I update the servers to the point where I see the following Reg entries..

• Both Active and Default DBs show both 2023 and 2011.
• AvailableUpdates show 0x00004000
• WindowsUEFICA2023Capable registry key was set to 2
• UEFICA2023Status registry key shows “Updated”
• For Server OS I see the following:
• Server 2019/2022 I see Event ID 1808 in system log
• Server 2025 I see event 1799 in system log

Both events say that the UEFI CA 2023 was installed successfully….so does that mean the system is up to date?  

However, if we run the command below, I get the return code “00” …is that a problem???

• $pk = Get-SecureBootUEFI -Name PK
• $bytes = $pk.Bytes
• $cert = $bytes[44..($bytes.Length-1)]
• [IO.File]::WriteAllBytes("PK.der", $cert)
• certutil -dump PK.der

Follow up on earlier SCCM boot.wim questions:

Can we continue using the boot.wim with 2011 cert past June 2026?

Will that work successfully with devices that only have 2011 cert?

Will devices that have 2023 cert already require a boot.wim that has 2023 cert once June 2026 has passed?

(We have thousands of devices in storage, and need to know sooner, rather than later, if they need to get updated pre-June 2026)

I manually updated the registry on a device, set it to 22852, and forced the Scheduled Task to start, waited 30 seconds and forced a reboot, and the server (server 2019 VM in hyperv with the latest march patches) and it restarted several more times on its own before it settled down and showed updated. Not sure if several reboots are going to be required every time, of if me forcing things my running the scheduled task had this effect.

Oke so we’re pretty much trying to get it in control. So I am wondering the PK (platform key) isn’t present in our hypervisor version at this moment. What does this mean for the whole chain?

cause we have a well guided plan aligned with Microsoft their approval. But after running the workflow 0x5944 , en you go to 0x4100 and after a while you get the 0x4000. This means the flow is done. After this you have the remaining 0x280 (revocation of PCA2011 , and applying SVN). After this you are done. 

reading the march update there is this line: 

KB5079473

Secure Boot] With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.

could you tell us more about this? - my guess is that you need telmetry on to have this nice feature/support? 

Does Server 2025 automagically comply?

Both fresh install & Server 2022 update?

VMware has not yet released an updated virtual hardware/BIOS package for this issue (only manual steps). Do we need to worry about the virtual hardware/Bios update offered by VMware if we’re already seeing the “Updated”/ WindowsUEFICA2023Capable =2 results we’re getting now within the registry? We also get the result of “True” using the verification command - ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).Bytes)) -match "Windows UEFI CA 2023".  From a compliance perspective, does this mean we’re covered? For that matter, do we even need to rename the NVRAM File?

We’ve also noticed that on some of our Server 2025 systems, even when the certificates seemingly updates itself successfully, the Secure Boot scheduled task fails with a “file not found” error. Is there a way to correct this? We are not sure how to address this. It appears to be a built‑in, “solid‑state” task.

Hello, I have deployed the secure boot remediation through Intune and I see event ID 1801 that says the certificates are available but not applied and the BucketConfidenceLevel shows Need more data. Do i need to take any action on that ?

Can Secure Boot certificates be updated when Secure Boot is disabled? Microsoft’s AvailableUpdates process errors out unless Secure Boot is enabled. If a device won’t boot Windows with Secure Boot on, how can we bring it into compliance?

Looks like there have been reports online of users receiving driver updates that are requiring bitlocker keys to be entered after reboot. Is this expected behavior? If the certs were already installed via policy still get prompted from driver updates?

Is there a way to know what driver updates in Intune actually have the drivers that potentially can cause bitlocker keys to be entered? Naming conventions in Intune for drivers are a bit difficult to decipher.

What happens in June when the current Secure Boot certificates expire? Will devices with Secure Boot still boot if their EFI partition is signed with the 2011 certificate? If so, how long past June will they continue to boot, and will they eventually stop?