Event details
Customer-reported question: experiencing difficulties applying Secure Boot certificate updates.
From a Microsoft security perspective, which of the configurations below has the least bad risk exposure to Secure Boot exploits?
1. A system with Secure Boot enabled:
a. Expired certificates in DB and KEK (2011), and the boot manager signed by the 2011 certificate (nothing is up to date)
b. 2023 certificates are in DB and the boot manager is signed by the 2023 certificate, but only the 2011 KEK certificate version is present (the update procedure fails to update the KEK) (partial update)
2. A system running UEFI but Secure Boot disabled
3. A system running in Legacy BIOS (non-UEFI) mode
Is a system in scenarios (1a and 1b) considered more exposed, less exposed, or equivalent in risk compared to scenarios (2) and (3)?
- mihi, Feb 05, 2026, Copper Contributor
1B is best, 1A slightly worse (bugfixes in Boot Manager not present), 2 and 3 are equally insecure.
You could also reach 1C by revoking the 2011 DB certificate and applying the SVN update to the 1B configuration, which would give another boost against BlackLotus & co.
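As an added example (not part of the question or of mihi's answer), the following PowerShell function reports which of the configurations discussed above a Windows machine is currently in, using only built-in cmdlets. It assumes an elevated session (Get-SecureBootUEFI and Confirm-SecureBootUEFI require it), that drive letter S: is free for temporarily mounting the EFI system partition with mountvol, and that the Microsoft CA subject names below are the right markers; the scenario labels are mapped onto the question's numbering and mihi's 1C, and the intermediate "all 2023, 2011 not yet revoked" label is my own.

```powershell
# Added example, not code from the thread. Classifies the local machine into the
# Secure Boot scenarios discussed above (1a, 1b, 1c, 2, 3).
# Assumptions: elevated PowerShell, S: free for mounting the ESP, Microsoft CA names
# as the markers for "2011" vs "2023" state.
function Get-SecureBootScenario {
    [CmdletBinding()]
    param(
        # Drive letter borrowed for the EFI system partition (mountvol <letter> /S). Assumed free.
        [string] $EspLetter = 'S:'
    )

    # Scenario 3: Windows sets firmware_type to 'Legacy' or 'UEFI' at boot.
    if ($env:firmware_type -ne 'UEFI') {
        return [pscustomobject]@{ Scenario = '3'; Detail = 'Legacy BIOS boot; Secure Boot not available' }
    }

    # Scenario 2: UEFI firmware with Secure Boot switched off. Confirm-SecureBootUEFI
    # returns $false when disabled and throws when the platform has no Secure Boot support.
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $false }
    if (-not $enabled) {
        return [pscustomobject]@{ Scenario = '2'; Detail = 'UEFI boot with Secure Boot disabled' }
    }

    # db/KEK/dbx hold EFI_SIGNATURE_LISTs whose X.509 entries are DER encoded; the
    # subject names inside the DER are plain ASCII, so a substring match is enough
    # to see which Microsoft CAs are enrolled (dbx is mostly hashes, but a revoked
    # CA appears there as a full DER certificate).
    $read = { param($name) [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $name).Bytes) }
    $db  = & $read 'db'
    $kek = & $read 'KEK'
    $dbx = & $read 'dbx'

    $dbHas2023      = $db  -match 'Windows UEFI CA 2023'
    $kekHas2023     = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    $dbxRevokes2011 = $dbx -match 'Microsoft Windows Production PCA 2011'   # mihi's 1C step

    # Boot manager signer: mount the ESP, read the Authenticode signer, unmount again.
    $signer = 'unsigned or unreadable'
    try {
        & mountvol.exe $EspLetter /S | Out-Null
        $sig = Get-AuthenticodeSignature -FilePath (Join-Path $EspLetter 'EFI\Microsoft\Boot\bootmgfw.efi')
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    } finally {
        & mountvol.exe $EspLetter /D | Out-Null
    }
    $bootMgr2023 = $signer -match 'Windows UEFI CA 2023'

    # Map the observed state onto the thread's numbering.
    $scenario = if (-not $dbHas2023 -or -not $bootMgr2023) { '1a' }      # 2023 CA not trusted, or boot manager still 2011-signed
                elseif (-not $kekHas2023)                   { '1b' }      # db + boot manager 2023, KEK still 2011 only
                elseif (-not $dbxRevokes2011)               { '1b+KEK' }  # my label: everything 2023, 2011 CA not yet revoked
                else                                        { '1c' }      # 2011 DB CA revoked as well

    [pscustomobject]@{
        Scenario        = $scenario
        DbHas2023CA     = $dbHas2023
        KekHas2023CA    = $kekHas2023
        BootMgrSigner   = $signer
        Dbx Revokes2011 = $dbxRevokes2011
        Detail          = 'Secure Boot enabled; see boolean fields for the partial-update state'
    }
}

# Usage (elevated prompt):
Get-SecureBootScenario | Format-List
```

The function does not check the boot manager SVN that mihi mentions, because that value is not exposed by a built-in cmdlet; the dbx match only tells you whether the 2011 signing CA itself has been revoked. If mountvol reports that the letter is already in use, pass a different free letter via -EspLetter.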