Arden_White mihi - I have a more general question as well. If machines are not able to update to the new certificates at all, how will this affect the installation of future Windows feature updates?
On all of my machines (both the Dell machines that seem to be able to get the partial 2023 cert updates and the HP z840 that seem to not be able to get anything related to the 2023 certs), I've been able to upgrade to the latest feature updates using the AllowUpgradesWithUnsupportedTPMOrCPU registry hack. Is there any reason to believe, based on current knowledge, that future feature upgrades might be blocked on these machines as a result of the 2011 cert expiration?
- Eric_Bl, Mar 24, 2026, Copper Contributor
I had exactly the same thought. Current answers below are not completely clear on the long term.
Scott and Richard added some contributions in a related question in the video:
https://www.youtube.com/live/ixq4RP33Am4?si=ccMm0X82PHChs40J&t=2303
From my understanding, it seems quite likely that a future Windows 12 or whatever is coming next will REQUIRE Secure Boot with the Boot Manager signed with the 2023 certs only.
This would mean some older machines that were NOT able to update the certs will NOT be able to install such a future version of Windows.
Is that correct? It could be seen as another way for Microsoft to get rid of older machines.
But for simple people just OK with their current old machines and not willing to buy anything newer, e.g. for environmental concerns, it means the end of a supported version of Windows on their machine. Sure, it will happen sometime, sooner or later.
But Microsoft could help those people to stay on their older machines if they could sell them more years of ESU (after Oct '26, ESU is said to be for business only, NOT for consumers) or, even better, make the LTSC editions of Windows 11 (such as 24H2) officially available for those people!
- Arden_White, Mar 24, 2026, Microsoft
A few clarifications that may help.
The goal here is to keep all supported devices updated with the newer Secure Boot certificates so they can continue to receive boot‑level security updates over time. In most cases this happens automatically. The determining factor is firmware capability, not device age. Older devices, including devices that are no longer in OEM support, can successfully update the certificates as long as their firmware implementation is able to accept them. The main limitation arises when a device’s firmware has an implementation issue that prevents the certificates from being updated, and there is no firmware update available to address it.
If a device can’t install the 2023 Secure Boot certificates, that does not by itself block current Windows feature updates. Those systems will continue to boot and can continue to receive standard Windows updates. What they won’t receive going forward are new boot‑chain security updates, such as Boot Manager updates or dbx revocations, once the 2011 certificates expire.
For future, unreleased versions of Windows, Microsoft hasn’t published specific requirements. That said, devices that can’t update their Secure Boot trust should expect increasing security and compatibility limitations over time as newer operating systems, firmware, and Secure Boot‑dependent protections assume an updated trust foundation.
This work isn’t about forcing device turnover. It’s about making sure systems that are capable of doing so can continue to receive critical boot‑level security updates and stay protected as the threat landscape evolves.
Arden – Microsoft
- Eric_Bl, Mar 25, 2026, Copper Contributor
Arden_White wrote:
The determining factor is firmware capability, not device age. The main limitation arises when a device’s firmware has an implementation issue that prevents the certificates from being updated, and there is no firmware update available to address it.
Back on the technical side: is there any plan in the update process to better take care of those cases with an "implementation issue that prevents the certificates from being updated"?
As I wrote already 2 months ago in this previous comment, some machines are exactly there, and are just completely freezing when running the task
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
You already answered there (thanks!), the consequences are understood.
Today's question is just: is there any way to prevent the machine from freezing while running the task?
I just tried again the "Device testing using registry keys" from https://support.microsoft.com/en-us/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d but was just surprised to see the current value of Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates to be 0x5946 (while only 0x5944 is documented).
What does the 5946 mean?
Anyway, either with value 5946 or 5944, my system still hangs / freezes on the task above.
So I leave the scheduled task disabled.
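For a machine like the one described above, where starting Secure-Boot-Update hangs the system, the useful thing is a read-only view of where the certificate rollout stands: the AvailableUpdates value quoted in the thread, whether Secure Boot is actually enforcing, whether the 2023 CAs have already landed in the UEFI db and KEK variables, and the last result of the scheduled task, all without starting the task. The script below is an added example written for this reply, not code from the thread or from Microsoft. It assumes the registry path and task name exactly as quoted in the thread; the three CA subject strings it searches for ("Windows UEFI CA 2023", "Microsoft UEFI CA 2023", "Microsoft Corporation KEK 2K CA 2023") are my assumption of the certificate names, since the thread only says "2023 certs", and it does not try to decode the individual bits of 0x5944/0x5946 because the thread does not document them.

```powershell
# Added example (not from the thread): read-only status check for the
# Secure Boot 2023 certificate rollout. Nothing here writes to the registry,
# to UEFI variables, or starts the Secure-Boot-Update task.
# Assumed: registry path and task name as quoted in the thread; the 2023 CA
# subject strings below are assumed certificate names, not taken from the thread.
#Requires -RunAsAdministrator

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'

# 1. Current AvailableUpdates bitmask (the thread reports 0x5944 and 0x5946).
$avail = (Get-ItemProperty -Path $regPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
if ($null -eq $avail) { Write-Output 'AvailableUpdates: not set' }
else { Write-Output ('AvailableUpdates: 0x{0:X4}' -f $avail) }

# 2. Is Secure Boot actually enforcing? Confirm-SecureBootUEFI throws on
#    legacy/CSM systems, which we report as "not enabled".
try { $sbEnabled = Confirm-SecureBootUEFI } catch { $sbEnabled = $false }
Write-Output "Secure Boot enabled: $sbEnabled"

# 3. Look for the 2023 CA certificates inside the signed UEFI variables.
#    The DER-encoded certificates carry their subject name as plain ASCII,
#    so a substring search over the raw variable bytes gives a yes/no answer
#    without parsing the EFI_SIGNATURE_LIST structure.
function Test-UefiVarContains {
    param([string]$Name, [string]$Pattern)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
        return ([System.Text.Encoding]::ASCII.GetString($bytes) -like "*$Pattern*")
    } catch {
        return $false   # variable unreadable (e.g. Secure Boot not supported)
    }
}

$checks = @(
    @{ Var = 'db';  Pattern = 'Windows UEFI CA 2023' }              # assumed CA name
    @{ Var = 'db';  Pattern = 'Microsoft UEFI CA 2023' }            # assumed CA name
    @{ Var = 'KEK'; Pattern = 'Microsoft Corporation KEK 2K CA 2023' } # assumed CA name
)
foreach ($c in $checks) {
    $present = Test-UefiVarContains -Name $c.Var -Pattern $c.Pattern
    Write-Output ('{0,-3} contains "{1}": {2}' -f $c.Var, $c.Pattern, $present)
}

# 4. State and last result of the scheduled task the thread mentions.
#    Get-ScheduledTask only reads the task definition; it does not start it.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
if ($task) {
    $info = $task | Get-ScheduledTaskInfo
    Write-Output ('Task state: {0}; last run: {1}; last result: 0x{2:X}' -f $task.State, $info.LastRunTime, $info.LastTaskResult)
} else {
    Write-Output 'Secure-Boot-Update task not found'
}
```

Run it from an elevated PowerShell session before and after any firmware update from the OEM: if the db and KEK checks already report True, the rollout has reached the firmware and the task has nothing left to do, which is worth knowing before deciding to leave it disabled; if they stay False and the task keeps freezing the machine, the output (the AvailableUpdates value, Secure Boot state and last task result) is the information a support thread like this one needs.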
- mihi, Mar 17, 2026, Brass Contributor
I'd say it is likely that some of these unsupported upgrade scenarios will prevent you from installing a future Windows update, but I believe it is unlikely that this will happen based on whether your Secure Boot certificates are current or not.