Event details
Now that the new certificates are landing in DB, the KEK is updating, and the boot manager is being re-signed — the "deployment phase" seems well underway for most of us.
My question is about the timing of the next steps: do the optional ones (old certificate revocation in DBX, SVN update, SBAT, new DBX, ...) have an announced schedule yet? Or are we still waiting for a signal from Microsoft?
On my side, I've been building a PowerShell + XAML utility — initially developed for Lenovo devices, but designed to work on other hardware as well — that lets you visualize all Secure Boot certificate stores, the registry keys and Event IDs that Microsoft asks us to monitor, all without Intune or MDM.
Can't wait to integrate these next steps as soon as they're clarified! 😊
Thank you for your question. Due to the impact on recovery boot media and other external boot sources such as network boot, the revocation of the old 2011 certificate and the SVN update are not automatically applied to UEFI firmware. Enterprises need to ensure all boot sources have been updated to the latest 2023-signed boot manager before applying the revocations to UEFI DBX.
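As an added illustration of the kind of store inspection the question describes and the readiness check the answer calls for (example code written for this thread, not the poster's utility or a Microsoft tool), the script below reads the Secure Boot db and dbx UEFI variables with the built-in Get-SecureBootUEFI cmdlet, walks the EFI_SIGNATURE_LIST structures, and reports which CA certificates and how many hash entries are present. The matching on "2023" and "2011" in the certificate subject is a simplifying assumption for the readiness summary; it needs an elevated session on a UEFI system with Secure Boot enabled.

```powershell
# Added example (not from the original post): enumerate Secure Boot db/dbx contents so an
# admin can confirm the 2023 CAs have landed in db before any DBX revocation is rolled out.
$EfiCertX509   = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$EfiCertSha256 = [Guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function Get-SecureBootEntries {
    param([Parameter(Mandatory)][ValidateSet('db','dbx','KEK','PK')][string]$Name)
    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset -lt $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16), ListSize(4), HeaderSize(4), SignatureSize(4)
        $type       = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos -lt $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the signature payload
            $data = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
            if ($type -eq $EfiCertX509) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Store = $Name; Kind = 'X509'; Subject = $cert.Subject; NotAfter = $cert.NotAfter }
            } elseif ($type -eq $EfiCertSha256) {
                # dbx is mostly SHA-256 hashes of revoked binaries; keep the hex so it can be counted or searched
                [pscustomobject]@{ Store = $Name; Kind = 'SHA256'; Subject = ([BitConverter]::ToString($data) -replace '-'); NotAfter = $null }
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

$db  = Get-SecureBootEntries -Name db
$dbx = Get-SecureBootEntries -Name dbx
$db | Format-Table Store, Kind, Subject, NotAfter -AutoSize

# Readiness summary (assumption: the 2023-era CAs carry "2023" in their subject, the 2011-era ones "2011")
$has2023 = [bool]($db | Where-Object { $_.Kind -eq 'X509' -and $_.Subject -match '2023' })
$has2011 = [bool]($db | Where-Object { $_.Kind -eq 'X509' -and $_.Subject -match '2011' })
"db: 2023-era CA present = $has2023; 2011-era CA still present = $has2011"
"dbx: $(@($dbx | Where-Object Kind -eq 'SHA256').Count) hash entries, $(@($dbx | Where-Object Kind -eq 'X509').Count) certificate entries"
```

A db that shows the 2023-era CA present while the 2011-era CA is still present is the expected intermediate state the answer describes: the old CA stays trusted until every boot source has been moved to the 2023-signed boot manager.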