Event details
Join Microsoft engineers for a live Ask Microsoft Anything (AMA) focused on Secure Boot certificate updates in Windows Server environments. We’ll answer your questions about deployment planning, firm...
Heather_Poulsen
Updated Jun 30, 2026
HeyHey16K
Jun 26, 2026Steel Contributor
Hi guys 👋, if we used Intune/Microsoft's CFR to update our Secure Boot certificates on devices, and the Intune SB report status shows the certificates are green/"up to date" for each device record, does the "up to date" status include revocation of the old 2011 boot managers (DBX)? If not, when will Microsoft revoke them please? And could you share instructions to revoke them manually ourselves sooner if needed please? Thank you! 🙏
Arden_White
Microsoft
Jun 30, 2026No, the Intune report does not include revocation of the 2011 certificate in the DBX. The high-level steps for deployment are these:
- Deploy the new certificates and the 2023 signed boot manager to all devices (devices are emitting the event 1808 OR UEFICA2023Status == "Updated"
- Update any bootable media (ISOs, bootable USB thumb drives, PxE/WDS servers) to boot using the 2023 signed boot manager - see Updating Windows bootable media to use the PCA2023 signed boot manager
- Add the PCA2011 certificate to the DBX to untrust all 2011 signed boot managers. See How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932
The specific PowerShell command is
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x80 /f
- HeyHey16KJun 30, 2026Steel Contributor
Thank you Arden 🙏