Event details
It's time for our third Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot playbook, but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
How do I participate?
Registration is not required. Simply select Add to calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or at any time during the live broadcast.
Get started with these helpful resources
274 Comments
- InterstellarOverdrive
Copper Contributor
I noticed that some of my clients (around 5% so far) updated only two of three Secure Boot Certificates.
Intune Remediation script shows the following output: Microsoft UEFI CA 2023 = False, Microsoft Corporation UEFI CA 2011 = True. Two other certificates are showing the "2023" data string.
Is it expected that not all the certificates are updated at the same time?
- Pearl-Angeles
Community Manager
For reference, this question was answered at 35:24 during the live AMA.
- InterstellarOverdrive
Copper Contributor
Thanks for the answer. The script returns the following output for the other two certificates:
Windows UEFI CA 2023 = True
Microsoft Corporation KEK 2K CA 2023 = True
- DRWalden
Occasional Reader
Is there any update on KB5077181 being updated to address the boot loop issue?
- SebastianKIT
Occasional Reader
My current status regarding dbx is that the old certificates must be moved there so that the SecureBoot certificate update can be completed successfully (managed IT environment with Windows 11 Enterprise licenses). Will there also be instructions or a PowerShell script that performs or explains this process?
Thank you for your time.
- Jason_Sandys
Microsoft
Hi SebastianKIT​,
DBX is for explicit revocations in case of compromise or similar. That is not the case here and is part of this process. Adding the old certs to DBX would cause all current boot-critical components to become untrusted, making the system unbootable. We would need to update every boot-critical component to re-sign it on all in-market OS versions, which would be an even greater logistical nightmare and would add no true value. Ultimately, both sets of certs will remain trusted, and there isn't an explicit reason to ever change this (unless a cert is compromised, as noted).
- Bryant_Kintner
Copper Contributor
Will Microsoft release an OS upgrade that requires the EFI partition to be signed with the 2023 certificate? If so, is this expected in Windows 11 26H2, and has Microsoft announced anything about this? We want to avoid upgrading devices if it will re-sign the EFI partition before the new certificates are installed.
- Pearl-Angeles
Community Manager
Your question was answered at 38:23 during the live AMA.
- BrianSmith42
Copper Contributor
We've successfully updated some of our devices with the 2023 cert, and tested how PXE boot in SCCM would work. PXE boot worked fine when both 2011 and 2023 certs were enabled, which makes sense, and after revoking the 2011 cert, did not work, since the boot.wim doesn't contain the 2023 cert. A couple of questions:
Will the boot.wim naturally get the 2023 cert, if we keep SCCM/Windows SDK up-to-date?
Once we pass June 2026, will devices that didn't successfully get the 2023 cert yet still be able to PXE boot?
Will the 2011/2023 cert be able to live side-by-side in the boot.wim?
- Pearl-Angeles
Community Manager
Thanks for participating in today's AMA! Your questions were covered at 18:25.
- Bryant_Kintner
Copper Contributor
How important is it that the system already boots trusting the 2023 cert instead of the 2011 cert? Is it okay for the system to continue booting using the 2011 cert as long as the 2023 KEK and DB certificates install?
- Pearl-Angeles
Community Manager
Your question was answered at 26:48 during the live AMA.
- SujanPrabhu
Occasional Reader
How can we get a compliance report if we do not use Autopatch?
- Pearl-Angeles
Community Manager
In addition to Ashis's response below, your question was also answered during the live AMA at 23:35.
- Ashis_Chatterjee
Microsoft
Autopatch is one of the ways, and it is not a requirement. You can inventory the devices in your environment using the sample PowerShell script in:
aka.ms/getsecureboot -> IT Managed section (on the left nav)
Sample Secure Boot Inventory Data Collection script
Copy and paste this sample script and modify as needed for your environment: The Sample Secure Boot Inventory Data Collection script.
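The inventory question above, and the earlier remediation-script output showing the four CA names, both come down to reading the firmware db and KEK variables and checking which Microsoft CAs are present. The following is an added example written for this page, not Microsoft's sample script from aka.ms/getsecureboot and not the Intune remediation script quoted above. It uses only the built-in Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets; the function name Get-SecureBootCaInventory is this example's own, and the two 2011-era names not quoted in the thread (Microsoft Windows Production PCA 2011 and Microsoft Corporation KEK CA 2011) are the standard subject strings for the outgoing Windows boot-manager CA and KEK CA. It must be run from an elevated prompt on a UEFI system.

```powershell
# Added example (not Microsoft's sample script): report which Secure Boot
# CAs are present in the local db and KEK variables, so the result can be
# collected across an estate and compared against the June 2026 deadline.
function Get-SecureBootCaInventory {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI systems;
    # report that as "not enabled" rather than failing the whole run.
    $secureBootOn = $false
    try { $secureBootOn = [bool](Confirm-SecureBootUEFI) } catch { $secureBootOn = $false }

    # Read the raw variable contents. Certificate subject names inside the
    # DER-encoded certs are plain ASCII, so a substring match on the decoded
    # bytes is a reliable presence check without parsing the EFI_SIGNATURE_LIST.
    $dbText  = ''
    $kekText = ''
    try {
        $dbText  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $kekText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    } catch {
        Write-Warning "Could not read Secure Boot variables: $($_.Exception.Message)"
    }

    # The four names below are the ones the thread's remediation output reports;
    # the two 2011 names are the outgoing Windows boot-manager CA and KEK CA.
    $dbCas = @(
        'Microsoft Windows Production PCA 2011',   # signs the 2011-era boot manager
        'Windows UEFI CA 2023',                    # replaces the Production PCA 2011
        'Microsoft Corporation UEFI CA 2011',      # third-party (option ROM, shim) CA
        'Microsoft UEFI CA 2023'                   # replaces the 2011 third-party CA
    )
    $kekCas = @(
        'Microsoft Corporation KEK CA 2011',
        'Microsoft Corporation KEK 2K CA 2023'
    )

    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $secureBootOn
    }
    foreach ($name in $dbCas)  { $result["db: $name"]  = $dbText.Contains($name) }
    foreach ($name in $kekCas) { $result["KEK: $name"] = $kekText.Contains($name) }

    # "Updated" here means all three 2023 entries the thread discusses are
    # present; the 2011 entries are expected to remain, as Jason notes above.
    $result['All2023Present'] = $dbText.Contains('Windows UEFI CA 2023') -and
                                $dbText.Contains('Microsoft UEFI CA 2023') -and
                                $kekText.Contains('Microsoft Corporation KEK 2K CA 2023')

    [PSCustomObject]$result
}

# Usage: run locally for a quick look, or export per device for central
# collection (the CSV path is a placeholder, not a Microsoft convention).
Get-SecureBootCaInventory | Format-List
# Get-SecureBootCaInventory | Export-Csv -NoTypeInformation -Path "C:\Temp\$env:COMPUTERNAME-secureboot.csv"
```

A device that reports the same pattern as the earlier post (Microsoft UEFI CA 2023 = False while the other 2023 entries are True) will show All2023Present as False; keeping the per-CA columns separate makes it possible to see which specific update step is still outstanding rather than just a pass/fail.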
- Giggsie
Occasional Reader
For Devices Managed in SCCM. Will these be addressed through the Cumulative updates? Or is there other intervention we should be working towards?
- DJ8014A
Copper Contributor
Deleted.
- KENNEDY3K
Occasional Reader
If not updated, it will not get security updates, meaning what? Is this related to Secure Boot updates, or to OS-level security patches/updates?
- mihi
Brass Contributor
All updates that change the boot manager will no longer get applied. Usually these are Secure Boot-related security updates, but possibly also bug fixes for exotic boot scenarios.
Normal kernel-level and user-level security vulnerabilities will continue to be fixed.