Event details
Join Microsoft engineers for a live Ask Microsoft Anything (AMA) focused on Secure Boot certificate updates in Windows Server environments. We’ll answer your questions about deployment planning, firmware prerequisites, monitoring and troubleshooting, known issues, virtualization scenarios, and how to maintain protection against future boot-level threats. Whether you're managing a handful of servers or a large datacenter, bring your questions and get practical guidance directly from the experts helping customers navigate this important platform security update.
How do I participate?
Registration is not required. Simply select Add to calendar then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast
Get started with these helpful resources
18 Comments
- kprzOccasional Reader
I know this AMA is focused on Windows Server, but I am hoping the team can clarify the Windows Security status behavior for Secure Boot certificate updates.
On a supported Windows 11 device, Windows Security shows that Secure Boot is on, but the automated Secure Boot certificate update cannot complete because of hardware or firmware limitations, and it says to contact the manufacturer.
The OEM support article lists the model as supported for the new Secure Boot certificates, but the OEM download page does not yet show an obvious newer firmware package for the device. Windows Update has installed an optional firmware-related update, but the Windows Security warning remains after multiple restarts.
My questions are:
- Can this Windows Security warning appear temporarily while a supported device is still waiting for the correct Windows Update / OEM firmware rollout, or does it always mean the device is truly blocked?
- For consumer Windows 11 devices, what is the safest way to distinguish “eligible but still waiting” from “manufacturer action required”?
- Should users avoid manual BIOS changes and wait for Windows Update / Optional Updates unless the OEM provides specific guidance?
- Is there a recommended Windows Security status message or event log location that confirms whether the Secure Boot certificate update is pending, failed, blocked, or fully applied?
I am trying to follow the Microsoft-recommended update path without making unnecessary firmware changes.
- HeyHey16KSteel Contributor
Hi guys 👋, if we used Intune/Microsoft's CFR to update our Secure Boot certificates on devices, and the Intune SB report status shows the certificates are green/"up to date" for each device record, does the "up to date" status include revocation of the old 2011 boot managers (DBX)? If not, when will Microsoft revoke them please? And could you share instructions to revoke them manually ourselves sooner if needed please? Thank you! 🙏
- Arden_White
Microsoft
No, the Intune report does not include revocation of the 2011 certificate in the DBX. The high-level steps for deployment are these:
- Deploy the new certificates and the 2023 signed boot manager to all devices (devices are emitting the event 1808 OR UEFICA2023Status == "Updated"
- Update any bootable media (ISOs, bootable USB thumb drives, PxE/WDS servers) to boot using the 2023 signed boot manager - see Updating Windows bootable media to use the PCA2023 signed boot manager
- Add the PCA2011 certificate to the DBX to untrust all 2011 signed boot managers. See How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932
The specific PowerShell command is
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x80 /f
- HeyHey16KSteel Contributor
Thank you Arden 🙏