Event details
Thanks to all participants of yesterday's panel for the explanations.
There were a lot of questions regarding the tools and possible scenarios.
For a better understanding, however, I/we are still missing what is REALLY going on with the certificate updates.
As said in the video, whatever tool is used for the update of the 2023 certificates, it points to the same registry keys. From my understanding, those keys define the status of the update.
Scott clearly mentioned in the video that the OS can only modify the "active" certificates, while the "default" certificates in the firmware can only be updated by a firmware update provided by the mainboard's manufacturer. During the update from Windows, what exactly is done on the EFI partition on the hard drive? Which files get modified?
What is written to the UEFI firmware? It should be the KEK and DB, but what if the firmware is partially "read-only" (e.g. not allowing a KEK update)?
Maybe, Scott Shell, could you elaborate a bit? Or better, link an article with the deeper technical details? Most of the technical details are already in the playbook and https://support.microsoft.com/en-us/topic/secure-boot-certificate-updates-guidance-for-it-professionals-and-organizations-e2b43f9f-b424-42df-bc6a-8476db65ab2f, but without the deeper detail on the EFI.
Regardless of the tool, knowing what is modified could help advanced people troubleshoot.
I am especially thinking of all the older PCs that can NOT get a firmware update and will face a possible mismatch from a "half" update (one side with the 2011 certificate, the other with 2023). Those were partially mentioned during the video.
I am very aware that most of the discussion is related to professional users with supported computers, and that owners of older unsupported PCs "may want to renew their machine".
However, plenty of older PCs can still be used for other purposes, either on Win10 ESU, Windows LTSC, Linux or whatever OS. So it would be very helpful to know what is going on before throwing those PCs in the garbage.
Eventually, for older unsupported computers with possible certificate mismatches, what about disabling Secure Boot completely? Isn't it a better recommendation?
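One way to see the "half update" state on a given machine is to read the active KEK and DB variables and the Windows servicing status directly; the script below is an added example, not code from the post, the panel or Microsoft. It assumes an elevated PowerShell session with the built-in SecureBoot module, and it takes the CA subject names and the `UEFICA2023Status` registry value name from the Microsoft guidance linked above.

```powershell
# Added example, not from the original post. Reports which Microsoft CAs are
# present in the active KEK and DB variables and what the Windows servicing
# status says, so a mixed 2011/2023 ("half") state is visible at a glance.
# Assumptions: runs elevated on Windows with the built-in SecureBoot module;
# the status value name and CA subject names follow Microsoft's IT-pro guidance.

function Get-SecureBootCertState {
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $false }
    if (-not $enabled) { return [pscustomobject]@{ SecureBoot = 'Disabled or unsupported' } }

    # Each variable is an EFI_SIGNATURE_LIST blob; the DER certificates inside carry
    # their subject names as plain ASCII, so a substring match tells 2011 from 2023.
    $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)

    $state = [ordered]@{
        SecureBoot   = 'Enabled'
        KEK_2011     = $kek -match 'Microsoft Corporation KEK CA 2011'
        KEK_2023     = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        DB_Win_2011  = $db  -match 'Microsoft Windows Production PCA 2011'
        DB_Win_2023  = $db  -match 'Windows UEFI CA 2023'
        DB_UEFI_2011 = $db  -match 'Microsoft Corporation UEFI CA 2011'
        DB_UEFI_2023 = $db  -match 'Microsoft UEFI CA 2023'
    }

    # Windows records its own progress under this key; it is absent on builds
    # that do not carry the certificate servicing logic.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    $state.UEFICA2023Status = if ($svc) { $svc.UEFICA2023Status } else { 'not present' }

    # The assessment only looks at what the firmware actually holds, which is the
    # part a firmware-level "read-only" KEK would leave behind.
    $new = @($state.KEK_2023, $state.DB_Win_2023, $state.DB_UEFI_2023)
    if ($new -notcontains $false) {
        $state.Assessment = 'Complete: KEK and DB both carry the 2023 CAs'
    } elseif ($new -notcontains $true) {
        $state.Assessment = 'Not started: only 2011 CAs present'
    } else {
        $state.Assessment = 'Partial: mixed 2011/2023 state, check whether the firmware accepted the KEK write'
    }
    return [pscustomobject]$state
}

Get-SecureBootCertState | Format-List
```

The 2011 entries are expected to remain present alongside the 2023 ones after a successful update; only a missing 2023 entry in KEK or DB indicates the partial state the post asks about.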