Event details
It's time for our third Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
How do I participate?
Registration is not required. Simply select Add to calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
Get started with these helpful resources
274 Comments
- stephenyoung22
Occasional Reader
If an organisation didn't meet the deadline or, for example, had some devices that didn't power up for a while, what is actually going to happen? It seems a very confusing scenario. I am also seeing ADKs and other ISOs still provided by Microsoft that have not been updated. Rufus is pretty keen to tell you that it's not going to keep working.
- mihi
Brass Contributor
Systems will still boot and apply the updates when they get powered up next time.
Also, there are no plans (outside of corporate environments that decide themselves to do so) to revoke old 2011 signed bootloaders soon, so your Rufus stick will still work except on those environments, or if you purchase a brand-new device that does not come with 2011 certificates any longer.
- Jacob3
Occasional Reader
What happens if I deploy the updated certificates to a device that does not meet the minimum firmware version?
- Ashis_Chatterjee
Microsoft
If the minimum firmware version is not met, quite likely it is old firmware that is not being updated by OEM/ODM and has the old Secure Boot UEFI variable defaults. In this case, if you Toggle Secure Boot ON->OFF->ON, the older 2011 defaults from Firmware will overwrite and the Secure Boot Certificates in OS will need to be re-applied. If you do not Toggle Secure Boot OFF, which is not recommended, and you updated the Certificates, all is good, and you will continue to be secure.
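
Added example, not part of the thread and not Microsoft's code: a PowerShell check for the scenario in the reply above, comparing the active Secure Boot variables with the firmware defaults to see whether a reset to defaults would drop the 2023 certificates. The certificate names and the `Get-SecureBootUEFI` variable names are supplied here rather than taken from the thread; run it elevated on a UEFI device.

```powershell
# Added example: does this device's firmware default set already carry the
# 2023 certificates, or only the active (OS-updated) variables?
# Certificate names below are assumptions supplied for this example.
$targets = @(
    @{ Active = 'db';  Default = 'dbDefault';  Cert = 'Windows UEFI CA 2023' },
    @{ Active = 'KEK'; Default = 'KEKDefault'; Cert = 'Microsoft Corporation KEK 2K CA 2023' }
)

function Test-CertInVariable {
    param([string]$Name, [string]$Cert)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    } catch {
        return $null   # unknown: variable undefined, legacy BIOS, or not elevated
    }
    if (-not $bytes) { return $false }
    # Plain byte search for the certificate name inside the signature list.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text.Contains($Cert)
}

$report = foreach ($t in $targets) {
    $active  = Test-CertInVariable -Name $t.Active  -Cert $t.Cert
    $default = Test-CertInVariable -Name $t.Default -Cert $t.Cert
    [pscustomobject]@{
        Certificate       = $t.Cert
        InActive          = $active
        InFirmwareDefault = $default
        # True only when both reads succeeded and the default set lacks the cert:
        # a reset to firmware defaults would require re-applying the update.
        LostOnReset       = ($active -eq $true -and $default -eq $false)
    }
}

$report | Format-Table -AutoSize
```

A blank `InActive` or `InFirmwareDefault` cell means the variable could not be read, so treat that row as unknown rather than as a pass.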
- a82739482785
Occasional Reader
Can you clarify how this impacts customers on Microsoft Azure? How are gen1, gen2, and gen2 with trusted launch VMs affected and what remediation actions need to be taken (if any) for each VM type?
- Ashis_Chatterjee
Microsoft
Gen1 are not impacted. Gen2 with Trusted Launch are impacted.
- KENNEDY3K
Occasional Reader
Any operational impact if Secure Boot is not enabled and CA/KEY 2023 is not updated, like applying monthly security patches?
- dcdeal
Occasional Reader
If I ignore this and do nothing, will devices with (or without) secure boot enabled continue to boot?
- Pearl-Angeles
Community Manager
In addition to Prabhakar's response, the panelists covered your question during the live AMA at 10:38.
- Prabhakar_MSFT
Microsoft
Hello dcdeal, devices will continue to boot after certificate expiry. After certificates have expired, devices can no longer apply security updates to Boot manager and Secure Boot. Refer to "When Secure Boot certificates expire on Windows devices - Microsoft Support" for details regarding the impact of expired Secure Boot certificates.
- InterstellarOverdrive
Copper Contributor
What is the timeline of assisted Controlled Feature Update? Are you planning to roll out the Secure Boot Cert. Update to 100% of devices before June 2026? Or should we already prepare the alternative ways to update the devices (registry, GPO or Intune policy)?
- Pearl-Angeles
Community Manager
Your question was answered during the live AMA at 12:05.
- jonathan25
Copper Contributor
Any guidance on older Lenovo ThinkStation devices? Specifically P330 Tiny and P350 Tiny. We've updated to the latest BIOS, but they all throw an Access Denied error when attempting to update the KEK. We've discovered that suspending BitLocker, manually entering BIOS, and loading factory default Secure Boot keys resolves the issue, but we don't have the resources to physically put hands on all these devices. Are there more updates in the works that will allow these ThinkStations to update the KEK without manual user intervention?
- Cliff_Hughes
Copper Contributor
Seeing some devices running on Hyper-V with the March 2026 updates applied: some Server 2019 servers show updated, but capable = 0; other Server 2019 servers, same build, same patch level, show updated and capable = 2. Is this expected behavior that this status is different between these two VMs?
- Pearl-Angeles
Community Manager
Thanks for your question! Panelists covered this topic at 14:29.
- Jacob3
Occasional Reader
What would be the impact of blanketly applying this policy setting? Enable Secureboot Certificate Updates:
(Enabled) Initiates the deployment of new secure boot certificates and related updates.
- Pearl-Angeles
Community Manager
Your question was answered during the live AMA at 16:02.