Category: stayInformed
Severity: normal
Major change: True
Last modified: 2025-08-21 22:47:28
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph): —
Action by (AI): 2026-06-01 00:00:00
Services: Windows
Tags: Admin impact
Master tags: Security
Roadmap IDs: (none)
One-line summary: Microsoft is updating Secure Boot certificates before current ones expire in 2026; IT admins must ensure systems accept new certificates to maintain security and updates.
Similar updates
MC1104112 (Updated) Act now: Secure Boot certificates expire in June 2026
Microsoft will roll out updated Secure Boot certificates for Windows systems; current certificates start expiring June 2026, requiring firmware and policy updates to maintain security. Visit the Secure Boot certificate rollout landing page for guidance for personal devices and.
MC1185931 Secure Boot playbook for certificates expiring in 2026
Secure Boot certificates on many Windows devices will expire in June 2026; admins should monitor, prepare, and update certificates to ensure continued protection. Additional information: Bookmark https://aka.ms/GetSecureBoot for more information about this change, detailed guidance for.
MC1173103 Secure Boot certificate deployment guide and tools
Update expiring Secure Boot certificates to 2023 CAs using new guides and tools; 2011 CAs start expiring June 2026, with 2023 CAs rolling out via Windows updates from October 2025. Use the newly published guide and tools to start updating your organization’s expiring Secure Boot certificates.
MC1193371 How to use Microsoft Intune to update expiring Secure Boot certificates
Intune now supports deploying and managing Secure Boot certificate updates for Windows clients, offering an alternative to registry and Group Policy methods. ...vailable in the Intune settings catalog: Configure Microsoft Update Managed Opt-In Configure High-Confidence.
MC1192217 Secure Boot AMA: Ask Microsoft Anything on December 10
Join us December 10, 2025, at 8:00 AM PST for a live Ask Microsoft Anything (AMA) session focused on updating Secure Boot certificates on your Windows devices before they expire in June 2026. This event gives IT admins the chance to ask questions and get expert guidance on Secure Boot configuration, update scenarios, inventorying and preparing.
MC1160163 Frequently asked questions about the Secure Boot update process
Review FAQs and recommendations to prepare for Windows Secure Boot certificate expiration before June 2026. Do you have questions about Windows Secure Boot certificate ex... It’s best to update Secure Boot certificates well before the June 2026 expiration date. Catch up on.
Details
Body (from Message Center)
Secure Boot protects Windows systems by validating firmware and boot components using trusted certificates. Microsoft-issued certificates used in Secure Boot are expiring in 2026. In the coming months, Microsoft will roll out the updated Secure Boot certificates needed to keep the Windows startup environment secure. IT-managed environments must take action to ensure their systems remain secure and serviceable. This post outlines what enterprise IT admins need to know and do.
When will this happen:
- Microsoft UEFI CA 2011 and Microsoft KEK CA 2011 expire in June 2026.
- Microsoft Windows Production PCA 2011 expires in October 2026.
- Microsoft is rolling out updated certificates now via Windows Update to home users, businesses, and schools with devices that have updates managed by Microsoft.
How this will affect your organization:
Without updated certificates, Secure Boot-enabled systems may:
- Fail to receive future security updates.
- Be unable to validate new boot components.
- Face increased risk from boot-level vulnerabilities.
What you need to do to prepare:
- Check with your OEM for the latest available firmware updates. These updates ensure your device’s Secure Boot configuration can accept new certificates.
- Review the KB articles and blog post listed below.
- Get familiar with the update paths available:
  - Opt in to Microsoft-managed updates by enabling diagnostic data and setting the registry key MicrosoftUpdateManagedOptIn.
  - Follow manual update steps for DB and KEK using published Microsoft guidance.
  - Plan for future partially automated solutions that Microsoft will release to support self-service deployments.
Additional information:
- Read Act now: Secure Boot certificates expire in June 2026.
- Bookmark the Secure Boot certificate rollout landing page.
- Consult guidance for Windows devices for businesses and organizations with IT-managed updates.
- For unmanaged scenarios, see Windows devices for home users, businesses, and schools with Microsoft-managed updates.
- Follow guidance in Windows 11 and Secure Boot to check if it’s enabled.
- Check OEM guidance in Windows Secure Boot Key Creation and Management Guidance.
- Get additional technical guidance at Updating Microsoft Secure Boot keys.
Raw JSON (for debugging)
{
  "snapshot_item": {
    "action_required_by": null,
    "ai_action_required_by": "2026-06-01T00:00:00Z",
    "ai_actions": [
      "Check OEM for latest firmware updates",
      "Review Microsoft guidance and KB articles",
      "Enable Microsoft-managed updates or follow manual update steps",
      "Plan for future automated update solutions"
    ],
    "ai_master_tags": [
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "Microsoft is updating Secure Boot certificates before current ones expire in 2026; IT admins must ensure systems accept new certificates to maintain security and updates.",
    "ai_topics": [
      "Windows"
    ],
    "category": "stayInformed",
    "details_map": {},
    "id": "MC1139443",
    "importance": 5,
    "is_major_change": true,
    "last_modified": "2025-08-21T22:47:28Z",
    "ms_products": [
      "Windows"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Windows"
    ],
    "severity": "normal",
    "tags": [
      "Admin impact"
    ],
    "title": "Secure Boot certificate expiration: What Windows IT admins need to know now"
  }
}