Event details
We started our journey down this road in June 2024 when MS made the announcement that the new certs were only being regression tested with UEFI Firmware from March 2024 onward. Older firmware may work, but if it doesn't then "Oh well". Unless it fixed a specific problem or was required, updating BIOS/UEFI F/W wasn't a priority until this forced us to upgrade.
Operationalizing annual UEFI updates was a result of finding that a good number of manufacturer updates will only work in "steps". For instance if the existing version is 1.2.3 but the latest version is 1.30.2 you may have to step to 1.8, then 1.10, then 1.20, etc. Very time consuming.
As of today every device has the new cert deployed (it was in the April 2024 CU Security patch) and installed in the .db file. We have 80% of our environment with the 2011 cert in the .dbx file, booting solely off the 2023 cert. The remaining 20% are in manual remediation due to BIOS versions or Secure Boot being turned off. All new devices have been configured with only the 2023 cert.
The only real hardship is our field folks have to have 2 USB boot devices - 1 with the 2011 cert only and 1 with the 2023 cert.
In testing the process we were surprised - and not in a good way - at the initial failure rate when we forced devices to boot only from the 2023 cert prior to running BIOS version checks, if Secure Boot was enabled, and . Had we waited until MS forced the change it would have overrun our Help Desk with "I can't boot" calls.
Interesting feedback! On my side I was surprised by your experience regarding BIOS versions — I've been able to successfully deploy all the new certificates and the updated boot manager on Lenovo devices with BIOS from 2019 and 2020, without any issues.
Of course, OEM BIOS updates that embed the new certificates are always a good practice — but in my experience they are not strictly required. At least on every Lenovo I've tested, there was no minimum BIOS version needed to get the Microsoft certificates installed properly.
For your 20% in manual remediation, you might want to give https://github.com/claude-boucher/CheckCA2023 a try — it's a PowerShell + XAML utility that helped me a lot to diagnose machines where the process wasn't going smoothly. It visualizes all Secure Boot certificate stores, the relevant registry keys and the Event IDs Microsoft asks us to monitor. Might help identify exactly where things are getting stuck.
Would love to hear your feedback if you get a chance to try it! 😊
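As an added example (not code from the thread and not from the CheckCA2023 tool), the PowerShell below reads the Secure Boot db and dbx variables with the built-in SecureBoot cmdlets, parses their EFI_SIGNATURE_LIST structures, and reports whether the 2023 CA sits in db and the 2011 PCA has been moved to dbx, which is the "booting solely off the 2023 cert" state the first post describes and one of the stores the reply's tool visualizes. The structure layout and GUID come from the UEFI specification and the subject names from the Microsoft certificates; the function names and output fields are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: parse Secure Boot db/dbx and report which Microsoft CAs they hold.
# Assumes the built-in SecureBoot module (Windows PowerShell 5.1 or PowerShell 7).

# EFI_CERT_X509_GUID: marks a signature list whose entries are DER X.509 certificates
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-EfiSignatureCerts {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # Walk the chain of EFI_SIGNATURE_LIST structures. dbx is mostly SHA-256 hash
    # lists, which are skipped; only X.509 lists yield certificate objects.
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type     = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) { break }  # malformed list: stop
        if ($type -eq $X509Guid) {
            $pos = $offset + 28 + $hdrSize
            while ($sigSize -gt 16 -and $pos + $sigSize -le $offset + $listSize) {
                # EFI_SIGNATURE_DATA = SignatureOwner GUID (16 bytes) + DER certificate
                $der = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Get-SecureBootCaStatus {
    # Confirm-SecureBootUEFI throws on non-UEFI firmware; $false means Secure Boot is off.
    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is disabled; db/dbx are not enforced.' }
    $db  = @(Get-EfiSignatureCerts -Bytes (Get-SecureBootUEFI -Name db).Bytes)
    $dbx = @(Get-EfiSignatureCerts -Bytes (Get-SecureBootUEFI -Name dbx).Bytes)
    [pscustomobject]@{
        Db2023Present  = [bool]($db  | Where-Object Subject -like '*Windows UEFI CA 2023*')
        Db2011Present  = [bool]($db  | Where-Object Subject -like '*Windows Production PCA 2011*')
        Dbx2011Revoked = [bool]($dbx | Where-Object Subject -like '*Windows Production PCA 2011*')
        DbSubjects     = $db.Subject
        DbxSubjects    = $dbx.Subject
    }
}

# A device boots solely off the 2023 CA when Db2023Present and Dbx2011Revoked are both True.
Get-SecureBootCaStatus | Format-List
```

Run it elevated on a device in the "manual remediation" group before touching the BIOS: a False Db2023Present with Secure Boot on points at the certificate deployment rather than the firmware version.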