Event details
Join us in May for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they start expiring in June of 2026. If you've already bookmarked Sec...
Heather_Poulsen
Updated May 18, 2026
BryanO
May 18, 2026 (Copper Contributor)
What is the 'source of truth' logic to confirm the update is final? UEFICA2023Status = Updated AND WindowsUEFICA2023Capable = 2? Or can one be that value and the other not? Or is there a whole other value somewhere we should be checking?
Will machines fail to boot entirely or enter a weakened security posture if updates are not applied? What will end users experience if the whole process isn't completed in time for the expiration? Errors/warnings?
What is the procedure for Hyper-V VMs? Do they have different indicators than physical machines or is the process similar?
mihi
May 18, 2026 (Brass Contributor)
- Only check for UEFICA2023Status. Don't look at the old WindowsUEFICA2023Capable key.
- Machines will continue to boot; you won't receive any more bootloader revocations after June. In case the machine is not managed (or GPO allows), Security Center will show a red warning that can be dismissed forever.
- Hyper-V VMs (Gen2) just behave like physical machines. Updating certificates is independent from updating the certificates on the host.