Event details
It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot play...
Heather_Poulsen
Updated Jan 29, 2026
Id_Jamie
Feb 05, 2026 · Copper Contributor
I have seen a few devices where everything is ticked in the detection script after updates got applied, but the only red X is that the Default UEFI DB has "Microsoft Option ROM UEFI CA 2023" not ticked. Do I have an issue? Seeing the same on VM ESX 8 with nvram renamed, but everything else is green on default, and KEK got updated correctly as well.
mihi
Feb 05, 2026 · Copper Contributor
Did the machine have the old 2011 equivalent of the Option ROM certificate? If not, it won't get the new one.
Also, for a VM you won't need the Option ROM CA, and the default db is not updated by the updates at all anyway (only by the UEFI vendor).
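
The check described in the reply above, as an added example that is not part of the thread or of Microsoft's detection script: it compares the active `db` with the firmware's `dbDefault` for the Option ROM CA and its 2011 predecessor. It assumes the 2011 equivalent is named "Microsoft Corporation UEFI CA 2011" (not stated on the page), must run elevated on a UEFI device, and uses a substring match on the raw variable rather than a full signature-list parse.

```powershell
# Added example. Run in an elevated PowerShell session on a UEFI device.
$Old2011   = 'Microsoft Corporation UEFI CA 2011'  # assumed name of the 2011 equivalent
$OptionRom = 'Microsoft Option ROM UEFI CA 2023'   # name quoted in the question

function Test-CertInVariable {
    param([string]$Variable, [string]$CertName)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    } catch {
        return $null   # variable missing or not readable on this platform
    }
    # Certificate subject names appear as readable strings inside the DER data.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text -match [regex]::Escape($CertName)
}

# db is the active allow list that Windows updates modify;
# dbDefault is the firmware's factory copy, which only the UEFI vendor changes.
$report = foreach ($var in 'db', 'dbDefault') {
    [pscustomobject]@{
        Variable  = $var
        Has2011   = Test-CertInVariable $var $Old2011
        HasOptRom = Test-CertInVariable $var $OptionRom
    }
}
$report | Format-Table -AutoSize

$active = $report | Where-Object Variable -eq 'db'
if ($null -eq $active.HasOptRom) {
    'Could not read the active db (not elevated, or not a UEFI system).'
} elseif ($active.HasOptRom) {
    'Active db contains the Option ROM CA 2023.'
} elseif ($active.Has2011) {
    'Active db has the 2011 equivalent but not the Option ROM CA 2023 yet.'
} else {
    'Active db never had the 2011 equivalent, so the Option ROM CA 2023 is not expected.'
}
```

A missing entry in the `dbDefault` row matches the reply's point that the default db is left to the UEFI vendor; the `db` row is the one the updates change.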