I have several questions regarding devices that lack supported firmware (End-of-Life hardware or devices where the firmware hasn't been updated) and therefore do not have the Windows UEFI CA 2023 certificate integrated.
Q1: I understand these devices will continue to boot after June 2026 even with Secure Boot active. However, what happens if there are changes e.g. to bootmgfw.efi or the underlying hardware? What would be the impact? Can we let such a device live until the HW dies, to avoid replacement of still good working HW?
Q2: When does Microsoft plan to add the original 2011 certificate to the revocation list (DBX)? If/when this happens, what will the consequences be for these legacy devices?
Q3: If a firmware update for an older machine is released after June 2026, will it be possible to install/deploy the new certificate manually at that point?
Q4: Can we expect to see a Secure Boot certificate status report integrated into the Microsoft Defender for Endpoint console?
- Pearl-Angeles, Feb 06, 2026
Community Manager
In addition to the written responses below, the panelists covered question #1 at around 2:18 and question #3 at around 3:53 during the live AMA.
- Prabhakar_MSFT, Feb 05, 2026
Microsoft
Q1 - Yes. Devices will continue to boot after June 2026 even with Secure Boot active. Without the updated certificate, security updates to the Windows boot manager and Secure Boot (updates to the Secure Boot disallowed database) cannot be applied to the device or to features that rely on boot security updates, such as BitLocker and features relying on Virtualization Based Security.
Q2 - There is no immediate plan to automatically apply the 2011 certificate revocation, to prevent impact to external boot sources such as network boot (PXE) and external boot media. Enterprises can plan the 2011 certificate revocation once all boot sources have been updated.
Q3 - Yes. The devices can continue to update certificates to firmware even after June 2026.
Q4 - Customers who have enrolled in Windows Autopatch can make use of Autopatch Secure Boot reporting to know the status. For more details on Autopatch reporting, refer to Secure Boot status report in Windows Autopatch | Microsoft Learn.
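For admins without Autopatch who want to check a single device's state against the points raised in Q1, Q2 and Q4, here is an added PowerShell example (not from the AMA or any Microsoft tool) that reads the UEFI db and dbx variables and the signer of the staged boot manager. It assumes the built-in SecureBoot module is available, that it runs elevated on a UEFI machine, and that matching the CA subject text inside the raw signature-list bytes is a sufficient heuristic (it does not parse EFI_SIGNATURE_LIST structures).

```powershell
# Added example: local Secure Boot certificate status check. Run as Administrator
# on a UEFI Windows device. Assumptions: SecureBoot module present; substring
# matching on the CA subject inside db/dbx bytes is a heuristic, not a full parse.

function Test-UefiVarContains {
    param([string]$Name, [string]$Pattern)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    } catch {
        return $null   # variable missing or unreadable (e.g. legacy BIOS, not elevated)
    }
    # Certificate subject names are stored as ASCII inside the DER-encoded entries.
    return ([System.Text.Encoding]::ASCII.GetString($bytes) -match $Pattern)
}

function Get-SecureBootCaStatus {
    $state = [ordered]@{
        SecureBootEnabled         = (Confirm-SecureBootUEFI -ErrorAction SilentlyContinue)
        # $false here is the "firmware not updated" case discussed in Q1/Q3.
        Db_Has_WindowsUefiCa2023  = Test-UefiVarContains -Name db  -Pattern 'Windows UEFI CA 2023'
        Db_Has_ProductionPca2011  = Test-UefiVarContains -Name db  -Pattern 'Microsoft Windows Production PCA 2011'
        # $true here means the 2011 CA revocation from Q2 has been applied on this device.
        Dbx_Has_ProductionPca2011 = Test-UefiVarContains -Name dbx -Pattern 'Microsoft Windows Production PCA 2011'
    }

    # Staged boot manager kept by the OS; the copy actually on the ESP may differ.
    $bm = Join-Path $env:SystemRoot 'Boot\EFI\bootmgfw.efi'
    if (Test-Path $bm) {
        $sig = Get-AuthenticodeSignature -FilePath $bm
        $state.StagedBootmgrSignerIssuer = $sig.SignerCertificate.Issuer
        $state.StagedBootmgrSigned2023   = ($sig.SignerCertificate.Issuer -match 'Windows UEFI CA 2023')
    }
    return [pscustomobject]$state
}

Get-SecureBootCaStatus | Format-List
```

A device showing Db_Has_WindowsUefiCa2023 = $false together with StagedBootmgrSigned2023 = $true is the combination to watch: the OS has staged a boot manager that the firmware's current db cannot verify.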