Event details
For devices that have been offline for an extended period, or newly imaged devices that may have been sitting on a shelf for months, what should we expect regarding the Secure Boot certificate updates?
My understanding is that the Secure Boot update process will still run once the device is updated, and that devices whose default Secure Boot databases (DB/DBX) still contain the 2011 certificates will ultimately receive the 2023 certificates through the update process. Is that correct?
Additionally, if a device already ships with the 2023 certificates present in the firmware's default Secure Boot databases, how long should it take before the Windows bootloader transitions from using the 2011 certificate chain to the 2023 certificate chain? Is there a specific trigger or state change required for that transition?
For example, I have a device where the BIOS shows the 2023 certificates are present, but the bootloader still reports that it is using the 2011 certificates. Is that an expected intermediate state, and if so, what exactly does it indicate about the device's Secure Boot configuration? Or are we overthinking the distinction between the firmware certificates and the active bootloader signing chain?
Hello Swartz99 Good Morning... You are correct. Soon the device is updated to latest Windows Patches, the certificates will be automatically updated if the device is classified as High Confidence. Else, you need to take action to test and deploy the certificates by following deployment guidance at https://aka.ms/getsecureboot
If the device already ships with the 2023 certificates, the boot loader will be automatically switched to 2023 signed version as soon as latest windows patches are deployed. Are you still observing 2011 Boot loader on the system even after all of latest windows updates deployed? To confirm the device has been updated, you can run the following powershell script from Administrator prompt.
C:\Windows\SecureBoot\Scripts\Get-SecureBootRolloutStatus.ps1
This script dumps complete status of the Secure Boot certificate and update completeness for your system
- Swartz99Jul 15, 2026Tin Contributor
Thanks for the reply Prabhakar_MSFT! My device is currently on build 26100.4652. I am going to move it to our Test Autopatch ring and try and get yesterday patch on it and see if the Boot loader updates.
I also do not have a SecureBoot folder in my C:\Windows folder. is that because of the older build i am currently on?- Swartz99Jul 15, 2026Tin Contributor
Prabhakar_MSFT, will devices shipped with 2011 certs still update in, say January of 2027?
Also will only High Confidence devices update, or will any of the other status's update on there own? Or will we have to set the AvailableUpdates reg key to 0x5944 in order to get the other status's to update?- Prabhakar_MSFTJul 15, 2026
Microsoft
Swartz99 26100.4652 is older build. If you update device to latest build, it is likely device may get updates automatically through high confidence rating. High Confidence based updates are best case effort from Microsoft for device classes that are visible to Microsoft where we have seen cert updates to succeed without any issues.
At present, the devices only auto update if classified as high confidence. The devices will continue to receive the updated ratings and any future improvements we will make. We recommend following guidance https://aka.ms/getsecureboot to update devices through AvailableUpdates Policy after validation on similar hardware to get latest certs ASAP because KEK cert and Microsoft Corporation UEFI CA 2011 certs have already expired. While the expiration does not impact normal computer operation, device cannot receive new security updates to Boot Manager and Secure Boot without the new certificates.