Microsoft recently concluded its OEM Secure Boot Office Hours event, which took place on July 15. During this session, engineers from Microsoft collaborated with representatives from various original equipment manufacturers (OEMs) including Acer, Asus, Cisco, Dell, and HP, among others. The event provided a platform for IT administrators to pose live questions regarding the Secure Boot 2023 rollout on the Tech Community forum.
Over a span of 12 hours, the discussion thread evolved into one of the most comprehensive technical records surrounding the Secure Boot updates, particularly significant as it followed the expiration of the first certificates over three weeks prior. IT admins expressed their concerns, particularly regarding issues such as BitLocker recovery loops, confidence ratings that remained stuck, and Intune policies that failed to provide useful error codes.
Note: This article is tailored for IT admins and enterprise fleet managers responsible for deploying Secure Boot certificate updates across managed devices. Regular Windows 11 users need not worry; simply navigate to Windows Security > Device security > Secure Boot to verify the status. If it indicates that Secure Boot is enabled and all certificate updates are applied, your PC is functioning correctly, with Windows Update ensuring ongoing compliance.
Key highlights
- Devices that have been offline for extended periods will still receive the 2023 certificates upon reconnecting to Windows Update.
- Devices with existing 2023 certificates in firmware will automatically switch to the new boot manager after the latest Windows patches are installed.
- A newly included script, Detect-SecureBootCertUpdateStatus.ps1, now resides within Windows, allowing for certificate status checks on individual PCs.
- A BIOS update may reset a device’s confidence rating to unrated, which is a normal occurrence and does not indicate certificate failure.
- Admins should manually edit the AvailableUpdates registry key rather than the AvailableUpdatesPolicy, which is automatically managed by Intune and Group Policy.
- A licensing bug affecting AvailableUpdatesPolicy on devices upgraded from Pro to Enterprise was resolved by Microsoft earlier in 2026.
- BitLocker recovery is not typically associated with the certificate update process and usually points to device-specific firmware or PCR issues.
- Clear guidance was provided to Dell and HP fleet managers regarding which BIOS versions include the 2023 certificates for their newer enterprise models.
- Older HP EliteBook 840 G5 units require a manual update package to obtain the new certificates, rather than a standard BIOS update.
- Both HP and Microsoft’s Surface team confirmed that eligible devices can still receive the 2023 certificates at any future point.
- Surface devices released from 2024 onward are pre-equipped with the 2023 certificates.
Microsoft and OEMs fixed multiple issues during the Secure Boot office hours AMA
The session yielded valuable insights primarily from Microsoft’s PrabhakarMSFT and JasonSandys, who addressed numerous enterprise inquiries, with OEM engineers from HP and Dell providing additional device-specific context.
Devices left on old firmware will still get the 2023 certificates
One IT admin inquired about devices that had been idle for months or new machines that had not received Windows Update. Microsoft confirmed that the Secure Boot update process operates uniformly regardless of a device’s offline duration. Any machine retaining the 2011 certificates will acquire the 2023 chain upon its first reconnection and update processing. There is no cutoff for idle devices.
For devices that already have 2023 certificates in firmware but still boot using the 2011 chain, Microsoft clarified that these devices will automatically switch to the 2023-signed version following the latest Windows patches, with no additional triggers required. If a device continues to display the 2011 boot manager after complete patching, it indicates that the update process has not yet finalized.
The SecureBoot scripts folder that comes inside Windows
Windows updates released post-May 12, 2026, now include a set of PowerShell scripts located in %systemroot%SecureBootExampleRolloutScripts. Previously, these scripts were shared as separate code blocks on support pages, but they are now integrated within the operating system.
For individual device checks, the relevant script is Detect-SecureBootCertUpdateStatus.ps1, which reads the local registry and event log, providing a comprehensive status report without altering any settings. This tool is particularly useful for users experiencing a Secure Boot Status = Unknown despite having the correct certificates and an enabled TPM.
What ConfidenceLevel means when a firmware update resets it
An admin reported a change in their device’s confidence rating after upgrading the BIOS. Prabhakar explained that confidence ratings are linked to the firmware version reported by a device rather than the hardware itself. Microsoft categorizes devices based on firmware fingerprints, and each category earns a confidence rating based on successful update telemetry. A BIOS change assigns the device to a new category, temporarily displaying an unrated status until sufficient data is gathered.
If a device’s certificates are current, the confidence label can be disregarded. For further verification, admins can utilize the Detect-SecureBootCertUpdateStatus.ps1 script.
The AvailableUpdates registry key, explained
Confusion arose regarding two similarly named registry values:
- AvailableUpdates is the key that admins should manually set at HKLMSYSTEMCurrentControlSetControlSecureBoot. Setting it to 0x5944 instructs Windows to deploy the entire 2023 chain in one go, including DB certificates, KEK, and the new boot manager.
- AvailableUpdatesPolicy is marked as “for reference only, do not update this key through the registry” in Microsoft’s documentation. It exists for Group Policy and Intune to communicate their Secure Boot settings back to Windows and is set automatically when an admin configures the policy through these tools.
When an admin sought clarification on which key to edit for a GPO-based rollout, Microsoft’s Jason_Sandys directed him to the dedicated deployment guides for both Group Policy Objects and Microsoft Intune, which automatically set the AvailableUpdatesPolicy.
BitLocker recovery isn’t tied to any one deployment method
Another admin managing a diverse fleet of devices inquired about handling the certificate rollout without triggering BitLocker recovery. Jason_Sandys confirmed that triggering BitLocker recovery is not expected behavior during the certificate update process, regardless of the deployment method used. When it does occur, it typically relates to custom PCR configurations or specific firmware issues.
Microsoft consistently advises testing representative hardware before broad rollouts and ensuring BitLocker recovery keys are backed up. One admin confirmed that his organization already stores keys in multiple locations, which mitigated potential crises during the rollout.
Dell and HP on aging firmware and Intune-managed rollouts
In a discussion about the risks associated with machines running outdated firmware, Dell’s Marcus_Molner confirmed that while updating certificates is supported, remaining on old firmware can result in missing critical security fixes and recovery capabilities. Dell recommends deploying patch bundles that synchronize certificates with Windows Update.
Further inquiries were made regarding when Dell and HP would provide BIOS versions with the 2023 certificates in their default databases. Both companies provided assurances regarding their respective models:
- HP’s Juergen_Bayer confirmed that all G8-and-newer models have the 2023 certificates in their default database once updated to the latest BIOS.
- Dell’s Marcus_Molner referred to Microsoft’s knowledge base article, which lists supported platforms and their corresponding BIOS versions.
Legacy HP hardware still has a manual path
Inquiries about older EliteBook models revealed that the G6 series has a proper BIOS update available, while the G5 and earlier models, which have reached the end of service life, do not receive new BIOS updates. Instead, HP offers a manual update package for the G5 series that directly writes the 2023 certificates into the KEK and DB databases.
A compatible PC won’t lose the ability to update to 2023 Secure Boot Certificates later
Concerns were raised about whether devices running 2011 certificates would lose the ability to receive the 2023 chain. Both HP and Microsoft’s Surface team assured that any commercial platform from 2019 onward with the latest BIOS installed will always be capable of receiving the 2023 certificates.
Microsoft’s Dan_Pandre echoed this sentiment for Surface devices, stating that any eligible model will remain so indefinitely, with Windows Update being the simplest method for updates. The only exceptions are devices that shipped with Windows 8, such as the Surface Pro 3 and Surface 3, while all Surface models released since 2024 come with the 2023 certificates pre-installed.
What IT admins should do before the October Secure Boot deadline
This office hours session addressed numerous device-specific questions that had accumulated since previous AMAs, but the urgency surrounding the October deadline remains. The Microsoft Corporation KEK CA 2011 and Microsoft UEFI CA 2011 certificates have already expired, and the third certificate, Microsoft Windows Production PCA 2011, is set to expire on October 19, 2026. This timeline gives fleet managers approximately three months to ensure that every device is either already on the 2023 chain or has a documented plan for compliance.
Fortunately, admins now have access to a reliable script for checking individual machine statuses, clear guidance on the necessary registry key modifications, and confirmations from HP, Dell, and Microsoft that eligible hardware will retain the ability to update in the future. For those managing fleets that have yet to initiate this process, Microsoft’s guidance on the implications of missing the Secure Boot deadline serves as a valuable starting point. Additionally, comprehensive resources are available for verifying Secure Boot status and device-specific BIOS versions across various OEMs.