Event details
If we're doing bare-metal OS deployment using ConfigMgr or other solutions, what needs to be done so newly imaged workstations immediately contain the new Secure Boot certificates? I'm using the Windows 11 25H2 Enterprise image from the Microsoft VLSC, updated with the 2026-02 updates (KB5077181) and no other modifications. I'm imaging a Dell system running the latest BIOS version. After imaging, I still get event ID 1801 indicating "Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware."
The certs are updated the same way: you can either force it with the registry, a GPO, or a scripted solution from Intune, ConfigMgr, etc., and reboot the computer. The certs need to be installed into the TPM/firmware, not in the OS. See the guide here for more info: Secure Boot playbook for certificates expiring in 2026.
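The scripted route mentioned in the answer, as an added example (not code from the thread or from Microsoft): a PowerShell script that first audits whether the 2023 CAs are already present in the firmware db and whether event 1801 is still being logged, and, with the `-Apply` switch, writes the same `AvailableUpdates` registry value that the GPO and Intune policies set and starts the Secure Boot servicing task. The registry path, the `0x5944` "apply all updates" bitmask, the `UEFICA2023Status` value and the `\Microsoft\Windows\PI\Secure-Boot-Update` task are taken from Microsoft's published Secure Boot update guidance rather than from this page; the function names and the `-Apply` switch are this example's own. The db write itself happens at reboot, which is why the answer says to reboot after setting the value.

```powershell
# Added example: audit, and optionally trigger, the Secure Boot 2023 CA update
# on a freshly imaged Windows 11 device. Intended for a "Run PowerShell Script"
# task-sequence step followed by a "Restart Computer" step.
# Registry path, 0x5944 bitmask, UEFICA2023Status and the scheduled-task name
# come from Microsoft's Secure Boot update guidance (assumed, not from the thread);
# function names and the -Apply switch are this example's own.
#Requires -RunAsAdministrator
param([switch]$Apply)

$SecureBootKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$ApplyAllUpdates = 0x5944   # "apply all available updates" bitmask per Microsoft guidance

function Get-SecureBoot2023State {
    # Returns one object describing firmware db contents and the OS-side status.
    try { $sbEnabled = Confirm-SecureBootUEFI } catch { $sbEnabled = $false }  # throws on legacy BIOS

    $dbText = ''
    if ($sbEnabled) {
        # The db variable is raw EFI_SIGNATURE_LIST data; the CA subject names
        # appear as ASCII inside the DER certificates, so a text match suffices.
        $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    }

    $reg = Get-ItemProperty -Path $SecureBootKey -ErrorAction SilentlyContinue

    # Event 1801 ("updates available but not yet applied to firmware") in the System log.
    $pending = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1801 } -MaxEvents 1 -ErrorAction SilentlyContinue |
               Where-Object { $_.Message -like '*Secure Boot*' }

    [pscustomobject]@{
        SecureBootEnabled   = $sbEnabled
        WindowsUefiCa2023   = $dbText -match 'Windows UEFI CA 2023'
        MicrosoftUefiCa2023 = $dbText -match 'Microsoft UEFI CA 2023'
        UefiCa2023Status    = $reg.UEFICA2023Status      # e.g. 'Not Started', 'In Progress', 'Updated'
        AvailableUpdates    = $reg.AvailableUpdates
        Event1801Logged     = [bool]$pending
    }
}

function Request-SecureBootCertUpdate {
    # Stages the update exactly as the GPO/Intune setting does: set the bitmask,
    # then run the servicing task. The firmware db is written on the next boot.
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is not enabled in firmware; enable it before applying the certificate update.'
    }
    New-Item -Path $SecureBootKey -Force | Out-Null
    Set-ItemProperty -Path $SecureBootKey -Name 'AvailableUpdates' -Value $ApplyAllUpdates -Type DWord
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update'
}

$state = Get-SecureBoot2023State
$state | Format-List

if ($state.WindowsUefiCa2023 -and $state.UefiCa2023Status -eq 'Updated') {
    Write-Output 'Secure Boot 2023 certificates already applied; nothing to do.'
    exit 0
}

if ($Apply) {
    Request-SecureBootCertUpdate
    Write-Output 'Update staged. Reboot the device; re-run this script afterwards to confirm event 1801 is no longer logged.'
    # Exit code 3010 tells ConfigMgr/Intune that a reboot is required.
    exit 3010
}
else {
    Write-Output 'Certificates not yet applied. Re-run with -Apply to stage the update (or deploy the equivalent GPO/Intune policy).'
    exit 1
}
```

In a task sequence, run the script with `-Apply` immediately after the Apply Operating System / Setup Windows steps and before the first user logs on, then reboot; on some firmware a second reboot is needed before `UEFICA2023Status` reads `Updated` and event 1801 stops appearing. Because the audit part is read-only, the same script without `-Apply` doubles as a compliance check for devices already in the estate.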