Event details
Join Microsoft engineers for a live Ask Microsoft Anything (AMA) focused on Secure Boot certificate updates in Windows Server environments. We’ll answer your questions about deployment planning, firm...
Heather_Poulsen
Updated Jun 30, 2026
Arden_White
Microsoft
Jun 30, 2026No, the Intune report does not include revocation of the 2011 certificate in the DBX. The high-level steps for deployment are these:
- Deploy the new certificates and the 2023 signed boot manager to all devices (devices are emitting the event 1808 OR UEFICA2023Status == "Updated"
- Update any bootable media (ISOs, bootable USB thumb drives, PxE/WDS servers) to boot using the 2023 signed boot manager - see Updating Windows bootable media to use the PCA2023 signed boot manager
- Add the PCA2011 certificate to the DBX to untrust all 2011 signed boot managers. See How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932
The specific PowerShell command is
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x80 /f
HeyHey16K
Jun 30, 2026Steel Contributor
Thank you Arden 🙏