Event details

Join Microsoft engineers for a live Ask Microsoft Anything (AMA) focused on Secure Boot certificate updates in Windows Server environments. We’ll answer your questions about deployment planning, firmware prerequisites, monitoring and troubleshooting, known issues, virtualization scenarios, and how to maintain protection against future boot-level threats. Whether you're managing a handful of servers or a large datacenter, bring your questions and get practical guidance directly from the experts helping customers navigate this important platform security update.

How do I participate?

Registration is not required. Simply select Add to calendar then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast

Get started with these helpful resources

Heather_Poulsen
Updated Jun 30, 2026

18 Comments

  • kprz's avatar
    kprz
    Occasional Reader

    I know this AMA is focused on Windows Server, but I am hoping the team can clarify the Windows Security status behavior for Secure Boot certificate updates.

    On a supported Windows 11 device, Windows Security shows that Secure Boot is on, but the automated Secure Boot certificate update cannot complete because of hardware or firmware limitations, and it says to contact the manufacturer.

    The OEM support article lists the model as supported for the new Secure Boot certificates, but the OEM download page does not yet show an obvious newer firmware package for the device. Windows Update has installed an optional firmware-related update, but the Windows Security warning remains after multiple restarts.

    My questions are:

    1. Can this Windows Security warning appear temporarily while a supported device is still waiting for the correct Windows Update / OEM firmware rollout, or does it always mean the device is truly blocked?
    2. For consumer Windows 11 devices, what is the safest way to distinguish “eligible but still waiting” from “manufacturer action required”?
    3. Should users avoid manual BIOS changes and wait for Windows Update / Optional Updates unless the OEM provides specific guidance?
    4. Is there a recommended Windows Security status message or event log location that confirms whether the Secure Boot certificate update is pending, failed, blocked, or fully applied?

    I am trying to follow the Microsoft-recommended update path without making unnecessary firmware changes.

  • HeyHey16K's avatar
    HeyHey16K
    Steel Contributor

    Hi guys 👋, if we used Intune/Microsoft's CFR to update our Secure Boot certificates on devices, and the Intune SB report status shows the certificates are green/"up to date" for each device record, does the "up to date" status include revocation of the old 2011 boot managers (DBX)? If not, when will Microsoft revoke them please? And could you share instructions to revoke them manually ourselves sooner if needed please? Thank you! 🙏