Event details

It's time for our third Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot playb...
Pearl-Angeles
Updated Apr 21, 2026
AMA
nilisvw312's avatar
nilisvw312
Copper Contributor
Mar 13, 2026

How does Microsoft see what is needed for PXE boot with WINPE/MDT/SCCM etc?
After the 2011 certs expire is it correct to assume that the installation of Windows 11 via pxe boot etc is still working? As long as the bios fw has the 2011 (and 2023) certs available?

So nothing needs to be changed towards boot images signed binaries unless the device only has 2023 certs in fw?


Also that means that after fresh install of W11 you always need to update the 2023 certs in Windows boot manager to get the security updates?

Is this the case till we get a W11 version which is signed with the 2023 certs and requires boot images to have the 2023 signed binaries? So in this case you need to update the pxe/winpe/boot images?

InterstellarOverdrive's avatar
InterstellarOverdrive
Copper Contributor
Mar 13, 2026

I asked them the same question. As far as I understand, the old boot images will continue working during PXE Boot, as long as the old certificates (the ones from 2011) are present in the UEFI store. If the old certificates are revoked, we need to create new boot images, possibly using new Windows ADK.