Course Description

Secure Boot is changing in 2026. Microsoft is updating the Secure Boot certificates and revocation lists used to validate boot components, which may affect how devices boot, deploy, and recover. If you manage Windows endpoints, servers, or imaging infrastructure, you need to understand what these changes mean in practice. 

In this focused and practical mini course, we break down what is changing and why it matters. We’ll walk through deployment impact, firmware considerations, registry signals, event logs, and detection strategies across ConfigMgr, Intune, and standalone systems.

You’ll leave with a clear remediation plan, validation techniques, and a structured testing approach before changes hit production. No hype. No fear. Just engineering.

This LIVE Online Training, presented by Johan Arwidmark and Andrew Johnson, provides a comprehensive and actionable guide to navigating the Secure Boot certificate transition in 2026.

This LIVE Online Training is for YOU if you want to:

  • Understand what is changing in Secure Boot in 2026
  • Identify what can break in deployments and recovery scenarios
  • Learn how DB and DBX updates impact imaging and boot media
  • Build detection and monitoring strategies for certificate rollout
  • Ask Johan and Andrew questions directly in a live training environment


If you can't attend the live event, the webinar will be recorded and available within 24 hours of the broadcast. 

Course Schedule

Date and Time for Live Webinars

Upcoming Live 90-Minute Webinar:

  • Date & Start Time: Thursday, April 2, 9:00–10:30 AM Central Time (US and Canada)


Course Outline

Module 1: Secure Boot 2026 Fundamentals and What Is Changing

  • How the Secure Boot trust chain actually works (PK, KEK, DB, DBX)
  • Microsoft certificate history and why 2026 matters
  • Windows UEFI CA 2023 certificate transition
  • Revocations and DBX updates
  • What these changes mean for Windows clients and servers 


Module 2: What Breaks in the Real World

  • Imaging failures with outdated boot media
  • PXE, Task Sequence, and recovery environment impact
  • Firmware inconsistencies across OEMs
  • Offline and long-lifecycle devices
  • How outdated boot loaders and media cause unexpected failures


Module 3: Detection, Remediation, and Deployment Strategy

  • Registry keys, capability indicators, and event IDs
  • PowerShell validation techniques
  • Identifying at-risk devices
  • Updating ADK and boot media correctly
  • Phased rollout and lab testing model
  • Remediation and recovery strategy

Instructors

Johan Arwidmark

Johan Arwidmark is a consultant, author, speaker, and all-around geek specializing in Enterprise Windows Deployment Solutions and Systems Management. Johan speaks at several conferences around the world each year, including MMS and Ignite. He is also actively involved in the deploymentresearch.com community, and he has held the Microsoft Most Valuable Professional (MVP) award since 2005. Johan is known for his energetic and humorous style, tackling complex concepts using simple "Real World" scenarios and lots of live demos. His areas of expertise include Enterprise Windows Deployment Tools and Management Systems: Intune, MDT, WinPE, WDS, and ConfigMgr (SCCM).

Johan Arwidmark

Technical Fellow

Andrew Johnson

Andrew has served in various technical and leadership roles in IT for over 15 years, spending most of his time in higher education. He's always looking for new ways to perform tasks more efficiently and share knowledge with others. His three favorite technology areas are Endpoint Management, Automation, and Monitoring. When he's not working with tech - professionally or in his home lab - you'll likely find him building the latest Star Wars LEGO set with his family. If you'd like to chat ConfigMgr, Intune, Azure AD, Office 365, Disney World or Star Wars, you can always find him on Twitter, @AndrewJNet.

Andrew Johnson

Solutions Architect, ADM Solutions