Event details
The 0x4000 "Conditional CA 2023 application" guard bit
The AvailableUpdates registry value includes the bit 0x4000, which we understand acts as a guard bit: a given CA 2023 certificate is only injected into the Active db store if its 2011 equivalent is already present in the Default store.
Two questions on this:
- Is the behavior of this guard bit documented publicly anywhere? We have only been able to infer it from field observation, not from official documentation.
- Is this conditional mode permanent, or is it scheduled to transition to an unconditional mode at a specific date (for example, around or after the June 2026 PCA 2011 expiration)? If so, what is the timeline, and what should administrators expect in terms of behavior change on machines that have not completed the migration by then?
It is documented at
https://support.microsoft.com/en-us/topic/secure-boot-troubleshooting-guide-5d1bf6b4-7972-455a-a421-0184f1e1ed7d#bkmk_availableupdates_bits_used_for_certificate_servicing
Conditional mode is permanent. The third-party certificates are not needed for running Windows, so if the old ones were not there, the new ones would only increase security posture for no good reason.
If, for some reason, you want to get the others too, you can manually run the job without the flag.
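An added example (not part of the thread) for checking the two sides of the guard condition on a given machine: whether the 0x4000 bit is set in AvailableUpdates, and which CA generations are actually present in the Secure Boot signature database. Assumptions: the registry key path is a placeholder to fill in from the linked troubleshooting guide; the database is read with the built-in Get-SecureBootUEFI cmdlet (pass the variable name for the Default store if your firmware exposes it); the 2011 and 2023 generations are told apart by the year in the certificate subject.

```powershell
# Added example, not from the thread. Placeholder: take the real key path from
# the troubleshooting guide linked above.
$ServicingKey = 'HKLM:\<path-from-troubleshooting-guide>'
$GuardBit = 0x4000   # "Conditional CA 2023 application" bit discussed above

function Get-SecureBootCertSubjects {
    # Walk the EFI_SIGNATURE_LIST blob of a Secure Boot variable and return the
    # subject of every X.509 entry. Assumption: the cmdlet accepts $Variable.
    param([string]$Variable = 'db')
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # List header: SignatureType (16) | ListSize (4) | HeaderSize (4) | SigSize (4)
        $type     = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -eq 0) { break }
        if ($type -eq $x509Guid) {
            $pos = $offset + 28 + $hdrSize
            while ($pos + $sigSize -le $offset + $listSize) {
                # Each entry: 16-byte SignatureOwner GUID followed by a DER certificate
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $cert.Subject
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

$available   = (Get-ItemProperty -Path $ServicingKey -Name AvailableUpdates).AvailableUpdates
$conditional = ($available -band $GuardBit) -ne 0
$subjects    = Get-SecureBootCertSubjects -Variable 'db'
# Heuristic (assumption): the CA generation is identifiable by the year in the subject
$has2011 = [bool]($subjects | Where-Object { $_ -match '2011' })
$has2023 = [bool]($subjects | Where-Object { $_ -match '2023' })

'AvailableUpdates = 0x{0:X}; 0x4000 guard bit set: {1}' -f $available, $conditional
"2011 CA present: $has2011; 2023 CA present: $has2023"
if ($conditional -and -not $has2011 -and -not $has2023) {
    'Guard bit set and no 2011 CA found: the 2023 CA will not be injected by the servicing job.'
}
```

Run from an elevated PowerShell session; Get-SecureBootUEFI requires administrator rights and a UEFI system with Secure Boot support.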