I have only delved into this briefly, but from what I have read it seems that for devices using BIOS boot, updates will not be pushed. What about devices using UEFI without Secure Boot? Also, in the case of BIOS boot, could it be that a patch for boot components is released in the future and it would require new certificates/signatures to be able to install, and a system would be marked vulnerable without such a patch? My guess is that it probably would not be vulnerable as Secure Boot is not being used, but often scanning tools do not look into nuances of whether it is actually applicable and just use signature/registry/file version checks and mark everything as vulnerable. Trying to anticipate all possible scenarios.
mihi, May 18, 2026, Brass Contributor
If Secure Boot is disabled as well as in legacy Boot environments:
- Microsoft will install the new boot manager regardless of installed certificates. So you will automatically get the latest updates for the Boot manager regardless of certificate status (if applicable)
- There is no way to prevent vulnerable boot managers from booting. So, you won't get the protections regardless of certificate status (if applicable).
To sum it up, there is no difference in security impact on such machines whether new certificates have been applied (if applicable) or not.
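The question above worries that scanners will flag a machine without checking whether Secure Boot is actually in play. The following PowerShell check is an added example, not code from the thread or from Microsoft; it classifies a Windows host into the cases the reply enumerates (legacy BIOS, UEFI with Secure Boot off, UEFI with Secure Boot on) so a practitioner can tell whether the certificate discussion applies before trusting a scanner verdict. It assumes the `$env:firmware_type` variable that Windows sets to `UEFI` or `Legacy`, the `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets from the built-in SecureBoot module, and that a plain ASCII search for the CA subject name `Windows UEFI CA 2023` in the firmware `db` variable is a good enough presence check (the subject is stored as a printable string inside the DER-encoded certificate). Run it in an elevated PowerShell session.

```powershell
# Added example: classify a host for the Secure Boot certificate discussion.
# Not from the thread; assumptions are noted inline. Requires elevation.
function Get-SecureBootApplicability {
    # Windows sets this to 'UEFI' or 'Legacy' (assumed environment variable).
    $firmware = $env:firmware_type

    # Confirm-SecureBootUEFI throws on legacy BIOS and on UEFI firmware that
    # does not expose the Secure Boot variables, so treat an exception as "off".
    $secureBootOn = $false
    try {
        $secureBootOn = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $secureBootOn = $false
    }

    # Presence check for the 2023 CA in the firmware allow-list (db).
    # $null means "could not read db", which is expected on legacy BIOS.
    $has2023CA = $null
    if ($firmware -eq 'UEFI') {
        try {
            $dbBytes = (Get-SecureBootUEFI -Name db -ErrorAction Stop).Bytes
            $has2023CA = [System.Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023'
        } catch {
            $has2023CA = $null
        }
    }

    # Map the three cases from the reply to a verdict a scanner should respect.
    $verdict = if ($firmware -ne 'UEFI') {
        'Legacy BIOS boot: boot manager updates install regardless of certificates; certificate status has no security impact here.'
    } elseif (-not $secureBootOn) {
        'UEFI with Secure Boot off: same as legacy, certificate state does not change the security impact.'
    } elseif ($has2023CA -eq $true) {
        'UEFI with Secure Boot on and the 2023 CA present in db: certificate updates apply and appear to be provisioned.'
    } else {
        'UEFI with Secure Boot on but the 2023 CA was not found in db: certificate updates apply and are still pending.'
    }

    [pscustomobject]@{
        FirmwareType          = $firmware
        SecureBootEnabled     = $secureBootOn
        WindowsUefiCa2023InDb = $has2023CA
        Verdict               = $verdict
    }
}

Get-SecureBootApplicability | Format-List
```

Only the third and fourth verdicts describe machines where the certificate rollout changes anything; for the first two, a "vulnerable" finding based purely on certificate or file-version state should be treated as not applicable, as the reply explains.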