Event details
Windows Server uses a different rollout model than Windows client because the telemetry signals that enable safe, phased deployment on Home and Pro SKUs do not meaningfully exist or apply in server environments. Windows Server systems commonly have limited or disabled telemetry, and client‑SKU telemetry cannot be used as a proxy to assess risk or readiness for server platforms. As a result, Secure Boot CA and KEK updates for Windows Server are not rolled out through Controlled Feature Rollout or confidence‑based phasing. Instead, Microsoft delivers the required update components through cumulative updates, and administrators explicitly initiate certificate updates on servers that need them, aligned with their own validation and maintenance processes.
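As an added illustration of the administrator-initiated model described in that reply (example code written for this page, not from the AMA, the replying engineer or Microsoft): a PowerShell snippet that reads the server's current db and KEK contents to show whether the 2023 CAs are already present, lists the TPM-WMI servicing events, and, only when explicitly asked, sets the registry trigger and starts the servicing task. Assumptions, to verify against the current KB5025885 guidance before use: `Get-SecureBootUEFI`/`Confirm-SecureBootUEFI` from the built-in SecureBoot module, the `AvailableUpdates` value `0x5944` and the `\Microsoft\Windows\PI\Secure-Boot-Update` task as Microsoft publishes them for the 2023 CA/KEK rollout, event IDs 1801 (update needed) and 1808 (db updated) from provider Microsoft-Windows-TPM-WMI, and the `UEFICA2023Status` value under `SecureBoot\Servicing`. The subject strings are searched as ASCII inside the DER-encoded certificates, which is how Microsoft's own check works.

```powershell
# Added example (not the page's or Microsoft's code). Run elevated on the server.
# Assumed facts, labelled above: registry trigger 0x5944, task name, event IDs.

function Get-SecureBootCaState {
    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not enabled on this system.' }
    # db/KEK are EFI_SIGNATURE_LISTs; the CA subject names appear as plain ASCII inside the DER certs.
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name kek).Bytes)
    [pscustomobject]@{
        Db_WindowsUefiCa2023       = $db  -match 'Windows UEFI CA 2023'
        Db_MicrosoftUefiCa2023     = $db  -match 'Microsoft UEFI CA 2023'
        Db_OptionRomUefiCa2023     = $db  -match 'Microsoft Option ROM UEFI CA 2023'
        Db_WindowsProductionPca2011= $db  -match 'Windows Production PCA 2011'
        Kek_2023                   = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        Kek_2011                   = $kek -match 'Microsoft Corporation KEK CA 2011'
        # Assumed status value written by the servicing task on recent builds; absent on older ones.
        ServicingStatus            = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
                                        -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status
    }
}

function Get-SecureBootUpdateEvents {
    # 1801 = CAs need updating, 1808 = db/dbx updated successfully (assumed IDs, see lead-in).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801, 1808 } `
                 -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -split "`n" | Select-Object -First 1 } }
}

function Start-SecureBootCaUpdate {
    # Dry run unless -Apply is given, because the task rewrites firmware variables and needs reboots.
    param([switch]$Apply)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    if (-not $Apply) {
        Write-Host "Dry run: would set $key\AvailableUpdates = 0x5944 and start \Microsoft\Windows\PI\Secure-Boot-Update."
        return
    }
    Set-ItemProperty -Path $key -Name AvailableUpdates -Type DWord -Value 0x5944
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update'
}

# Usage: inspect first, then apply deliberately during a maintenance window.
Get-SecureBootCaState
Get-SecureBootUpdateEvents
Start-SecureBootCaUpdate            # dry run
# Start-SecureBootCaUpdate -Apply   # real trigger; re-run Get-SecureBootCaState after the next reboots
```

The split between "read" and "apply" mirrors what the reply says about servers: nothing happens until an administrator sets the trigger, so the state query can run in inventory scripts safely, and the apply step can be gated on the organisation's own change process. Expect several reboots before all of db, KEK and the boot manager show as updated.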
Thanks for the response.
Arden_White, towards the end of today's AMA you mentioned that MSFT is hoping to release in the near future a bootable utility to update systems. I have two questions:
- Will this work on server platforms for updating the KEK/DB/DBX?
- How will customers be able to subscribe to new releases/updates of this utility (as presumably the update binaries get updated over time)?
mihi (Brass Contributor), Mar 13, 2026
The bootable tool has already been released and is likely living on your hard disk in C:\Windows\Boot\EFI\securebootrecovery.efi
Microsoft is about to release updated documentation for this tool, probably also PowerShell scripts to install it to a USB key.
If you know how UEFI booting works and how to build a device bootable by UEFI by hand, you can put it on a USB key manually and it works as advertised (yes, I tested it).
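For readers who do not want to build the stick by hand, here is an added example (written for this page; not mihi's procedure, not Microsoft's forthcoming script) that stages `securebootrecovery.efi` at the UEFI removable-media fallback path `\EFI\BOOT\BOOTX64.EFI` on a FAT32 USB key. Assumptions: x64 firmware (the fallback file name is architecture specific), an elevated shell on a Windows build that ships the file and the Storage module, and that the disk number you pass really is the USB stick you are willing to erase. One caveat that is mine, not the reply's: the firmware verifies the image through Secure Boot like any other loader, so it only runs if the signing chain is in the machine's db, which the script checks only on the Windows side.

```powershell
# Added example (not the page's, mihi's or Microsoft's code). Destructive: wipes the chosen disk.
function Initialize-SecureBootRecoveryUsb {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][int]$DiskNumber,
        # Path mihi quotes in the reply above; other locations are not assumed.
        [string]$SourcePath = "$env:SystemRoot\Boot\EFI\securebootrecovery.efi"
    )
    if (-not (Test-Path $SourcePath)) { throw "Not found: $SourcePath" }

    # Show who signed the image; the firmware only runs it if this chain is trusted by db.
    $sig = Get-AuthenticodeSignature -FilePath $SourcePath
    Write-Verbose ("Signer: {0}; status {1}" -f $sig.SignerCertificate.Subject, $sig.Status)
    if ($sig.Status -ne 'Valid') { throw "Refusing to stage an image whose signature status is $($sig.Status)." }

    # Guard rails before wiping anything: must be USB and small enough for FAT32.
    $disk = Get-Disk -Number $DiskNumber
    if ($disk.BusType -ne 'USB') { throw "Disk $DiskNumber is on bus $($disk.BusType), not USB; refusing to wipe it." }
    if ($disk.Size -gt 32GB)      { throw 'Format-Volume cannot create FAT32 volumes over 32 GB; use a smaller stick.' }
    if (-not $PSCmdlet.ShouldProcess("disk $DiskNumber ($($disk.FriendlyName))", 'erase and reformat as FAT32')) { return }

    Clear-Disk -Number $DiskNumber -RemoveData -RemoveOEM -Confirm:$false
    Initialize-Disk -Number $DiskNumber -PartitionStyle MBR
    $part = New-Partition -DiskNumber $DiskNumber -UseMaximumSize -AssignDriveLetter -IsActive
    $vol  = Format-Volume -Partition $part -FileSystem FAT32 -NewFileSystemLabel 'SBRECOVERY' -Confirm:$false

    # UEFI removable-media boot path; keep the original file name alongside for clarity.
    $bootDir = "$($vol.DriveLetter):\EFI\BOOT"
    New-Item -ItemType Directory -Path $bootDir -Force | Out-Null
    Copy-Item -Path $SourcePath -Destination (Join-Path $bootDir 'BOOTX64.EFI')
    Copy-Item -Path $SourcePath -Destination (Join-Path $bootDir 'securebootrecovery.efi')

    # Return hashes so the staged copy can be compared with the source before the stick leaves your hands.
    Get-FileHash -Algorithm SHA256 -Path $SourcePath, (Join-Path $bootDir 'BOOTX64.EFI')
}

# Usage: find the stick with Get-Disk, then e.g.
#   Initialize-SecureBootRecoveryUsb -DiskNumber 2 -Verbose
# ConfirmImpact=High means PowerShell asks before the wipe unless -Confirm:$false is passed.
```

Because the function refuses non-USB disks, invalid signatures and oversized sticks, the main remaining risk is passing the wrong USB disk number, which is why the confirmation prompt is left on by default. Once built, the key is booted through the firmware boot menu with Secure Boot still enabled; if the firmware rejects it, the signing CA is not in db, and the in-band update path from the Microsoft reply earlier in the thread is the way to get it there.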