Event details
My current status regarding dbx is that the old certificates must be moved there so that the SecureBoot certificate update can be completed successfully (managed IT environment with Windows 11 Enterprise licenses). Will there also be instructions or a PowerShell script that performs or explains this process?
Thank you for your time.
- Jason_Sandys, Mar 12, 2026
Microsoft
Hi SebastianKIT,
DBX is for explicit revocations in case of compromise or similar. That is not the case here and is part of this process. Adding the old certs to DBX would cause all current boot-critical components to become untrusted, making the system unbootable. We would need to update every boot-critical component to re-sign it on all in-market OS versions, which would be an even greater logistic nightmare and would not add true value. Ultimately, both sets of certs will remain trusted, and there isn't an explicit reason to ever change this (unless a cert is compromised, as noted).