Event details
Thank you everyone for your participation in this Secure Boot AMA! Below are the questions the panelists answered live, along with associated timestamps:
Question – What happens to devices after a certificate expires? – answered at 1:14.
Question – I understand these devices will continue to boot after June 2026 even with Secure Boot active. However, what happens if there are changes, e.g. to bootmgfw.efi or the underlying hardware? What would be the impact? Can we let such a device live until the HW dies, to avoid replacing still-working HW? – answered at 2:18.
Question – If a firmware update for an older machine is released after June 2026, will it be possible to install/deploy the new certificates manually at that point? – answered at 3:53.
Question – Can you provide clarification on this? Does Microsoft currently deploy the Secure Boot 2023 certificates using a hybrid rollout model (telemetry-based CFR combined with optional policy-based control)? – answered at 5:08.
Question – At what point will policy-based opt-in become the primary or required mechanism for IT-managed devices? – answered at 6:37.
Question – Could you talk about the device's local Secure Boot enforcement mode (Strict, Standard, Audit etc.) please? Someone in our team mentioned it today - that if devices are in Strict mode they won't boot without the new certificate? I've not seen this mentioned in the MS docs I've read. – answered at 9:10.
Question – We've been seeing devices that appear to be eligible for the automatic Secure Boot cert updates based on the documentation available via MS but don't seem to progress. Can you confirm the minimum “eligibility checklist” for the automatic Secure Boot certificate update (OS baseline, update level, UEFI + Secure Boot, diagnostic data level, etc.), and which items are hard blockers vs “recommended”? Once a device is eligible, what is the typical timeline (hours, days, weeks) to observe progress? – answered at 13:46.
Question – Can you elaborate on the differences between the active db and the default db? This seems to be a common point of confusion. – answered at 15:44.
Question – If diagnostic data/telemetry is disabled, what specifically stops working? Does it prevent Microsoft from delivering the secure boot update altogether, or does it mainly impact reporting and insights? – answered at 17:19.
Question – What is the process to update devices that currently have Secure Boot disabled? – answered at 19:09.
Question – We have several physical Hyper-V host servers where Secure Boot is currently disabled at the Windows hypervisor level, while the guest virtual machines have Secure Boot enabled. Please confirm whether it is still necessary to update the compatible firmware on these Hyper-V host servers. – answered at 21:32.
Question – Is there (or will there be) a tool or series of PowerShell commands that can be used to assess the current status of the computer and 2023 Certificate? – answered at 22:46.
Question – Can we proceed with the firmware upgrades on the physical Hyper-V servers with OEM support before Microsoft releases the fix for event ID 1795 (write protected) on March 10th? – answered at 23:48.
Question – Are there other mitigations we can take in our environment to ensure devices that cannot get the certificate are less vulnerable? – answered at 24:38.
Question – You mentioned that as long as a device doesn’t log a specific Event ID indicating it’s blocked from receiving the Secure Boot update, the update will be delivered in the coming months. Which Event ID are you referring to, 1801? – answered at 26:12.
Question – I thought I heard someone say that Server OS shouldn't be expected to receive updates via CFR. Did I hear that correctly? If yes, can you elaborate? – answered at 27:22.
Question – When stating "Microsoft will push the new certificates through Windows Update", what does that mean specifically in the Secure Boot pipeline? You are pushing 2023 into the DB? You are signing the Boot Manager in the EFI partition with the 2023 certificate? You are pushing 2011 into the DBX? What happens when a machine is reimaged with a factory or custom image? – answered at 29:34.
Question – Will Microsoft force the revocation of the 2011 certs at some point? – answered at 35:34.
Question – What’s the best approach to use for dual-boot devices? Either 2 Windows instances or a Linux and Windows setup? – answered at 36:51.
Question – Is there a plan for Microsoft or OEMs to only ship hardware with the new 2023 certs? Assuming that when option ROMs expire it will not be possible to certify new devices after this date? I.e. if Dell releases a new laptop model in Jan 2027, will it only ship with 2023 certs? Does this mean it is not compatible with old 2011 bootloaders (operating systems)? – answered at 40:04.
Question – What is happening with consumer hardware? For example, someone’s Grandma who doesn’t know what Secure Boot is but has a 5-year-old Windows 11 laptop? – answered at 41:06.
Question – Is the presence of event ID 1808 sufficient to validate the successful Secure Boot certificate renewal or should we additionally verify the certificate expiry details? – answered at 41:39.
Question – If we don’t use Intune, what does Microsoft suggest as the most reliable method? – answered at 42:14.
Question – Can you please further document the actions to undertake when a system doesn't boot after enabling Secure Boot from the BIOS, such as specifying all the mandatory settings to implement for it to work, and possibly bringing the host back to a secure baseline which allows it to boot with the setting enabled? This aspect isn't documented properly, and/or I'm missing where to look. – answered at 44:22.
Question – For third-party antivirus, will it have any effect if the certificate doesn't update? – answered at 43:39.
Question – I'm doing tests in my lab, and I have successfully completed the Secure Boot update via RegKey, but I have noticed that the boot loader is updated with the new certificate that will expire in May 2026. Will this be updated automatically during the normal patching process? – answered at 46:08.
Question – Am I correct in assuming that the default db will only be updated by an OEM's BIOS update? In other words, Microsoft updates would only update the Active db, and never the default. Follow up question: What is the risk of not updating the default db when the active db is up to date? – answered at 48:01.
Question – Is my understanding correct? If you have a common Dell, Lenovo, or Surface device, you 'should' be fine just making sure the UEFI/BIOS is up to date, and then leaving it for Microsoft to update the certificate on the client via CFR? If you have some wacky bit of hardware, like a custom-built gaming PC or an odd meeting room system, then you might need to manually add the reg key to tag it as a known good system? – answered at 49:37.
Question – The newest ADMX/ADML template files contain settings to control the Secure Boot cert push, etc. Is this actually needed? – answered at 52:18.
Question – When will Windows 365 gallery images contain the new Secure Boot certificates? – answered at 53:39.
Question – For manually installing the Secure Boot certificate update, is updating the BIOS the only way to do it? If I’m remembering correctly, the Microsoft-provided steps mainly prepare the device to receive the update from Microsoft, but don’t actually provide a way to manually install it. Can you confirm? – answered at 54:10.