Event details
It's time for our third Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
How do I participate?
Registration is not required. Simply select Add to calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
219 Comments
- Arden_White (Microsoft)
Yeah, it looks like it was able to update the DB with the certificates. I also would expect that the 2023 signed boot manager will update if it hasn't already. The KEK is what you don't get in this case - probably due to the age. The device will continue to run and get updates. What you won't get is the updates to the Secure Boot DBX when there are security issues in things like boot loaders and other firmware modules.
Kudos to you for keeping it running that long and to Dell for manufacturing something that lasts. I sympathize with you. I'm still using my Lenovo Yoga Pro 2 that is about the same age as your Dell. I can sense that I'm getting close to getting a new laptop.
- DJ8014A (Copper Contributor)
And yes I believe it did update the signed boot manager. Does that do us any good without the KEK?
- mihi (Brass Contributor)
The signed boot manager does not require the KEK to be updated, as the 2023 DB updates are signed with the 2011 KEK.
Only the next boot manager certificates (in 2038) will require the 2023 KEK to be present (if the device still works by then).
- DJ8014A (Copper Contributor)
We won't get updates to the Secure Boot DBX. Does that mean we will get updates to other Secure Boot components, or is it all or nothing?
- mihi (Brass Contributor)
You will get updates to the boot manager, even without KEK. You won't get the next certificates (in 2038 when the current ones expire) and you won't get any new DBX entries.
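Since the replies above turn on which certificates a device holds in db versus KEK, here is an added PowerShell check for that split. It is my own example, not code from the thread or from Microsoft. The 2011 names and "Microsoft UEFI CA 2023" appear in this thread; the other 2023 subject names are the ones published for the new db and KEK as I recall them, so compare them against your own output. It needs an elevated session on a UEFI device with Secure Boot enabled.

```powershell
# Added example, not from the thread or from Microsoft: report which of the
# Secure Boot CA certificates discussed above are present in this device's
# db and KEK variables. Run in an elevated PowerShell session on a UEFI
# device with Secure Boot enabled; Get-SecureBootUEFI fails otherwise.

# Subject names to test for. "Microsoft UEFI CA 2023" and the 2011 names come
# from the thread; the remaining 2023 names are quoted from memory of the
# published list, so verify them against your own output.
$DbNames = @(
    'Microsoft Windows Production PCA 2011',   # signs the 2011-era boot manager
    'Microsoft Corporation UEFI CA 2011',      # 2011 third-party / option ROM CA
    'Windows UEFI CA 2023',                    # signs the 2023-signed boot manager
    'Microsoft UEFI CA 2023',
    'Microsoft Option ROM UEFI CA 2023'
)
$KekNames = @(
    'Microsoft Corporation KEK CA 2011',
    'Microsoft Corporation KEK 2K CA 2023'
)

function Get-SecureBootVariableText {
    # The variable is a blob of EFI_SIGNATURE_LISTs. Certificate subject names are
    # stored as plain ASCII inside the DER, so decoding the whole blob as ASCII is
    # enough to test for presence without parsing X.509.
    param([ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    return [System.Text.Encoding]::ASCII.GetString($bytes)
}

function Get-SecureBootCertificateStatus {
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is not enabled on this device; the UEFI variables cannot be read this way.'
    }
    $db  = Get-SecureBootVariableText -Name 'db'
    $kek = Get-SecureBootVariableText -Name 'KEK'
    $rows = @()
    foreach ($n in $DbNames)  { $rows += [pscustomobject]@{ Store = 'db';  Certificate = $n; Present = $db.Contains($n) } }
    foreach ($n in $KekNames) { $rows += [pscustomobject]@{ Store = 'KEK'; Certificate = $n; Present = $kek.Contains($n) } }
    return $rows
}

$status = Get-SecureBootCertificateStatus
$status | Format-Table -AutoSize

# The case the replies above describe: db carries 2023 certificates but the KEK
# does not. Boot manager updates still apply (the 2023 db update is signed under
# the 2011 KEK), but new DBX entries and the next certificate rollover will not.
$dbHas2023  = @($status | Where-Object { $_.Store -eq 'db'  -and $_.Certificate -like '*2023*' -and $_.Present }).Count -gt 0
$kekHas2023 = @($status | Where-Object { $_.Store -eq 'KEK' -and $_.Certificate -like '*2023*' -and $_.Present }).Count -gt 0

if ($dbHas2023 -and -not $kekHas2023) {
    Write-Warning 'db updated, KEK not: expect boot manager updates but no new DBX entries until the 2023 KEK is installed.'
} elseif ($dbHas2023 -and $kekHas2023) {
    Write-Host 'db and KEK both carry 2023 certificates.'
} else {
    Write-Host 'No 2023 certificates present yet.'
}
```

The ASCII-decode trick avoids parsing the signature lists; it is good enough for a presence check but will not tell you which signature owner GUID a certificate was added under, so treat it as an inventory aid rather than a verification of the full variable contents.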
- nilisvw312 (Copper Contributor)
How does Microsoft see what is needed for PXE boot with WINPE/MDT/SCCM etc?
After the 2011 certs expire, is it correct to assume that the installation of Windows 11 via PXE boot etc. is still working, as long as the BIOS firmware has the 2011 (and 2023) certs available? So nothing needs to be changed towards boot images' signed binaries unless the device only has 2023 certs in firmware?
Also, does that mean that after a fresh install of W11 you always need to update the 2023 certs in the Windows boot manager to get the security updates? Is this the case till we get a W11 version which is signed with the 2023 certs and requires boot images to have the 2023 signed binaries? So in this case you need to update the PXE/WinPE/boot images?
- SCCM_Terror (Copper Contributor)
I asked them the same question. As far as I understand, the old boot images will continue working during PXE Boot, as long as the old certificates (the ones from 2011) are present in the UEFI store. If the old certificates are revoked, we need to create new boot images, possibly using new Windows ADK.
- Jason_Sandys (Microsoft)
Correct. And as called out in a few of my other answers (which you may or may not have seen) we have no intent to revoke the old certs as that serves no purpose and would cause widespread issues.
A key point in all of this to keep in mind is that the certs expiring has no immediate impact whatsoever. Nothing signed by these certs becomes invalid or untrusted just because the certs expired. Unless or really until we release an updated boot critical component that requires signing--which must be done with the new certs--nothing changes. When this does finally happen (as I'm sure it will happen at some point (but can't say how soon that will be) that's the time when that new component won't be trusted by devices without the new certs and thus they won't be able to install that new component. Again, components signed by the old certs, whether they be in a full OS instance or a WinPE boot image, are and will still be fully trusted--nothing changes for them.
- TxRedinTN (Occasional Reader)
How are Windows 10 LTSC, Win10 IoT LTSC, and Windows 11 IoT LTSC affected by the certificates? Will the new 2023 certificates be installed on these devices? Win10 LTSC and Win10 IoT LTSC should still be getting Windows updates without the extended licensing. Thank you.
- txtechsquad (Copper Contributor)
So our devices have SecureBoot enabled, but we did not receive CA 2023. When will we receive it?
- Pearl-Angeles (Community Manager)
Thank you for your participation in today's Ask Microsoft Anything! Below is a recap of the questions the panelists answered live, along with associated timestamps:
Question - What happens if you set the registry settings on a device that is still using Legacy BIOS? Is the update process smart enough to ignore those devices? - answered at 0:46.
Question - Our company does not allow us to use Intune. Are there any helpful tools or scripts to inventory? - answered at 1:59.
- For more info, go to aka.ms/GetSecureBoot
Question - During the February AMA, you emphasized that enterprises should leverage Intune and build their own dashboard to monitor Secure Boot states. The guide requires Enterprise licenses. As an MSP that manages thousands of devices with Business Premium Plan for multiple customers with Intune and Lighthouse it doesn't make sense. Is there a plan to monitor those states via a compliance policy instead? And also, regarding the Secure Boot compliance policy: what will happen to devices that still have an old certificate, will they continue to show as compliant with the 2011 certificate? - answered at 3:24.
Question - Could you confirm that the Secure-Boot-Update scheduled task expects Microsoft's Owner GUID on Microsoft's signatures in Secure Boot? We customize the Secure Boot content and it seems that a different GUID causes the task to break the behavior of GetFirmwareEnvironmentVariableA() (used by BitLocker in other things). Could you also confirm that updating the firmware SVN (4th step of the revocations) only consists in adding SVNs to the DBX? And that for testing purposes, resetting the DBX is enough to cancel the rollback prevention? - answered at 6:03.
Question - "The KEK update (needs to be signed by the OEM because they own the PK) is required before June 2026." It's very possible I'm lost in the sauce, but I remember Scott in the December AMA saying that the various (existing) key/cert updates continued to work past 2026. This ties into the timestamping question you also responded to which I need to re-read. - answered at 9:20.
Question - If I ignore this and do nothing, will devices with (or without) Secure Boot enabled continue to boot? - answered at 10:38.
Question - What is the timeline of assisted Controlled Feature Update? Are you planning to roll out the Secure Boot Cert. Update to 100% of devices before June 2026? Or should we already prepare the alternative ways to update the devices (registry, GPO or Intune policy)? - answered at 12:05.
Question - Seeing some devices running on Hyper-V with the March 2026 updates applied, some Server 2019 servers show updated but capable = 0, other Server 2019 servers of the same build and same patch level show updated and capable = 2. Is this expected behavior, that this status is different between these two VMs? - answered at 14:29.
Question - What would be the impact of blanketly applying this policy setting: Enable Secure Boot Certificate Updates? - answered at 16:02.
Question - Are these updates BitLocker aware? Do we need to suspend BitLocker for 2-3 reboots during this process? - answered at 17:12.
Question - We've successfully updated some of our devices with the 2023 cert, and tested how PXE boot in SCCM would work. PXE boot worked fine when both 2011 and 2023 certs were enabled, which makes sense, and after revoking the 2011 cert, did not work, since the boot.wim doesn't contain the 2023 cert. A couple of questions:
- Will the boot.wim naturally get the 2023 cert, if we keep SCCM/Windows SDK up-to-date?
- Once we pass June 2026, will devices that didn't successfully get the 2023 cert yet still be able to PXE boot? - answered at 18:25.
Question - How can we get a compliance report if we do not use Autopatch? - answered at 23:35.
Question - What is the timeframe for the cert to upgrade if we leave the LCU to do the job based on a high confidence level, compared to enabling the CFR settings? - answered at 23:51.
Question - How important is it that the system already boots trusting the 2023 cert instead of the 2011 cert? Is it okay for the system to continue booting using the 2011 cert as long as the 2023 KEK and DB certificates install? - answered at 26:48.
Question - I have deployed the Secure Boot remediation through Intune and I see event ID 1801 that says the certificates are available but not applied, and the BucketConfidenceLevel shows "Need more data". Do I need to take any action on that? - answered at 29:37.
Question - Looks like there have been reports online of users receiving driver updates that are requiring BitLocker keys to be entered after reboot. Is this expected behavior? If the certs were already installed via policy, do they still get prompted from driver updates? Is there a way to know what driver updates in Intune actually have the drivers that potentially can cause BitLocker keys to be entered? Naming conventions in Intune for drivers are a bit difficult to decipher. - answered at 33:02.
Question - I noticed that some of my clients (around 5% so far) updated only two of three Secure Boot certificates. The Intune Remediation script shows the following output: Microsoft UEFI CA 2023 = False, Microsoft Corporation UEFI CA 2011 = True. Two other certificates are showing the "2023" data string. Is it expected that not all the certificates are updated at the same time? - answered at 35:24.
Question - Will Microsoft release an OS upgrade that requires the EFI partition to be signed with the 2023 certificate? If so, is this expected in Windows 11 26H2, and has Microsoft announced anything about this? We want to avoid upgrading devices if it will re-sign the EFI partition before the new certificates are installed. - answered at 38:23.
Question - Can Secure Boot certificates be updated when Secure Boot is disabled? Microsoft's AvailableUpdates process errors out unless Secure Boot is enabled. If a device won't boot Windows with Secure Boot on, how can we bring it into compliance? - answered at 42:14.
- Follow aka.ms/GetSecureBoot for the latest updates and new tools/guides.
Question - Does Server 2025 automagically comply? Both fresh install and Server 2022 update? - answered at 47:15.
- For more info, go to aka.ms/SecureBootForServer
Question - Will devices that have the 2023 cert already require a boot.wim that has the 2023 cert once June 2026 has passed? - answered at 49:00.
Question - How long will the 2023 certs last? Will this process need to be repeated when that happens? - answered at 50:47.
Question - I manually updated the registry on a device, set it to 22852, forced the Scheduled Task to start, waited 30 seconds and forced a reboot, and the server (Server 2019 VM in Hyper-V with the latest March patches) restarted several more times on its own before it settled down and showed updated. Not sure if several reboots are going to be required every time, or if my forcing things by running the scheduled task had this effect. - answered at 52:59.
Question - In the March 2026 release notes it says this: "With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout." Could you tell us more about this? My guess is that you need telemetry on to have this nice feature/support? - answered at 55:27.
Question - How will Windows Update behavior change post-expiration on devices that haven't trusted the 2023 keys? Will they continue to install LCUs normally *except* for boot-critical components? Or fail to take LCUs altogether? Will this be messaged to users/admins somehow (Defender perhaps)? Will this prevent milestone updates (i.e. prevent 25H2 -> 26H2)? - answered at 57:36.
- Paul_Woodward (Iron Contributor)
"Autopatch is coming soon" - how is stuff coming soon?? It's mid March! I would expect this to be ready for customers 6 months ago!
- JustinSE (Copper Contributor)
Right. This whole thing seems like a mess.
- Paul_Woodward (Iron Contributor)
If we don't get all the devices up-to-date before June, will it be possible to get them up-to-date later, or will they be stuck on old boot certs?
- Arden_White (Microsoft)
Yes, the devices will continue to boot and run. Not updating the certificates will begin to put your devices at risk.
More details here:
- CTKMN (Copper Contributor)
I respect that you are picking and choosing which questions to answer, but before you shut down, could you answer some of the vSphere-related questions? Inquiring minds want to know :-)
- Cliff_Hughes (Copper Contributor)
On the Hyper-V question, both the host and the guests were updated with the March CUs, so it resolved the errors with it being read-only, but I did not expect it to reboot the computer 4 times in 30 minutes to get the job done. In other client testing only one or two reboots were needed, and it was not happening automatically every 3 or 4 minutes in a row on the device. Also still not seeing an answer for the Capable = 2 versus Capable = 0, even though they show updated status otherwise.
- Paul_Woodward (Iron Contributor)
Been very disappointed by the new Secure Boot reports in Intune. Months late to the party, and you cannot filter or search on the "Certificate Status" field. And many devices show as 'unknown'.
- Jason_Sandys (Microsoft)
Hi Paul_Woodward, the easiest way to handle this is to export the report to CSV and use your favorite CSV manipulation tool to achieve this, e.g., PowerShell or Excel.
Alternatively, you can use a Remediation in Intune to supplement the built-in report: Monitoring Secure Boot certificate status with Microsoft Intune remediations - Microsoft Support
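To make the CSV route above concrete, here is an added PowerShell script (my own example, not code from the thread, from Microsoft, or from the linked remediation) that summarises an exported Intune Secure Boot report by "Certificate Status" and writes out the devices that are not positively reported as updated, including the "unknown" ones. The column headers and the status values are assumptions about the export format; adjust the parameters to match your own file. When no export is found it falls back to constructed sample rows so it can be tried offline.

```powershell
# Added example, not from the thread or from Microsoft: summarise and filter a CSV
# export of the Intune Secure Boot report, since the report itself cannot be
# filtered on "Certificate Status". The column headers below are an assumption;
# change $DeviceColumn / $StatusColumn to match the headers in your export.
param(
    [string]$Path         = '.\SecureBootReport.csv',
    [string]$DeviceColumn = 'Device name',
    [string]$StatusColumn = 'Certificate Status',
    [string]$OutPath      = '.\SecureBoot-NeedsAttention.csv'
)

# Constructed sample rows, used only when no export is found at $Path, so the
# script can be tried offline. Device names and status values are illustrative.
$SampleCsv = @'
"Device name","Certificate Status","Last check-in"
"LAPTOP-001","Updated","2026-03-20"
"LAPTOP-002","Not updated","2026-03-19"
"LAPTOP-003","Unknown","2026-03-01"
"DESKTOP-010","","2026-02-28"
"SRV-019-A","Updated","2026-03-21"
'@

function Get-ReportRows {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path) { return Import-Csv -LiteralPath $Path }
    Write-Warning "No export found at $Path; using constructed sample rows."
    return $SampleCsv | ConvertFrom-Csv
}

function Get-StatusSummary {
    # One line per distinct status; blank cells are grouped as "(blank)" so that
    # devices with no reported status are not silently dropped from the totals.
    param([object[]]$Rows, [string]$StatusColumn)
    $Rows | Group-Object -Property $StatusColumn |
        Select-Object @{ n = 'Status';  e = { if ([string]::IsNullOrWhiteSpace($_.Name)) { '(blank)' } else { $_.Name } } },
                      @{ n = 'Devices'; e = { $_.Count } } |
        Sort-Object -Property Devices -Descending
}

function Get-DevicesNeedingAttention {
    # Everything that is not positively reported as updated: "Unknown", blank,
    # and any explicit not-updated state all need a follow-up.
    param([object[]]$Rows, [string]$DeviceColumn, [string]$StatusColumn)
    $Rows |
        Where-Object { $_.$StatusColumn -notmatch '^\s*updated\s*$' } |
        Select-Object -Property $DeviceColumn, $StatusColumn
}

$rows = Get-ReportRows -Path $Path
Get-StatusSummary -Rows $rows -StatusColumn $StatusColumn | Format-Table -AutoSize

$attention = Get-DevicesNeedingAttention -Rows $rows -DeviceColumn $DeviceColumn -StatusColumn $StatusColumn
$attention | Format-Table -AutoSize
$attention | Export-Csv -LiteralPath $OutPath -NoTypeInformation
Write-Host "$(@($attention).Count) device(s) written to $OutPath"
```

The filter is deliberately pessimistic: only rows whose status is exactly "Updated" are excluded, so a renamed or new status value in a future export shows up in the attention list rather than being silently treated as done.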