Event details

It's time for our third Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot playb...
Pearl-Angeles
Updated Apr 21, 2026
AMA
ClientAdmin's avatar
ClientAdmin
Brass Contributor
Mar 12, 2026

Currently there's only a GPO (ADMX) to do the update of the certificates. Are you also working on a GPO (ADMX) for the "revocation" (dbx) of the 2011 certificates?

Jason_Sandys's avatar
Jason_Sandys
Icon for Microsoft rankMicrosoft
Mar 12, 2026

Hi ClientAdmin​,

Not at this time no as we have no plans on adding these certs to DBX since they are needed to validate existing boot critical components signed by these certs. Adding these certs to DBX now would completely break Windows unless we intended to update and re-sign all boot critical components with the new certs but we have no plans on doing this since there is no value in doing this.