Event details
Whether you're actively managing device security or planning your next steps, this AMA is your opportunity to connect directly with Microsoft experts and get clear, actionable guidance on updating Secure Boot certificates and monitoring the status of your update efforts.
Bring your questions on rollout plans, challenges, reporting, and best practices. We’ll cover real-world scenarios, common challenges, and the steps you can take to confidently navigate the process.
If Secure Boot certificate updates are on your project list—or you just want to make sure you’ve updated certificates successfully across your estate—this live, interactive event will help you move forward with clarity and confidence.
82 Comments
- KevHal (Iron Contributor)
Azure Virtual Desktop session hosts do not get the KEK update; it just errors with Firmware_Unknown. It states it cannot update Azure VMs. Is this true? What's the alternative?
- terrylee26 (Occasional Reader)
Thank you for the session. Most of my questions have been answered.
We have Intune-managed endpoints, Azure Virtual Desktops and Azure Virtual Machines to manage with a combination of Intune and GPO. A mixture of these machines have Secure Boot turned off. Will those machines become inherently vulnerable, and not be updated, if they were to have Secure Boot turned on at a later stage?
- ChaseVandalia (Copper Contributor)
What determines if a device falls into the High Confidence bucket? We have lots of older-model devices that are High Confidence, but most of our newer models are not.
- Geoffrey Koontz (Copper Contributor)
When should I tick this box on my SCCM boot image?
- tom76dc1 (Copper Contributor)
We have a small number of remote devices with no local IT support where Secure Boot is currently disabled. Will the KEK and DB updates still be applied to the BIOS on these devices while Secure Boot is inactive, or does the update process strictly require Secure Boot to be enabled to write the new certificates?
- ChaseVandalia (Copper Contributor)
What determines if a device falls into the High Confidence bucket?
- Just-a-Wally (Copper Contributor)
The Playbook makes this reference:
https://support.microsoft.com/en-us/topic/sample-secure-boot-inventory-data-collection-script-d02971d2-d4b5-42c9-b58a-8527f0ffa30b
IMPORTANT This article containing the sample script has been retired. Starting with the Windows updates released on and after May 12, 2026, the sample script is located in the %systemroot%\SecureBoot\ExampleRolloutScripts folder on your device.
Our machines are fully patched and updated, but this folder does not yet exist.
- kamlie (Copper Contributor)
On OEM devices that are not getting firmware updates, how do we update the cert manually, and what is a suggested way to roll it out in an enterprise environment if they are not in the High Confidence bucket after the June update? Setting the registry key to x5944 moves them to In Progress, but the device is in the Temporarily Paused bucket.
- lalanc01 (Iron Contributor)
Since it's June and most devices' confidence level is still not High Confidence, should we do the cert update ourselves via the registry key so that we're done on time?
- yyagi (Tin Contributor)
So one of our servers is "up to date" with the Secure Boot certificate, but we did nothing to update it. How do we know which servers Microsoft is updating? Other VMs on the same host are not able to update, apparently because of some firmware update, which is weird because the one that is up to date is on the same VM host.
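Several of the questions above (whether a device has the new certificates yet, what the opt-in registry value is, and what happens when Secure Boot is off) come down to an inventory check on each device. The script below is an added, read-only example written for this page; it is not the AMA's, Microsoft's, or the retired sample script's code. It assumes the built-in SecureBoot PowerShell cmdlets, the certificate subject strings and the AvailableUpdates registry location as published in Microsoft's Secure Boot certificate guidance; run it elevated.

```powershell
# Added example: read-only Secure Boot certificate inventory for one device.
# Assumptions: Confirm-SecureBootUEFI / Get-SecureBootUEFI from the SecureBoot module,
# the 2023 CA subject strings, and the AvailableUpdates value under the SecureBoot key.
function Get-SecureBootCertStatus {
    $result = [ordered]@{
        SecureBootEnabled = $null   # $true/$false, or $null if the firmware cannot be queried
        Db2023            = $null   # 'Windows UEFI CA 2023' present in db
        Kek2023           = $null   # 'Microsoft Corporation KEK 2K CA 2023' present in KEK
        AvailableUpdates  = $null   # opt-in/progress value (the comments refer to 0x5944)
    }

    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        # Legacy BIOS or unsupported firmware: nothing else below can be read.
        return [pscustomobject]$result
    }

    # db and KEK are signature lists; the DER certificates inside carry their subject
    # names as plain ASCII, so a substring match is enough for inventory purposes.
    # The variables are readable even when Secure Boot is disabled in firmware.
    try {
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name kek).Bytes)
        $result.Db2023  = $db  -match 'Windows UEFI CA 2023'                 # assumed subject
        $result.Kek2023 = $kek -match 'Microsoft Corporation KEK 2K CA 2023' # assumed subject
    } catch {
        # Variable missing or unreadable: leave both as $null so the report shows "unknown".
    }

    # Opt-in / progress DWORD; absent means the device has never been told to update.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'   # assumed location
    $item = Get-ItemProperty -Path $regPath -Name AvailableUpdates -ErrorAction SilentlyContinue
    if ($item) { $result.AvailableUpdates = '0x{0:X}' -f [int]$item.AvailableUpdates }

    [pscustomobject]$result
}

Get-SecureBootCertStatus | Format-List
```

A device with Db2023 and Kek2023 both $true has received the certificates regardless of what the portal's confidence bucket says; a $null SecureBootEnabled means the firmware could not be queried at all and the device needs a hands-on look.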