Microsoft Answers Key Questions as Secure Boot Deadline Approaches
With the June 24, 2026, expiration of the original Microsoft Secure Boot KEK certificate looming, Microsoft conducted its second live “Ask Microsoft Anything” (AMA) session on June 4 to address the remaining concerns of IT administrators and enterprise customers. This session provided deeper insights into the Secure Boot updates, addressing enterprise rollouts, virtual machine compatibility, PXE boot scenarios, and more.
What Changes on June 24, 2026?
The most pressing question was whether June 24 marks a hard stop for the Secure Boot KEK CA 2011 certificate. According to Scott Shell, the expiration date is not a hard deadline that halts all functionality. The KEK key expiration does not immediately affect the registry-based manual rollout process or existing update payloads, which will continue to work as before.
However, after June 24, Microsoft will lose the ability to sign new DBX payloads, which are critical for revoking compromised bootloaders. Devices without the updated KEK certificate may miss future revocations, potentially becoming less secure over time. The DB certificate, however, remains valid until October, allowing Microsoft to sign additional boot managers during this interim period.
The June Update Expands High-Confidence Coverage
The June Patch Tuesday update will classify the vast majority of mainstream devices as high confidence based on Microsoft’s diagnostic data. Kevin Sullivan clarified that device classification extends beyond manufacturer and model names to include firmware version and date. This means that even identical models could be classified differently depending on their firmware.
To assist IT admins, the Intune monitoring report provides a detailed view of device status, including high-confidence classification, update application status, and devices requiring manual intervention. The report is complemented by a PowerShell remediation script for additional flexibility.
Addressing “Temporarily Paused” Devices
Some enterprise customers reported devices stuck in a “temporarily paused” status. Microsoft explained this occurs when compatibility issues at the firmware level make updates risky. In such cases, an OEM firmware update is required to resolve the issue. Once the firmware is updated, the device moves into a new classification bucket.
Admins should use live data from Intune or the GitHub CSV to track device status accurately, as paused buckets do not update retroactively. Microsoft’s Secure Boot landing page includes links to OEM support pages for locating firmware updates.
Guidance for Manual Rollouts
For devices not in the high-confidence bucket, Microsoft advised against waiting for automatic classification. Admins should initiate manual rollouts by setting registry values or using Intune policy settings. The recommended workflow involves:
- Pulling the Intune monitoring report to identify unupdated devices.
- Testing the update process on representative devices for each model or firmware variant.
- Gradually expanding the rollout after successful tests.
Microsoft emphasized that manual updates contribute telemetry data, improving the system for other organizations with similar devices.
Devices with Secure Boot Disabled
For devices with Secure Boot turned off, updates to certificates cannot be applied. If Secure Boot is later re-enabled, mismatches between firmware trust databases and boot manager signatures can lead to boot failures. Recovering from this requires manually installing the 2023 certificate into the firmware.
Azure Gen 2 VMs with secure or trusted launch enabled already have the 2023 certificate set, while Gen 1 VMs are incompatible with Secure Boot.
High-Confidence Classification Criteria
Older devices often achieve high-confidence classification faster than newer ones because their smaller populations allow for quicker statistical validation. For widely deployed newer models, the June update is expected to significantly expand the high-confidence bucket.
PXE Boot Environments Require Careful Management
For PXE boot environments, devices with the 2011 certificate will continue to boot as long as the certificate is not revoked in the DBX list. However, transitioning to bootloaders signed with the 2023 certificate requires ensuring all devices in the environment trust the new certificate. During the transition, maintaining boot media signed by both certificates is recommended.
Windows 10 and Older OS Versions
The Secure Boot update mechanism is identical across Windows 10 (under ESU), Windows 11, and older server versions. However, older devices may lack telemetry data, making manual updates necessary.
Diagnostic Tools and Resources
Event logs, particularly the TPM-WMI event log, are critical for diagnosing Secure Boot issues. Key indicators include:
- Error 1803 for invalid or unsigned Platform Keys.
- Verification of both KEK and DB certificates for the 2023 versions.
Microsoft’s central resource, aka.ms/GetSecureBoot, provides a comprehensive playbook, diagnostic scripts, and OEM firmware links. Admins are encouraged to follow Microsoft’s “test one first” advice to ensure smooth updates.
In summary, Microsoft’s phased rollout and diagnostic tools are designed to minimize disruptions while ensuring Secure Boot compliance. IT admins are encouraged to act promptly to avoid potential security risks as the KEK expiration deadline approaches.
