Event details
Currently there's only a GPO (ADMX) to do the update of the certificates. Are you also working on a GPO (ADMX) for the "revocation" (dbx) of the 2011 certificates?
Hi ClientAdmin,
Not at this time, no, as we have no plans on adding these certs to DBX since they are needed to validate existing boot-critical components signed by these certs. Adding these certs to DBX now would completely break Windows unless we intended to update and re-sign all boot-critical components with the new certs, but we have no plans on doing this since there is no value in doing this.
- Jason_Sandys, Mar 13, 2026
Microsoft
Quick follow-up caveat here: revoking the PCA cert (by adding it to DBX) is something we are recommending in the long run. This is the cert used to sign the boot loader (and only the boot loader), as there is an attack vector here that was exploited in some past attack(s). To be clear, this is only for the PCA cert and does not materially change my answer above.