Event details
From my understanding, the AvailableUpdates (0x5944) reg key needs to be applied and then a manual fire-off of the scheduled task needs to happen afterward. Once I did this, in this order, the status of UEFICA2023Status went from “NotStarted” to “InProgress”. It took me about 2-3 reboots for changes to take effect.
Questions I hope to have answered are below:
- Are all 3 certificates (2 DB and 1 KEK) required to rotate in? How many certificates do we need to check for to meet compliance? Some are checking for just one, some are checking for 3… which is it?
- If one certificate is missing in either the DB or KEK databases, is a firmware upgrade of the BIOS required?
- According to the documentation, there is an option for “Controlled Feature Rollout” using Microsoft Update Managed certificates (MicrosoftManagedUpdateOptIn). Not too concerned about the level of telemetry that is pulled; however, just curious if this is something that customers can turn on to quickly retrieve these certs. Or if it’s necessary for future cert rotations.
- And! What happens if a computer doesn’t have Secure Boot enabled? Or if Secure Boot is enabled, what happens to that device if not compliant by June of 2026?
Setting 0x5944 does not require manual intervention to trigger the update. The Secure Boot Update scheduled task is configured to execute 5 minutes after boot and then once every 12 hours. The task will automatically apply the certificates if it detects the setting on its next execution. The task can also be triggered manually to allow immediate application of the certificates.
Below are answers to your questions:
1) There are 4 certificates in total (3 in DB and 1 in KEK). Devices in a Secured-core configuration that do not trust Microsoft UEFI CA 2011 only require 2 certificates (Microsoft Corporation KEK 2K CA 2023 and Windows UEFI CA 2023). Setting 0x5944 will ensure the applicable certificates are deployed based on device configuration.
2) Some devices may have issues applying the certificates. It is recommended to apply the latest available firmware updates from the device manufacturer and then retry the certificate updates.
3) MicrosoftManagedUpdateOptIn enables Microsoft to leverage the CFR (Controlled Feature Rollout) mechanism to safely roll out the certificate updates in the environment. This requires enterprises to turn on Required diagnostic data. For more details on how to enroll in this setting, refer to https://aka.ms/getsecureboot
4) Devices without Secure Boot enabled are not in scope for the certificate updates. Those devices will continue to receive the applicable security updates. We recommend enabling Secure Boot if the device is capable, to ensure devices get all Boot Security Integrity features.
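The following PowerShell script is an added example written for this thread; it is not code from either poster or from Microsoft. It performs the read-only check the two posts describe: whether Secure Boot is on, what AvailableUpdates and UEFICA2023Status currently hold, the state of the Secure Boot Update scheduled task, and which of the 2023 CA certificates are actually present in the firmware's DB and KEK variables. The registry paths, the task path/name and the two DB certificate names not quoted in the thread (Microsoft UEFI CA 2023, Microsoft Option ROM UEFI CA 2023) are assumptions based on Microsoft's KB5025885 guidance and should be verified on a test machine before use in a compliance check. The optional `-TriggerTask` switch starts the task manually, as the answer says is permitted; by default nothing is changed.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session.
# Assumed locations (verify against current Microsoft guidance):
$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'      # assumed: AvailableUpdates lives here
$ServicingKey  = Join-Path $SecureBootKey 'Servicing'                     # assumed: UEFICA2023Status lives here
$TaskPath      = '\Microsoft\Windows\PI\'                                 # assumed task folder
$TaskName      = 'Secure-Boot-Update'                                     # assumed task name

# Certificate subject names expected after the rollout. The first and last are quoted
# in the thread; the two middle DB names are assumed from Microsoft's published list.
$ExpectedDb  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
$ExpectedKek = @('Microsoft Corporation KEK 2K CA 2023')

function Test-SecureBootVariableContains {
    param([string]$Variable, [string[]]$Subjects)
    # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST bytes of the variable.
    # The X.509 subject is stored as printable ASCII inside each DER certificate,
    # so a substring search on the decoded bytes is enough to tell presence/absence.
    $text = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Variable).Bytes)
    foreach ($subject in $Subjects) {
        [pscustomobject]@{ Variable = $Variable; Certificate = $subject; Present = $text.Contains($subject) }
    }
}

function Get-SecureBootRolloutState {
    param([switch]$TriggerTask)

    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $false }   # throws on legacy BIOS
    if (-not $enabled) {
        Write-Warning 'Secure Boot is not enabled; the 2023 certificate update is out of scope for this device.'
        return
    }

    $available = (Get-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $status    = (Get-ItemProperty -Path $ServicingKey  -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status
    $task      = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue

    # Summary of the servicing state described in the thread (0x5944 -> NotStarted/InProgress/...).
    [pscustomobject]@{
        AvailableUpdates = if ($null -ne $available) { '0x{0:X4}' -f $available } else { '<not set>' }
        UEFICA2023Status = if ($status) { $status } else { '<not set>' }
        TaskState        = if ($task) { $task.State } else { '<task not found>' }
        TaskLastRun      = if ($task) { ($task | Get-ScheduledTaskInfo).LastRunTime } else { $null }
    } | Format-List

    # Which of the expected certificates the firmware actually holds right now.
    $certs = @(Test-SecureBootVariableContains -Variable 'db'  -Subjects $ExpectedDb) +
             @(Test-SecureBootVariableContains -Variable 'KEK' -Subjects $ExpectedKek)
    $certs | Format-Table -AutoSize

    $missing = $certs | Where-Object { -not $_.Present }
    if ($missing) {
        Write-Warning ("Missing: " + (($missing | ForEach-Object { $_.Certificate }) -join ', ') +
                       ". The task runs 5 minutes after boot and every 12 hours; a reboot may be needed.")
    }

    if ($TriggerTask -and $task) {
        # Optional manual kick of the task, as the answer notes is allowed.
        Start-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
        Write-Host "Started $TaskPath$TaskName; re-run this script after the next reboot."
    }
}

Get-SecureBootRolloutState          # read-only report
# Get-SecureBootRolloutState -TriggerTask   # uncomment to fire the task immediately
```

For the compliance question raised above (check one certificate or several), this script reports each expected certificate separately, so a fleet check can be written against whichever subset applies: all four for a standard device, or just the KEK 2K CA 2023 plus Windows UEFI CA 2023 for the Secured-core case the answer describes. A device where only some entries show `Present = False` after several reboots is the situation the answer says warrants a firmware update from the OEM before retrying.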