Hello, I'm looking for some clarity regarding BIOS updates. It is my understanding that if we choose to leverage the REG keys (https://support.microsoft.com/en-us/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d) to enable updating the Secure Boot Certs via Cumulative Updates, all the required certs will be updated in the Active DB without requiring any BIOS updates. However, this process will NOT update the certs in the Default DB, only a BIOS update can update the Default DB. Is this all correct?
If the above is correct, what would occur in a scenario where the Active DB was updated but BIOS was never flashed, and 6 months after the 2011 certs expire, a device with an old BIOS version (missing 2023 certs) is reset to defaults? I assume since the Default DB was never updated, the device would revert back to the old 2011 certs. If that occurs, would this device still be able to boot/PXE?
From my searching this is the basic understanding I have; however, I'm not sure if it's accurate:
| Update Mechanism | Updates Active DB | Updates Default DB | Required for long‑term compliance |
|---|---|---|---|
| Cumulative Updates (AvailableUpdates opt‑in) | ✔ Yes | ✘ No | Partial – active DB only |
| OEM BIOS Update | ✔ Yes (after reset) | ✔ Yes | Full compliance & future‑proofing |
Would it be fair to say ensuring the Active DB is updated before June 2026 is most important, and the Default DB is more of a secondary concern? Essentially I'm just trying to understand the best order of operations here regarding leveraging Cumulative Updates vs BIOS updates to handle this process.
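An added example for readers working through the same question (not code from the original post or from Microsoft): an elevated PowerShell readiness check that reports whether the opt-in registry value is set, whether the active DB already carries the "Windows UEFI CA 2023" certificate, whether the firmware default DB (the one a "reset to defaults" restores) also carries it, and whether a BitLocker recovery password protector exists for the system drive. The `AvailableUpdates` value under `HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing` is the one the linked Microsoft article describes; `UEFICA2023Status` is assumed from Microsoft's servicing documentation and reading `dbDefault` through `Get-SecureBootUEFI` is an assumption that may not be supported on every Windows build, so both are handled as optional.

```powershell
# Added example, not from the original post. Run as Administrator on a UEFI system.
# Assumptions are marked in comments; nothing here changes firmware or registry state.

$ServicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

function Test-SecureBootVariableFor2023Ca {
    param([Parameter(Mandatory)][string]$VariableName)
    # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST bytes. Certificate subject
    # names are stored as printable ASCII inside the DER blob, so a substring match is
    # enough for a yes/no readiness check. 'dbDefault' is an assumption: if the cmdlet
    # rejects the name on this build, the variable is reported as not readable.
    try {
        $raw = (Get-SecureBootUEFI -Name $VariableName -ErrorAction Stop).Bytes
    } catch {
        return [pscustomobject]@{ Variable = $VariableName; Readable = $false; Has2023CA = $null; Has2011CA = $null }
    }
    $text = [System.Text.Encoding]::ASCII.GetString($raw)
    [pscustomobject]@{
        Variable  = $VariableName
        Readable  = $true
        Has2023CA = [bool]($text -match 'Windows UEFI CA 2023')
        Has2011CA = [bool]($text -match 'Microsoft Windows Production PCA 2011')
    }
}

function Get-SecureBootServicingState {
    # Registry opt-in described in the linked Microsoft article. UEFICA2023Status is an
    # assumed status value name; absent values are reported as $null rather than failing.
    $props = Get-ItemProperty -Path $ServicingKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SecureBootEnabled = (Confirm-SecureBootUEFI -ErrorAction SilentlyContinue)
        AvailableUpdates  = if ($props) { $props.AvailableUpdates } else { $null }
        UEFICA2023Status  = if ($props) { $props.UEFICA2023Status } else { $null }
    }
}

function Test-BitLockerRecoveryProtector {
    # The reply below notes that a PCR7 mismatch after recovery needs the recovery key;
    # confirm a RecoveryPassword protector exists (and is escrowed elsewhere) beforehand.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if (-not $vol) { return $null }
    [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

$servicing = Get-SecureBootServicingState
$activeDb  = Test-SecureBootVariableFor2023Ca -VariableName 'db'
$defaultDb = Test-SecureBootVariableFor2023Ca -VariableName 'dbDefault'   # assumption, see above

$servicing | Format-List
$activeDb, $defaultDb | Format-Table -AutoSize
"BitLocker recovery password protector on {0}: {1}" -f $env:SystemDrive, (Test-BitLockerRecoveryProtector)

# Interpretation matching the question's table:
#  - Active db has 2023 CA, default db readable but lacks it  -> Cumulative Update path done,
#    but a firmware 'reset to defaults' would drop back to 2011-only; schedule the OEM BIOS update.
#  - Both carry the 2023 CA                                    -> fully updated.
#  - Active db lacks the 2023 CA and AvailableUpdates is unset -> opt-in not yet applied.
if ($activeDb.Has2023CA -and $defaultDb.Readable -and -not $defaultDb.Has2023CA) {
    Write-Warning 'Active DB updated, but firmware default DB still lacks the 2023 CA: a reset to defaults would revert this device.'
}
```

The warning branch is the scenario asked about above: the active DB is current, but the firmware's own defaults are not, so only a BIOS update closes that gap. Run it before the opt-in to record a baseline and again after the cumulative update has applied.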
- mihi, Feb 03, 2026, Copper Contributor
As the new bootloader on disk will be signed with 2023 certs, it will deny the boot with a Secure Boot violation. But you can boot external media from "C:\Windows\Boot\EFI\SecureBootRecovery.efi" which will add back (just) the 2023 Windows CA certificate to DB, so that the system can boot again and fix up the rest. In this process, PCR7 sealing of the TPM will cause a mismatch (if the resetting of the UEFI did not already do so), so if you use BitLocker sealed against PCR7, you'd also need the Recovery Key. Afterwards, the booted system will restore the rest of the KEK/DB/DBX certificates.
Booting from PXE would also require booting from a different image (signed with the old keys) and chainloading securebootrecovery.efi.