Event details
It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot play...
Heather_Poulsen
Updated Jan 29, 2026
kumarshai88hotmailco
Feb 05, 2026, Copper Contributor
- Can we proceed with the firmware upgrades on the physical Hyper‑V servers with OEM Support before Microsoft releases the fix on March 10th?
- Do we need to wait for the automatic renewal process to begin, or should we initiate the manual renewal using the required registry key? We have a tough deadline towards June 2026.
- We have several physical Hyper‑V host servers where Secure Boot is currently disabled at the Windows hypervisor level, while the guest virtual machines have Secure Boot enabled. Please confirm whether it is still necessary to update the compatible firmware on these Hyper‑V host servers.
- Is the presence of Event ID 1808 sufficient to validate the successful Secure Boot certificate renewal, or should we additionally verify the certificate expiry details?
- What is the expected downtime, how many reboots are required during the Secure Boot certificate renewal process, and how can we effectively manage this within the controlled patching window? Additionally, if we perform one reboot as part of the current monthly patching cycle and defer the second reboot to the next month's patch schedule, would this cause any performance issues or operational risks on the affected servers?
- Is there any potential impact on installed applications following the renewal of Secure Boot certificates? Is there any rollback plan in case of any issues?
- When will we have Secure Boot certificate renewal status reports in SCCM?
Pearl-Angeles
Feb 06, 2026, Community Manager
Thanks for your questions! Panelists covered question #3 at around 21:32 and question #4 at 41:39 during the live AMA.
mihi
Feb 05, 2026, Copper Contributor
5. No extra reboots strictly required. When your device is eligible, the new certificates can be installed without a reboot. The switch to the new bootloaders will be deferred to after the next reboot to be sure that the new certificates work and are sticking.
6. If you have any "applications" that store key material in the TPM and protect it with PCR7, they might be unable to retrieve their keys and go through a recovery process. But that would mostly be third-party full disk encryption software, and which enterprise still uses that when they can get BitLocker for free with Windows 10/11 Pro?
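The following PowerShell is an added example, not code from the AMA thread or from Microsoft. It pulls together the checks a host admin would run for question #4 (whether Event ID 1808 alone is enough) and for mihi's point #6 (TPM keys sealed to PCR7): it reads the Secure Boot db directly for the new CA, looks for the most recent Event 1808, reads the renewal control value, and lists BitLocker volumes whose TPM protector validates PCR 7. Assumptions, labelled in the comments: the 1808 event is logged in the System log by the Microsoft-Windows-TPM-WMI provider, the renewal task is driven by the AvailableUpdates value under HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot, the new CA subject contains "Windows UEFI CA 2023", and the PCR list appears on the line after "PCR Validation Profile:" in manage-bde output. Run it elevated on a UEFI host.

```powershell
# Added example: consolidated Secure Boot certificate renewal checks for one host.
# Not from the original thread. Run in an elevated PowerShell session.

function Test-SecureBootRenewal {
    [CmdletBinding()]
    param(
        # Assumption: the subject string of the new Microsoft boot CA as it
        # appears inside the EFI_SIGNATURE_LIST blob stored in the db variable.
        [string]$ExpectedCa = 'Windows UEFI CA 2023'
    )

    $r = [ordered]@{}

    # 1. Is Secure Boot enforced at all? On a Hyper-V host with it disabled,
    #    the UEFI variables may still be readable but nothing enforces them.
    try   { $r.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $r.SecureBootEnabled = $false }   # non-UEFI or unsupported firmware

    # 2. Is the new CA actually present in db? This is the ground truth the
    #    question asks about; an event log entry only reports an attempt.
    try {
        $dbText   = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $r.NewCaInDb = [bool]($dbText -match [regex]::Escape($ExpectedCa))
    } catch { $r.NewCaInDb = $false }

    # 3. Newest Event ID 1808 (assumption: provider Microsoft-Windows-TPM-WMI,
    #    System log), which the servicing stack writes after a db update.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1808
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $r.LastEvent1808 = if ($evt) { $evt.TimeCreated } else { $null }

    # 4. Renewal control value (assumption: AvailableUpdates under the
    #    SecureBoot key is what the scheduled task reads; 0 means nothing pending).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $r.AvailableUpdates = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AvailableUpdates

    # 5. BitLocker volumes whose TPM protector validates PCR 7. These are the
    #    volumes that can drop into recovery when the boot chain's CA changes.
    $r.Pcr7BoundVolumes = @()
    foreach ($vol in (Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')) { continue }
        # Assumption about manage-bde layout: the PCR list is on the line
        # following "PCR Validation Profile:".
        $lines = & manage-bde.exe -protectors -get $vol.MountPoint 2>$null
        for ($i = 0; $i -lt $lines.Count - 1; $i++) {
            if ($lines[$i] -match 'PCR Validation Profile' -and $lines[$i + 1] -match '\b7\b') {
                $r.Pcr7BoundVolumes += $vol.MountPoint
                break
            }
        }
    }

    # 6. On a Hyper-V host, list guests that enforce Secure Boot themselves.
    #    Their virtual firmware is serviced by the host's Hyper-V updates, not
    #    by the host's physical UEFI, so they are tracked separately here.
    if (Get-Command Get-VMFirmware -ErrorAction SilentlyContinue) {
        $r.SecureBootGuests = @(Get-VM | Get-VMFirmware |
            Where-Object SecureBoot -eq 'On' | ForEach-Object { $_.VMName })
    }

    # Verdict: treat the renewal as complete only when the CA is in db AND
    # a 1808 event exists; either one alone is not sufficient evidence.
    $r.RenewalVerified = $r.NewCaInDb -and ($null -ne $r.LastEvent1808)
    [pscustomobject]$r
}

$status = Test-SecureBootRenewal
$status | Format-List
if ($status.Pcr7BoundVolumes.Count -gt 0) {
    Write-Warning "Back up BitLocker recovery keys for: $($status.Pcr7BoundVolumes -join ', ') before the bootloader switch."
}
```

The verdict deliberately requires both the CA in db and the 1808 event, because the event records that an update was applied while the db read shows what the firmware currently trusts; a host restored from an older firmware image or with NVRAM reset would show the event but not the certificate. For fleet reporting, wrap the function in `Invoke-Command -ComputerName` and export the objects to CSV.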