Event details
Dear MS team,
Could you please give us the schedule for the next steps ... after 0x5944.
Thx
- ZaheerAI (Copper Contributor), May 18, 2026
Next step would be a restart; sometimes it can take 2 reboots.
- ERottier8472 (Brass Contributor), May 18, 2026
See:
https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d
- iokdeda (Occasional Reader), May 18, 2026
I wasn't aware of this KB, and it seriously concerns me. It says that sooner or later (during 2026) the "Windows Production PCA 2011" certificate will be added to the dbx, which, if I'm not mistaken, is the one used to sign the current bootloaders for various versions of Windows.
Up until now, I was comfortable and thought I could delay any action, especially in VMware environments where we have the null PK problem. Instead, both the KEK and DB, as well as the bootloader, need to be updated soon. Or am I wrong?
- ERottier8472 (Brass Contributor), May 18, 2026
Since the new certificate is from 2023 and it's now 2026, I would've thought this would be done already indeed. I wouldn't know why it should be delayed at all. It feels insecure by design rn.