Category
stayInformed
Severity
normal
Major change
True
Last modified
2025-07-08 23:35:43
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
—
Action by (AI)
2026-06-01 00:00:00
Services
Windows
Tags
Admin impact
Master tags
Security
Roadmap IDs
One-line summary
Microsoft will roll out updated Secure Boot certificates for Windows systems; current certificates start expiring June 2026, requiring firmware and policy updates to maintain security.
Similar updates
More like thisMC1185931 Secure Boot playbook for certificates expiring in 2026
Secure Boot playbook for certificates expiring in 2026 Secure Boot certificates on many Windows devices will expire in June 2026; admins should monitor, prepare, and update certificates to ensure continued protection. When will this happen: While Microsoft will deliver the new 2023 Secure Boot certificates through Windows monthly updates—with.
MC1139443 Secure Boot certificate expiration: What Windows IT admins need to know now
Secure Boot certificate expiration: What Windows IT admins need to know now Microsoft is updating Secure Boot certificates before current ones expire in 2026; IT admins must ensure systems accept new certificates to maintain security and updates. Additional information: Read Act now: Secure Boot certificates expire in June 2026. Plan for.
MC1173103 Secure Boot certificate deployment guide and tools
Secure Boot certificate deployment guide and tools Update expiring Secure Boot certificates to 2023 CAs using new guides and tools; 2011 CAs start expiring June 2026, with 2023 CAs rolling out via Windows updates from October 2025. Use the newly published guide and tools to start updating your organization’s expiring Secure Boot certificates..
MC1192217 Secure Boot AMA: Ask Microsoft Anything on December 10
Join us December 10, 2025, at 8:00 AM PST for a live Ask Microsoft Anything (AMA) session focused on updating Secure Boot certificates on your Windows devices before they expire in June 2026. Join a live AMA on December 10, 2025, for guidance on updating Secure Boot certificates on Windows devices before their June 2026 expiration; get expert.
MC1193371 How to use Microsoft Intune to update expiring Secure Boot certificates
How to use Microsoft Intune to update expiring Secure Boot certificates Intune now supports deploying and managing Secure Boot certificate updates for Windows clients, offering an alternative to registry and Group Policy methods. When will this happen: The following settings are now available in the Intune settings catalog: Configure Microsoft.
MC1160163 Frequently asked questions about the Secure Boot update process
Frequently asked questions about the Secure Boot update process Review FAQs and recommendations to prepare for Windows Secure Boot certificate expiration before June 2026. Do you have questions about Windows S... It’s best to update Secure Boot certificates well before the June 2026 expiration date. Check out an initial set of frequently asked.
Details
Body (from Message Center)
Updated July 8, 2025: survey link changed
In the coming months, Microsoft will be rolling out updated Secure Boot certificates needed to ensure a secure startup environment of Windows. Current certificates will start expiring in June 2026 on all Windows systems released since 2012, except for 2025 Copilot+ PCs. This also affects third-party operating systems. Start by checking on the latest available firmware from original equipment manufacturers (OEMs) and enabling Windows diagnostic data. Visit the Secure Boot certificate rollout landing page for guidance for personal devices and IT-managed systems.
When will this happen:
- In the coming months, the following updated certificates will be rolling out: Microsoft Corporation KEK 2K CA 2023, Microsoft Corporation UEFI CA 2023, Microsoft Option ROM UEFI CA 2023, Windows UEFI CA 2023
- June 2026, the following certificates will expire: Microsoft Corporation KEK CA 2011 and Microsoft Corporation UEFI CA 2011 (or third-party UEFI CA)
- October 2026, the following certificate will expire: Microsoft Windows Production PCA 2011
How this will affect your organization:
Most supported Windows systems released since 2012, including the long-term servicing channel (LTSC), are affected. Not affected are Copilot+ PCs released in 2025. Affected third-party OS includes MacOS. However, it’s outside the scope of Microsoft support. For Linux systems dual booting with Windows, Windows will update the certificates that Linux relies on.
Unless prepared, affected physical and virtual machine (VM) devices will:
- Lose ability to install Secure Boot security updates after June 2026.
- Not trust third-party software signed with new certificates after June 2026.
- Not receive security fixes for Windows boot manager by October 2026.
What you need to do to prepare:
First, check on the latest available firmware from original equipment manufacturers (OEMs). Then, allow Microsoft to manage Windows updates, including Secure Boot updates:
- Configure your organizational policies to allow at least the “required” level of diagnostic data.
- Allow Microsoft to manage Secure Boot-related updates for your devices by setting the following registry key:
- Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot
- Key name: MicrosoftUpdateManagedOptIn
- Type: DWORD
- DWORD value: 0x5944 (opt in to Windows Secure Boot updates)
If you prefer not to enable diagnostic data, please take this anonymous readiness survey.
Additional information:
- Read Act now. Secure Boot certificates expire in June 2026.
- Bookmark Secure Boot certificate rollout landing page.
- Consult guidance for Windows devices for businesses and organizations with IT-managed updates.
- For unmanaged scenarios, see Windows devices for home users, businesses, and schools with Microsoft-managed updates.
- Follow guidance in Windows 11 and Secure Boot to check if it’s enabled.
- Get additional technical guidance at Updating Microsoft Secure Boot keys.
Raw JSON (for debugging)
Expand/collapse the full payload below.
Show/hide raw
{
"snapshot_item": {
"action_required_by": null,
"ai_action_required_by": "2026-06-01T00:00:00Z",
"ai_actions": [
"Check for latest OEM firmware",
"Enable Windows diagnostic data",
"Set registry key for Secure Boot updates",
"Review Secure Boot certificate guidance"
],
"ai_master_tags": [
"Security"
],
"ai_model": "gpt-4.1",
"ai_summary": "Microsoft will roll out updated Secure Boot certificates for Windows systems; current certificates start expiring June 2026, requiring firmware and policy updates to maintain security.",
"ai_topics": [
"Windows",
"Copilot"
],
"category": "stayInformed",
"details_map": {},
"id": "MC1104112",
"importance": 5,
"is_major_change": true,
"last_modified": "2025-07-08T23:35:43Z",
"ms_products": [
"Windows"
],
"platforms": null,
"roadmap_ids": [],
"services": [
"Windows"
],
"severity": "normal",
"tags": [
"Admin impact"
],
"title": "(Updated) Act now: Secure Boot certificates expire in June 2026"
}
}