Event details
It's time for our third Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot playb...
Pearl-Angeles
Updated Mar 11, 2026
SCCM_Terror
Mar 12, 2026, Copper Contributor
I noticed that some of my clients (around 5% so far) updated only two of three Secure Boot Certificates.
Intune Remediation script shows the following output: Microsoft UEFI CA 2023 = False, Microsoft Corporation UEFI CA 2011 = True.
The two other certificates are showing the "2023" data string.
Is it expected that not all the certificates are updated at the same time?
- Pearl-Angeles, Mar 12, 2026
Community Manager
For reference, this question was answered at 35:24 during the live AMA.
- SCCM_Terror, Mar 12, 2026, Copper Contributor
Thanks for the answer. The script returns the following output for the other two certificates:
Windows UEFI CA 2023 = True, Microsoft Corporation KEK 2K CA 2023 = True