Event details
It's time for our third Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization: we're here to help!
How do I participate?
Registration is not required. Simply select Add to calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or at any time during the live broadcast.
Get started with these helpful resources
281 Comments
- txtechsquad (Copper Contributor)
So our devices have SecureBoot enabled, but we did not receive CA 2023. When will we receive it?
- Pearl-Angeles (Community Manager)
Thank you for your participation in today's Ask Microsoft Anything! Below is a recap of the questions the panelists answered live, along with associated timestamps:
Question – What happens if you set the registry settings on a device that is still using Legacy BIOS? Is the update process smart enough to ignore those devices? – answered at 0:46.
Question – Our company does not allow us to use Intune. Are there any helpful tools or scripts to inventory? – answered at 1:59. For more info, go to aka.ms/GetSecureBoot
Question – During the February AMA, you emphasized that enterprises should leverage Intune and build their own dashboard to monitor Secure Boot states. The guide requires Enterprise licenses. As an MSP that manages thousands of devices on the Business Premium plan for multiple customers with Intune and Lighthouse, it doesn't make sense. Is there a plan to monitor those states via a compliance policy instead? And also, regarding the Secure Boot compliance policy, what will happen to devices that still have an old certificate; will they continue to show as compliant with the 2011 certificate? – answered at 3:24.
Question – Could you confirm that the Secure-Boot-Update scheduled task expects Microsoft's Owner GUID on Microsoft's signatures in Secure Boot? We customize the Secure Boot content, and it seems that a different GUID causes the task to break the behavior of GetFirmwareEnvironmentVariableA() (used by BitLocker, among other things). Could you also confirm that updating the firmware SVN (4th step of the revocations) consists only in adding SVNs to the DBX? And that for testing purposes, resetting the DBX is enough to cancel the rollback prevention? – answered at 6:03.
Question – "The KEK update (needs to be signed by the OEM because they own the PK) is required before June 2026." It's very possible I'm lost in the sauce, but I remember Scott in the December AMA saying that the various (existing) key/cert updates continued to work past 2026. This ties into the timestamping question you also responded to, which I need to re-read. – answered at 9:20.
Question – If I ignore this and do nothing, will devices with (or without) secure boot enabled continue to boot? – answered at 10:38.
Question – What is the timeline of assisted Controlled Feature Update? Are you planning to roll out the Secure Boot Cert. Update to 100% of devices before June 2026? Or should we already prepare the alternative ways to update the devices (registry, GPO or Intune policy)? – answered at 12:05.
Question – Seeing some devices running on Hyper-V with the March 2026 updates applied: some Server 2019 servers show updated but Capable = 0, other Server 2019 servers on the same build and same patch level show updated and Capable = 2. Is this expected behavior, that this status is different between these two VMs? – answered at 14:29.
Question – What would be the impact of blanket-applying this policy setting: Enable Secureboot Certificate Updates? – answered at 16:02.
Question – Are these updates BitLocker-aware? Do we need to suspend BitLocker for 2-3 reboots during this process? – answered at 17:12.
Question – We've successfully updated some of our devices with the 2023 cert, and tested how PXE boot in SCCM would work. PXE boot worked fine when both 2011 and 2023 certs were enabled, which makes sense, and after revoking the 2011 cert, did not work, since the boot.wim doesn't contain the 2023 cert. A couple of questions:
- Will the boot.wim naturally get the 2023 cert if we keep SCCM/Windows SDK up to date?
- Once we pass June 2026, will devices that didn't successfully get the 2023 cert yet still be able to PXE boot? – answered at 18:25.
Question – How can we get a compliance report if we do not use AutoPatch? – answered at 23:35.
Question – What is the timeframe for the cert to upgrade if we leave the LCU to do the job based on a high confidence level compared to enabling the CFR settings? – answered at 23:51.
Question – How important is it that the system already boots trusting the 2023 cert instead of the 2011 cert? Is it okay for the system to continue booting using the 2011 cert as long as the 2023 KEK and DB certificates install? – answered at 26:48.
Question – I have deployed the Secure Boot remediation through Intune and I see event ID 1801 that says the certificates are available but not applied, and the BucketConfidenceLevel shows "Need more data". Do I need to take any action on that? – answered at 29:37.
Question – Looks like there have been reports online of users receiving driver updates that require BitLocker keys to be entered after reboot. Is this expected behavior? If the certs were already installed via policy, will devices still get prompted after driver updates? Is there a way to know which driver updates in Intune actually contain the drivers that can potentially cause BitLocker keys to be required? Naming conventions in Intune for drivers are a bit difficult to decipher. – answered at 33:02.
Question – I noticed that some of my clients (around 5% so far) updated only two of three Secure Boot Certificates. Intune Remediation script shows the following output: Microsoft UEFI CA 2023 = False, Microsoft Corporation UEFI CA 2011 = True. Two other certificates are showing "2023" data string. Is it expected that not all the certificates are updated at the same time? – answered at 35:24.
Question – Will Microsoft release an OS upgrade that requires the EFI partition to be signed with the 2023 certificate? If so, is this expected in Windows 11 26H2, and has Microsoft announced anything about this? We want to avoid upgrading devices if it will re-sign the EFI partition before the new certificates are installed. – answered at 38:23.
Question – Can Secure Boot certificates be updated when Secure Boot is disabled? Microsoft's AvailableUpdates process errors out unless Secure Boot is enabled. If a device won't boot Windows with Secure Boot on, how can we bring it into compliance? – answered at 42:14. Follow aka.ms/GetSecureBoot for the latest updates and new tools/guides.
Question – Does Server 2025 automagically comply? Both fresh install and Server 2022 update? – answered at 47:15. For more info, go to aka.ms/SecureBootForServer
Question – Will devices that have 2023 cert already require a boot.wim that has 2023 cert once June 2026 has passed? – answered at 49:00.
Question – How long will the 2023 certs last? Will this process need to be repeated when that happens? – answered at 50:47.
Question – I manually updated the registry on a device, set it to 22852, forced the Scheduled Task to start, waited 30 seconds and forced a reboot, and the server (a Server 2019 VM in Hyper-V with the latest March patches) restarted several more times on its own before it settled down and showed updated. Not sure if several reboots are going to be required every time, or if me forcing things by running the scheduled task had this effect. – answered at 52:59.
Question – In the March 2026 release notes it says this: "With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout." Could you tell us more about this? My guess is that you need telemetry on to have this nice feature/support? – answered at 55:27.
Question – How will Windows Update behavior change post-expiration on devices that haven't trusted the 2023 keys? Will they continue to install LCUs normally *except* for boot-critical components? Or fail to take LCUs altogether? Will this be messaged to users/admins somehow (Defender perhaps)? Will this prevent milestone updates (i.e. prevent 25H2 -> 26H2)? – answered at 57:36.
- Paul_Woodward (Iron Contributor)
"Autopatch is coming soon" - how is stuff coming soon?? It's mid March! I would expect this to be ready for customers 6 months ago!
- JustinSE (Copper Contributor)
Right. This whole thing seems like a mess.
- Paul_Woodward (Iron Contributor)
If we don't get all the devices up to date before June, will it be possible to get them up to date later, or will they be stuck on old boot certs?
- Arden_White (Microsoft)
Yes, the devices will continue to boot and run. Not updating the certificates will begin to put your devices at risk.
More details here:
- TxRedinTN (Occasional Reader)
Arden_White, how are Windows 10 LTSC, Win10 IoT LTSC, and Windows 11 IoT LTSC affected by the certificates? Will the new 2023 certificates be installed on these devices? Win10 LTSC and Win10 IoT LTSC should still be getting Windows updates without the extended licensing. Thank you.
- CTKMN (Copper Contributor)
I respect that you are picking and choosing which questions to answer, but before you shut down, could you answer some of the vSphere-related questions? Inquiring minds want to know :-)
- Cliff_Hughes (Copper Contributor)
On the Hyper-V question, both the host and the guests were updated with the March CUs, so that resolved the errors with it being read-only, but I did not expect it to reboot the computer 4 times in 30 minutes to get the job done; in other client testing only one or two reboots were needed, and it was not happening automatically every 3 or 4 minutes in a row on the device. Also still not seeing an answer for the Capable = 2 versus Capable = 0, even though they show updated status otherwise.
- Paul_Woodward (Iron Contributor)
Been very disappointed by the new Secure Boot reports in Intune. Months late to the party, and you cannot filter or search on the "Certificate Status" field. And many devices show as 'unknown'.
- Jason_Sandys (Microsoft)
Hi Paul_Woodward, The easiest way to handle this is to export the report to CSV and use your favorite CSV manipulation tool to achieve this, e.g., PowerShell or Excel.
Alternatively, you can use a Remediation in Intune to supplement the built-in report: Monitoring Secure Boot certificate status with Microsoft Intune remediations - Microsoft Support
- Sunila Chugh (Copper Contributor)
Can you please clarify what 'Not applicable' means for the certificate status in the Intune report (Reports > Windows quality updates > Reports > Secure Boot Status > Certificate status), and whether any action is needed for these?
- Jason_Sandys (Microsoft)
Hi Sunila Chugh, This is generally due to one of two things:
- The device hasn't reported in yet.
- The device isn't configured to share diagnostic data.
The documentation at https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/monitor/secure-boot-status-report#data-freshness-reporting-latency-and-diagnostic-data-requirements has more details on this.
- Bryant_Kintner (Copper Contributor)
Using PowerShell, this is how we're detecting if the devices have updated their Secure Boot certificates. Is this valid code? Is there better code we should be using?
# Detect if the 2023 KEK certificate is installed (searches the raw variable bytes for the CN string)
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes) -match 'Microsoft Corporation KEK 2K CA 2023'
# Detect if the 2023 DB (Windows) certificate is installed
$db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
$db -match 'Windows UEFI CA 2023'
# Detect if the 2023 DB (third-party and option ROM) certificates are installed
$db -match 'Microsoft UEFI CA 2023'
$db -match 'Microsoft Option ROM UEFI CA 2023'
# Detect if boot files are signed by the 2023 certificate: mount the first EFI system partition (GPT type GUID for the ESP)
$efiPartition = Get-Partition | Where-Object { $_.GptType -eq '{C12A7328-F81F-11D2-BA4B-00A0C93EC93B}' } | Select-Object -First 1
Add-PartitionAccessPath -DiskNumber $efiPartition.DiskNumber -PartitionNumber $efiPartition.PartitionNumber -AccessPath 'S:'
try {
    # Importing a signed PE file into a collection extracts the Authenticode signing chain
    $efiBootmgfw = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $efiBootmgfw.Import('S:\EFI\Microsoft\Boot\bootmgfw.efi', $null, 'DefaultKeySet')
    $null -ne ($efiBootmgfw | Where-Object { $_.Subject -eq 'CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US' })
}
finally {
    # Always unmount, even if the import throws
    Remove-PartitionAccessPath -DiskNumber $efiPartition.DiskNumber -PartitionNumber $efiPartition.PartitionNumber -AccessPath 'S:'
}
- Jason_Sandys (Microsoft)
Hi Bryant_Kintner, Our sample script for this task is published at Sample Secure Boot Inventory Data Collection script - Microsoft Support. We recommend using this as an example to use or start from, being careful to test and validate in your environment (and with the caveats listed in the script's NOTES section). Be sure to sign the script with your own signing cert as well.
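An added example for the inventory question above; this is neither the script posted in the question nor Microsoft's sample inventory script. Instead of regex-matching the raw variable bytes as ASCII, it walks the EFI_SIGNATURE_LIST structures in KEK and db, decodes each X.509 entry, and reports the subject, the expiry date and whether the SignatureOwner is Microsoft's GUID (the point raised in the Secure-Boot-Update task question in the recap). It then reads the servicing state the thread refers to: AvailableUpdates (22852 = 0x5944 in the recap), UEFICA2023Status, and the most recent event 1801/1808. The registry value names, the Microsoft-Windows-TPM-WMI provider name and the 77fa9abd-... owner GUID are taken from Microsoft's published KB5025885 guidance rather than from this page, so treat them as assumptions to verify against current documentation. Run it elevated on a UEFI system; Get-SecureBootUEFI throws on legacy BIOS.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread (not the script posted above and not Microsoft's sample
# inventory script). Parses the EFI_SIGNATURE_LIST structures in KEK and db instead of
# regex-matching raw bytes, then reads the Secure Boot servicing state.

$EfiCertX509Guid    = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # EFI_CERT_X509_GUID (UEFI spec)
$MicrosoftOwnerGuid = [guid]'77fa9abd-0359-4d32-bd60-28f4e78f784b'  # SignatureOwner in Microsoft's lists (assumption: verify)

function Get-SecureBootCertificate {
    # Emits one object per X.509 entry found in the named Secure Boot variable.
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)

    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize
        $sigType  = [guid]::new([byte[]]($bytes[$offset..($offset + 15)]))
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -lt 16 -or $offset + $listSize -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST in $Name at offset $offset"
        }
        $listEnd = $offset + $listSize
        $pos     = $offset + 28 + $hdrSize
        while ($pos + $sigSize -le $listEnd) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID followed by SignatureData (DER for X.509 lists)
            $owner = [guid]::new([byte[]]($bytes[$pos..($pos + 15)]))
            if ($sigType -eq $EfiCertX509Guid) {
                $der  = [byte[]]($bytes[($pos + 16)..($pos + $sigSize - 1)])
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable         = $Name
                    Subject          = $cert.Subject
                    NotAfter         = $cert.NotAfter
                    Thumbprint       = $cert.Thumbprint
                    OwnerIsMicrosoft = ($owner -eq $MicrosoftOwnerGuid)
                }
            }
            $pos += $sigSize
        }
        $offset = $listEnd
    }
}

function Get-SecureBootCertStatus {
    # The four 2023 CAs discussed in this thread, beside the 2011 CAs they replace.
    $certs  = @(Get-SecureBootCertificate -Name KEK) + @(Get-SecureBootCertificate -Name db)
    $wanted = @(
        @{ Variable = 'KEK'; CN = 'Microsoft Corporation KEK CA 2011' }
        @{ Variable = 'KEK'; CN = 'Microsoft Corporation KEK 2K CA 2023' }
        @{ Variable = 'db';  CN = 'Microsoft Windows Production PCA 2011' }
        @{ Variable = 'db';  CN = 'Windows UEFI CA 2023' }
        @{ Variable = 'db';  CN = 'Microsoft Corporation UEFI CA 2011' }
        @{ Variable = 'db';  CN = 'Microsoft UEFI CA 2023' }
        @{ Variable = 'db';  CN = 'Microsoft Option ROM UEFI CA 2023' }
    )
    foreach ($w in $wanted) {
        # Subjects look like "CN=<name>, O=Microsoft Corporation, C=US"; match on the CN only
        $hit = $certs | Where-Object { $_.Variable -eq $w.Variable -and $_.Subject -like "CN=$($w.CN),*" } |
               Select-Object -First 1
        [pscustomobject]@{
            Variable         = $w.Variable
            Certificate      = $w.CN
            Present          = [bool]$hit
            NotAfter         = $hit.NotAfter          # $null when absent
            OwnerIsMicrosoft = $hit.OwnerIsMicrosoft
        }
    }
}

function Get-SecureBootServicingState {
    # Registry names, provider and event IDs follow Microsoft's KB5025885 guidance (assumption: verify
    # against current docs). Confirm-SecureBootUEFI throws on legacy BIOS, hence the try/catch.
    $sbKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $root    = Get-ItemProperty -Path $sbKey -ErrorAction SilentlyContinue
    $svc     = Get-ItemProperty -Path "$sbKey\Servicing" -ErrorAction SilentlyContinue
    $filter  = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801, 1808 }
    $event   = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    $enabled = try { Confirm-SecureBootUEFI } catch { $false }
    [pscustomobject]@{
        SecureBootEnabled      = $enabled
        AvailableUpdates       = $root.AvailableUpdates   # bitmask consumed by the Secure-Boot-Update task
        UEFICA2023Status       = $svc.UEFICA2023Status    # expected: NotStarted, InProgress, Updated
        UEFICA2023Error        = $svc.UEFICA2023Error
        LastServicingEventId   = $event.Id                # 1801 = available but not applied, 1808 = applied
        LastServicingEventTime = $event.TimeCreated
    }
}

Get-SecureBootCertStatus | Format-Table -AutoSize
Get-SecureBootServicingState | Format-List
```

Parsing the signature lists rather than the ASCII rendering of the DER also gives you NotAfter, so the same inventory flags the 2011 entries approaching their June 2026 expiry, and OwnerIsMicrosoft shows whether a custom-provisioned database kept Microsoft's owner GUID on Microsoft's certificates.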
- Jay Murphy (Occasional Reader)
If my device doesn't have the UEFICA2023 cert and can no longer PXE boot, what would be the process to update that machine if the device is not bootable?
- mihi (Brass Contributor)
Have your PXE server push securebootrecovery.efi as the boot binary for just that device (e.g. by mac address).
Otherwise I am unsure what you mean by "device is not bootable". Anything signed with the old 2011 cert will still boot fine. So put securebootrecovery.efi on a bootable device and boot from it. Done.