What Do I Need to Do About Windows Secure Boot UEFI Certificate Expiration?

0
69
Asked By TechGuru42 On

I've been diving into a bunch of knowledge base articles, but I'm still not entirely certain if I need to take specific actions regarding the upcoming expiration of Secure Boot certificates in June 2026. In my environment, we primarily have devices that are either domain-joined and updated through WSUS with GPO control or managed via Intune with Microsoft updates. My confusion stems from the combination of registry keys, GPOs, firmware updates, and Windows Updates. Should I be doing something specific, or will the regular monthly cumulative and security updates handle everything? I've had some success on most systems by setting **AvailableUpdates** to **0x5944** and triggering the secure-boot-update task a few times, but the guidance around this isn't very clear. I would love to hear what others are doing about it!

7 Answers

Answered By HelpfulResources On

Here’s a solid write-up outlining steps you can take: [Evil365 Secure Boot Guide](https://evil365.com/intune/SecureBoot-Cert-Expiration/). Plus, the Microsoft AMA on Secure Boot is definitely worth a listen [AMA Secure Boot](https://techcommunity.microsoft.com/event/windowsevents/ama-secure-boot/4472784) and don't forget to check out the playbook for more details [Secure Boot Playbook](https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235). It's essential to do your diligence by identifying all models in your organization, ensuring compatibility, and testing with a few devices first.

Answered By CuriousUser101 On

I’m in the same boat as you! I’m really curious about the best next steps here.

Answered By PilotProject On

I recently started testing with the registry key method on a pilot group in IT, and everything has been smooth up to this point.

Answered By GPOExpert On

I’d recommend just setting up the GPO, Intune, or registry method that works best for your situation, and once you’ve restarted a couple of times, check for event ID 1808 to confirm it’s working. This process has been pretty seamless for me so far!

TroubledTech -

You’re lucky! I set the 0x5944 registry value, and I see progress in the registry, but it just stalls for days. Not sure what else to try other than patience.

Answered By RegistryKing On

I pushed out the registry key after ensuring all the BIOSes were updated, and now we're good to go!

Answered By SysAdminGeek On

You basically have three options for handling this situation: 1. Do nothing and hope your devices are classified as high confidence by Microsoft, which means they’re known good models and firmware. If so, expect an automatic Secure Boot update in a future Cumulative Update. 2. Opt into the MicrosoftManaged approach, which requires you to set a registry key and share diagnostic data to help Microsoft determine your device's readiness. 3. Go for the enforceable route by using registry edits, GPOs, Intune, or WinCS to set the AvailableUpdates or AvailableUpdatesPolicy value to 5944. The Secure-Boot-Update scheduled task will then manage the rest; it runs every 12 hours or whenever the system is rebooted. Just remember, BIOS updates may be necessary for any of these methods to ensure success.

ITDude89 -

Right? Keeping your BIOS updated on all devices is crucial for Option 1 to work.

Answered By IntuneWarrior On

Honestly, it feels like we're kind of in a ‘wait and see’ situation with all the deployment methods. I set it up via Intune, but it's not functioning correctly on Windows 11 Pro devices—ours are supposed to upgrade to Enterprise. Microsoft acknowledged the issue back in December and is still looking into it. I'm holding out for the January Windows update to see if the Intune policy starts working; otherwise, I might have to manually handle the registry and task scheduling. I did manually change registry keys on a test PC, and it confirmed that the Secure Boot certificate was configured, so that might be a solid fallback option.

ITGuy2024 -

+1 for the script from Richard Hicks, it really helped me out!

Related Questions

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.