying the certificates. It is recommended to apply latest available firmware updates from device manufacturer and then retry the certificate updates.
3) MicrosoftManagedUpdateOptIn enables Microsoft to leverage CFR (Controlled Feature Rollout) mechanism to safely rollout the certificate updates in the environment. This requires enterprises turning on Required diagnostic data. For more details on how to enroll to this setting, refer to https://aka.ms/getsecureboot
4) Secure Boot not enabled devices are not in scope for certificate updates. Devices will continue to receive the applicable security updates. We recommend enabling Secure Boot if device is capable to ensure devices get all Boot Security Integrity features.
Hi, any news/eta of the reporting capabilities in Intune to see which devices have the new cert?
thksI now see the new Secureboot report in Intune.
thksI would like to know this too.
