Event details

It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot play...
Heather_Poulsen
Updated Jan 29, 2026
AMA
miro2022's avatar
miro2022
Copper Contributor
Feb 05, 2026

Is updating BIOS / UEFI a prerequisite before updating the certificates?

Is there a list of “High Confidence” devices Microsoft can provide?

Outside Intune, what does Microsoft suggest as the most reliable method?

What about the WinCS / AvailableUpdates=5944) vs Option 2 (Managed Opt-in)?

Telemetry / Events – how do we monitor success?

BitLocker – do we need to suspend it?  

Teams room devices are impacted ? 

  • mihi's avatar
    mihi
    Copper Contributor
    Feb 08, 2026

    About the "High Confidence" devices: You can have a look at BucketConfidenceData.json inside C:\Windows\System32\SecureBootUpdates\BucketConfidenceData.cab which will contains a list of model bucket hashes grouped by OEM name. As these are hashes, you cannot deduce the model names from them (and probably even Microsoft cannot if they only keep the hashes in their telemetry data). Also, as of January 2026 update, there are almost a million hashes in there.

    Here is a list grouped by vendor (as you see, some vendors are unsure how to write themselves):

    • Generic OEM (877734 models)
    • Acer (10690 models)
    • ASUS (2017 models)
    • ASUSTeK COMPUTER INC. (1385 models)
    • ASUSTeK Computer Inc. (18 models)
    • ASUSTeK Computer INC. (1 model)
    • Dell (5 models)
    • Dell Inc. (411 models)
    • Dynabook Inc. (565 models)
    • Hewlett-Packard (5 models)
    • HONOR (95 models)
    • HP (1001 models)
    • LENOVO (50008 models)
    • LG Electronics (2668 models)
    • LG Electronics Inc. (2 models)
    • Micro-Star International Co., Ltd (229 models)
    • Micro-Star International Co., Ltd. (5605 models)
    • Microsoft (3 models)
    • Microsoft Corporation (35 models)
    • MSI (129 models)
    • Panasonic Connect Co., Ltd. (7 models)
    • Panasonic Corporation (22 models)
    • SAMSUNG ELECTRONICS CO., LTD. (4081 models)
    • TOSHIBA (326 models)
    • Toshiba (8 models)

    As nobody knows which vendor don't give themselves a name in the data sourced by Microsoft, you cannot even tell if your vendor is included ☹️

    • TobiA's avatar
      TobiA
      Brass Contributor
      Feb 08, 2026

      I assume the hashes are generated on the devices before sending the telemetry, so it should be easy to get the hash of given a device locally and compare it to the list, to know if its part of "High Confidence" or not. Using that as Intune proactive remediation would give us an overview, which device to take care of ourselves (the ones not in HighConfidence Bucket), and to proove the HighConfidence devices got updated, as expected.

  • Pearl-Angeles's avatar
    Pearl-Angeles
    Icon for Community Manager rankCommunity Manager
    Feb 06, 2026

    Thanks for your participation! Panelists covered your question about Intune at 42:14 during the live AMA.