Event details
It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot play...
Heather_Poulsen
Updated Jan 29, 2026
saranrajappa
Feb 05, 2026 - Copper Contributor
2. When the CSP is deployed, we see that the CSP sets the policy as "AvailableUpdatesPolicy=0x00005944(22852)". Will this move the 2011 certificate to DBX, and when will it move? Will there be time for enterprise admins to know this and take action on iPXE and bootable media?
3. The "secure boot status" report in Intune has a column "certificate status". What goes on behind the scenes to say "Up to date"? Does "Up to date" mean the certificate is in UEFI? Or the certificate is in UEFI and the device is booting from the 2023-signed boot manager?
mihi
Feb 05, 2026 - Copper Contributor
The DBX update flag is 0x80, so it is not included in 0x5944. You would need to set it to 0x59C4 to push it alongside, or individually set it to 0x80 after the other updates have been applied and the value has returned to 0x4000/0x0.