Event details
Join us in May for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they start expiring in June of 2026. If you've already bookmarked Secure Boot playbook, but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
How do I participate?
Registration is not required. Simply select Add to calendar then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast
Get started with these helpful resources
116 Comments
- Bhanu2027Copper Contributor
Windows Server 2019 VM: DB entries (Windows & Microsoft UEFI CA 2023) updated successfully, but KEK still shows Microsoft KEK CA 2011. In VM (ESXi), should KEK be updated at hypervisor/firmware level or from inside Windows OS?
Could you please clarify ?- IvanCardim
Microsoft
To ensure newly created VMs have the new certificates it needs to be updated at the hypervisor level.
For existing VMs you need to update from inside the Windows OS.
- Dan HTin Contributor
I noticed that on some devices, if I am receiving FALSE when running "[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023', that if I download the UEFIv2 powershell module and run Get-UEFISecureBootCerts that then I can see the 2023 certs. I assume that the firmware on most of those devices should switch the certificate, and 90% chance that those devices need no action even though the default query does not show those certificates?
- BryanOCopper Contributor
What is the 'source of truth' logic to confirm update is final? UEFICA2023Status = Updated AND WindowsUEFICA2023Capable = 2, Or can one be that value or another not? Or is there whole other value somewhere we should be checking?
Will machines fail to boot entirely or enter weakened security posture if updates are not applied? What will end users experience if the whole process isn't completed in time for the expiration? Errors/warnings?
What is the procedure for Hyper-V VMs? Do they have different indicators than physical machines or is the process similar?
- mihiIron Contributor
- Only check for UEFICA2023Status. Don't look at the old WindowsUEFICA2023Capable key.
- Machines will continue to boot, you won't receive any more bootloader revocations after June. In case the machine is not managed (or GPO allows), Security Center will show a red warning that can be dismissed forever.
- Hyper-V VMs (Gen2) just behave like physical machines. Updating certificates is independent from updating the certificates on the host.
- Dan HTin Contributor
Microsoft Secureboot FAQs mention that secureboot devices that do not get updated, should continue to start and run normally after June 25th, 2026, but do you guys have any ideas if the UEFI in some servers will start prompting for certificate expiration, etc. after reboots? I am not sure if that UEFI behavior is known, but it would cause us issues.
- mihiIron Contributor
There is no such thing to be expected. Some vendor software running within Windows may of course warn about it (like they do for not applied cumulative updates), but the UEFI itself is not expected to alter the boot process in any way (this includes requiring more or fewer F1 keystrokes) after the certificates expired.
But as said in the AMA, if you have any fears, test it. Take a test machine that you can reboot and mess with, adjust the hardware clock, and see whether it still boots as before. I would bet it does.
- KevHal2120Copper Contributor
AVD Session Hosts in Azure, have done all the relevant registry settings and UEFICA2023Status is in progress. WindowsUEFICA2023Capable is 2.
UEFICA2023Error = 0x80070005 (Access Denied)
Does not complete fully, AvailableUpdates is 4004, states KEKLastUpdateErrorReason:Firmware_Unknown. It is doing this for quite a few clients. Is there further steps to follow? ConfidenceLevel is still Under Observation. We have set ManagedOptIn to 1. Been set for the last couple of months.
- UserA1Occasional Reader
Will Microsoft Surface Go 2 devices be getting firmware and 2023 certificates updates?
- ZaheerAITin Contributor
I think Microsoft should have held some joint sessions with HP, Dell and Lenovo for example so enterprises could ask questions from the hardware manufacturer side also.
- ZaheerAITin Contributor
We have Microsoft cloud pcs and over 100 of those are still showing as in progress and they have been rebooted several times and have the April CU patch already installed.
What troubleshooting steps do we need to take to look at these in the event log ?
We are also seeing cloud pcs as unknown as if no information is being sent Microsoft - LukeWeightmanCopper Contributor
Hi,
We have updated most of our laptop devices using the remediation scripts and the following status is now being returned:
Secure Boot Windows UEFI CA 2023 exist in DB
SecureBootEnabled=Enabled
SecureBootPK=Dell Inc. Platform Key
SecureBootKEK=Dell Inc. Key Exchange Key; Microsoft Corporation KEK CA 2011; Microsoft Corporation KEK 2K CA 2023
SecureBootDB=Dell Bios DB Key; Dell Bios FW Aux Authority 2018; Microsoft Windows Production PCA 2011; Windows UEFI CA 2023
SecureBootDBHas2023=True
FirmwareType=UEFI
TPMPresent=True
TPMEnabled=True
HWMake=Dell Inc.
HWModel=Latitude 5450
OSJulySecureBootPatch=True
Reg:UEFICA2023Status=Updated
Reg:WindowsUEFICA2023Capable=0x2
Reg:UEFICA2023Error=
Reg:UEFICA2023ErrorEvent=
Reg:AvailableUpdates=0x4000
Can you confirm whether this is the correct expected outcome for the certificate updates?
The issue we still have relates to our AVD machines.
We have Azure Virtual Desktop session hosts showing as non-compliant for the Secure Boot 2023 certificate update. The machines are Gen 2 VMs with Secure Boot disabled, no TPM, running on Hyper-V UEFI.
They currently show:
UEFICA2023Status=InProgress
WindowsUEFICA2023Capable=0x0
Error code: 2147946825 (0x704)
Our question is:
For AVD hosts where Secure Boot is disabled and there is no TPM (i.e. not using Trusted Launch), do we actually need to take any action before June 2026, or are these machines effectively out of scope for this update?
If action is required, what steps would be needed?
Kind regards,
Luke
- SimoneTacTin Contributor
As indicated by our OEM, we're updating firmware on all devices that have an older version not including 2023 certs, before to assign the Intune Secure Boot CSP.
But the firmware update process is complex, long and it can't be done by June 2026.
from different sources, it's suggested to DO NOT proceed adding to CSP configuration devices with older firmware, without 2023 Certs. Is this true?
Also, the majority of devices, even with updated firmware, are still in the "Under observation" confidence level bucket. We haven't seen it changing with latest CUs. Since this is May CU, we can expect that confidence levels will continue to be updated during the rest of the year, even after June ?
In general, what are the guideline before June ? Use the Intune CSP only on devices with updated firmware - or add as much devices as possible and trust the Confidence Level check?