Event details
Join us in May for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they start expiring in June of 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
How do I participate?
Registration is not required. Simply select Add to calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or at any time during the live broadcast.
Get started with these helpful resources
114 Comments
- Swartz99 (Occasional Reader)
When will Microsoft release a Windows 11 ISO with the updated certs in them by default? Is this something we should be concerned about? Is this something orgs should open up the ISO and add in the certs manually?
Also, when should we start to see the boot manager using the new certs?
- Claude_Boucher_OEM (Brass Contributor)
Post-expiration behavior for 3rd Party / Option ROM CAs
When the Microsoft Windows Production PCA 2011 expires in June 2026, the migration path to "Windows UEFI CA 2023" is well documented for the boot manager. However, the situation is much less clear for the "Microsoft Corporation UEFI CA 2011" (3rd Party UEFI CA) and its Option ROM counterpart.
On many Secured-Core systems, the "Allow Microsoft 3rd Party UEFI CA" BIOS setting is disabled by default, so the 2011 3rd Party CA is absent from the Default db store and Windows Update never injects its 2023 equivalent ("Microsoft UEFI CA 2023").
What is the supported remediation for customers who reach June 2026 with the 3rd Party CA never migrated — for example fleets running Linux dual-boot, third-party Option ROM hardware (RAID, GPU, NICs), or pre-OS tools signed by the 3rd Party CA? Is there an official guidance document specific to the 3rd Party / Option ROM CA migration, equivalent to what exists for the Windows boot manager?
- awanimran (Copper Contributor)
Can you explain what Not Applicable and Unknown mean? I see these on the secure boot status report...
- TS100 (Occasional Reader)
What do I need to do for physical servers, VMware VMs, AWS EC2s? Is it all the same set of hoops to jump through, or are there specific things needed dependent on environment?
- SuperIT (Copper Contributor)
What can you do, if the clients are in the "InProgress" State in the SecBootCert Info?
- Expendabubble (Copper Contributor)
MS usually pushes firmware updates via Windows Update. Why not in this scenario?
- mihi (Brass Contributor)
They do, they do (if the vendor asks them to).
- jad (Copper Contributor)
How to achieve "UEFICA2023Status=Updated" for OS (re)deployment/re-image scenarios? I've tested on a device with latest firmware, all 2023 certs are reflected in active/default secure boot DBs but boot manager is still PCA2011 signed and registry reflects 0x0/NotStarted. Same with OS media updated per 5053484 (Updating Windows bootable media to use the PCA2023 signed boot manager).
- DBrook (Copper Contributor)
Can I ask when in June I need to update by? There doesn't seem to be a specified date. Thanks.
- LukeWeightman (Copper Contributor)
So if the DB shows the following (Dell machines in our environment):
SecureBootDB=Dell Bios DB Key; Dell Bios FW Aux Authority 2018; Microsoft Windows Production PCA 2011; Windows UEFI CA 2023
SecureBootKEK=Dell Inc. Key Exchange Key; Microsoft Corporation KEK CA 2011; Microsoft Corporation KEK 2K CA 2023
Does that mean it's successful and we don't need to do anything more?
Just a couple of questions:
On the question of AVD machines, we have hosts showing as non-compliant for the Secure Boot 2023 certificate update. The machines are Gen 2 VMs with Secure Boot disabled, no TPM, running on Hyper-V UEFI.
For AVD hosts where Secure Boot is disabled and there is no TPM (i.e. not using Trusted Launch), do we actually need to take any action before June 2026, or are these machines effectively out of scope for this update?
Thanks!
- EirikJohnsen (Copper Contributor)
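Several questions in this thread (the Dell DB/KEK listing above, and the earlier one about a device whose DB already holds the 2023 CAs while UEFICA2023Status still reads NotStarted) come down to the same inventory check: which CAs are enrolled in db and KEK, what the servicing status value says, and which CA actually signed the boot manager on the EFI System Partition. The PowerShell below is an added example written for this page, not code from Microsoft or from the AMA. It assumes the built-in SecureBoot module (`Confirm-SecureBootUEFI`, `Get-SecureBootUEFI`), an elevated session, a free `S:` drive letter for mounting the ESP, and that the status value lives under `HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing` (an assumed key path; confirm it against the Secure Boot playbook for your build). The CA names are the ones quoted in the thread.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the AMA page or Microsoft): report one device's Secure Boot
# certificate state so it can be compared with what the playbook expects for June 2026.

function Get-SecureBootCAPresence {
    param([string]$VariableName, [string[]]$ExpectedSubjects)
    # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST bytes. The certificate
    # subject CNs are embedded as ASCII inside the DER certificates, so a substring
    # search tells us which CAs are enrolled without parsing the list structure.
    $raw  = (Get-SecureBootUEFI -Name $VariableName).Bytes
    $text = [System.Text.Encoding]::ASCII.GetString($raw)
    $result = @{}
    foreach ($subject in $ExpectedSubjects) {
        $result[$subject] = $text.Contains($subject)
    }
    return $result
}

function Get-BootManagerIssuer {
    # Mount the EFI System Partition on S: (assumed free), read the issuer of the
    # boot manager's Authenticode signer, then unmount. The issuer CN is the CA
    # that matters here: "Microsoft Windows Production PCA 2011" vs "Windows UEFI CA 2023".
    $esp = 'S:'
    mountvol $esp /S | Out-Null
    try {
        $bootmgr = Join-Path $esp 'EFI\Microsoft\Boot\bootmgfw.efi'
        return (Get-AuthenticodeSignature -FilePath $bootmgr).SignerCertificate.Issuer
    } finally {
        mountvol $esp /D | Out-Null
    }
}

$secureBootOn = Confirm-SecureBootUEFI
if (-not $secureBootOn) {
    Write-Warning "Secure Boot is not enabled; db/KEK contents are not being enforced on this device."
}

# CAs named in the thread: the expiring 2011 CAs and their 2023 replacements,
# including the 3rd-party (Option ROM) CA pair that Secured-Core systems may omit.
$dbExpect  = @('Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023',
               'Microsoft Corporation UEFI CA 2011',    'Microsoft UEFI CA 2023')
$kekExpect = @('Microsoft Corporation KEK CA 2011', 'Microsoft Corporation KEK 2K CA 2023')

$db  = Get-SecureBootCAPresence -VariableName 'db'  -ExpectedSubjects $dbExpect
$kek = Get-SecureBootCAPresence -VariableName 'KEK' -ExpectedSubjects $kekExpect

# Servicing status value written by Windows Update (value name from the thread; key path assumed).
# The thread reports 0x0 as NotStarted; the expected end state is Updated.
$servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$status = (Get-ItemProperty -Path $servicingKey -Name 'UEFICA2023Status' -ErrorAction SilentlyContinue).UEFICA2023Status

$issuer = Get-BootManagerIssuer

[pscustomobject]@{
    ComputerName          = $env:COMPUTERNAME
    SecureBootEnabled     = $secureBootOn
    DB_WindowsUEFICA2023  = $db['Windows UEFI CA 2023']
    DB_PCA2011            = $db['Microsoft Windows Production PCA 2011']
    DB_ThirdPartyCA2011   = $db['Microsoft Corporation UEFI CA 2011']
    DB_ThirdPartyCA2023   = $db['Microsoft UEFI CA 2023']
    KEK_2K_CA_2023        = $kek['Microsoft Corporation KEK 2K CA 2023']
    UEFICA2023Status      = $status
    BootManagerIssuer     = $issuer
    BootManagerOn2023CA   = ($issuer -like '*Windows UEFI CA 2023*')
}
```

Run it per device (or wrap it in `Invoke-Command` across a fleet) and look at the combination, not any single column: a DB that already contains "Windows UEFI CA 2023" alongside a KEK containing "Microsoft Corporation KEK 2K CA 2023" covers the first two steps of the migration, but the device is only fully moved over once `BootManagerOn2023CA` is true and `UEFICA2023Status` reports Updated. A device with the 2023 DB entries, a PCA 2011-signed boot manager and a NotStarted status is exactly the state described earlier in this thread for re-imaged machines. `DB_ThirdPartyCA2023` being false on a Secured-Core device with the 3rd-party CA option disabled is the gap the Option ROM question above is asking about.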