Event details
39 Comments
Hi Guys, and happy new year everyone 🎉,
In the Secure Boot AMA (https://techcommunity.microsoft.com/event/windowsevents/ama-secure-boot/4472784) someone asked about the UEFICA2025Status Reg Key showing an unexpected status of "NotStarted". The Microsoft team advised they would investigate and advise what to do in this situation. We have this in our environment. When will we be told what to do/who can we speak to about this please?- EricMoe
Microsoft
I reached out to the Secure Boot Certificate team and they shared the following:
"Not Started" means that nothing has triggered the certificate updates. Possible triggers are:
- We determine the device is high confidence - this will be ramping up over the next several months.
- Customers have opted in to Controlled Feature Rollout and are providing telemetry
- Customers trigger it themselves through Intune, GPO, registry key change
A colleague of mine installed an application at the end of the day on Friday and then shut down his computer. When he started it up today, the app wasn't working. Sure enough, the app required a restart, and apparently Fast Startup is still a thing that is enabled by default in Windows 11.
The setting is not exposed anywhere in the modern Settings app; you have to go into the legacy Control Panel to turn it off. And apart from a couple mentions in the developer section, Microsoft's documentation doesn't acknowledge it at all. Every search result I found about how to turn it off is on a third-party web site.
If I'm not mistaken, it isn't even possible to disable Fast Startup with a standard GPO or an Intune configuration policy; you have to use a GPP or a script to set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power\HiberbootEnabled registry value to 0.
And while I concede the feature had some benefit in the days of spinning rust, the speedup on SSD-based machines is so negligable as to be unnoticable.
So, uh, what gives? 🙂
- EricMoe
RyanSteele-CoV​ - Intune has a setting to disable Hibernate with Power Policy CSP | Microsoft Learn which is in the Settings catalog. Just be aware in the policy note that it does not override any powercfg configurations or if you manually set the HibernateEnabled setting.
Thanks EricMoe​. However, wouldn’t this disable the Hibernation feature entirely? Couldn’t that result in someone losing work if their laptop runs out of battery?
I am interested to understand why Fast Startup still exists and is enabled by default.
Can you clarify what is happening and what will need to be done regarding the Secure boot certificates. For the basic users of Windows does this affect the mainstream users both business and personal? I'm not sure I understand what is affected and links to documentation make things less clear rather than provide much in the way of an answer.
- Heather_Poulsen
Community Manager
csmith-norwood​ - If you have any specific questions, we're hosting an AMA dedicated to Secure Boot on February 6 - Ask Microsoft Anything: Secure Boot - Windows Tech Community. You can tune in live and/or post your questions early in the Comments section for that event.
- EricMoe
The latest blog is here, Act now: Secure Boot certificates expire in June 2026 - Windows IT Pro Blog which includes the following guidance, "Please consult the Secure Boot playbook for certificates expiring in 2026 and https://aka.ms/GetSecureBoot for the most current guidance." The short answer is for personal (consumers) there's no action you need to take. For business, follow the Secure Boot Playbook for certificates expiring in 2026. It has step-by-step guidance. Ultimately the certificates are deployed via monthly Windows updates to devices that are considered "high-confidence." Details are in the article.
