I must have a thousand questions. I'm making one comment per question as that seems reasonable. Posted in no particular order. As of 2026-02-25 I have 22 questions.
I typed up all these questions not knowing there was a February AMA. I'll have to watch that later to see if any of my questions are answered there.
---
Microsoft has said in many places that they're rolling out the updates to Home and Pro systems but this doesn't explain how Windows Server systems will get these updates rolled out. Due to hardware differences between (most) uses of Windows client and (most) uses of Windows server, Windows client SKU CA/KEK update telemetry won't help inform Windows server SKU CA/KEK updates. What's the phasing plan for WS?
---
Edit: MS kinda covered this question in the February AMA at timestamp 27:22, YouTube ID EscGJTKHPdw.
Windows Server uses a different rollout model than Windows client because the telemetry signals that enable safe, phased deployment on Home and Pro SKUs do not meaningfully exist or apply in server environments. Windows Server systems commonly have limited or disabled telemetry, and client‑SKU telemetry cannot be used as a proxy to assess risk or readiness for server platforms. As a result, Secure Boot CA and KEK updates for Windows Server are not rolled out through Controlled Feature Rollout or confidence‑based phasing. Instead, Microsoft delivers the required update components through cumulative updates, and administrators explicitly initiate certificate updates on servers that need them, aligned with their own validation and maintenance processes.
- JamesEpp, Mar 12, 2026, Iron Contributor
Thanks for the response.
Arden_White towards the end of today's AMA you mentioned that MSFT is hoping to release in the near future a bootable utility to update systems. I have two questions:
- Will this work on server platforms for updating the KEK/DB/DBX?
- How will customers be able to subscribe to new releases/updates of this utility (as presumably the update binaries get updated over time)?
- mihi, Mar 13, 2026, Brass Contributor
The bootable tool has already been released and is likely living on your hard disk in C:\Windows\Boot\EFI\securebootrecovery.efi
Microsoft is about to release updated documentation for this tool, probably also PowerShell scripts to install it to a USB key.
If you know how UEFI booting works and how to build a device bootable by UEFI by hand, you can put it on a USB key manually and it works as advertised (yes, I tested it).