Secure Boot certificate deployment guide and tools
MC1173103
Category: preventOrFixIssue
Severity: normal
Major change: False
Last modified: 2025-10-15 17:10:43
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph):
Action by (AI):
Services: Windows
Tags: Admin impact
Master tags: Security
Roadmap IDs:

One-line summary

Update expiring Secure Boot certificates to 2023 CAs using new guides and tools; 2011 CAs start expiring June 2026, with 2023 CAs rolling out via Windows updates from October 2025.

Similar updates

More like this
MC1104112 (Updated) Act now: Secure Boot certificates expire in June 2026
When will this happen: In the coming months, the following updated certificates will be rolling out: Microsoft Corporation KEK 2K CA 2023, Microsoft Corporation UEFI CA 2023, Microsoft Option ROM UEFI CA 2023, Windows UEFI CA 2023. June 2026, the following certificates will expire: Microsoft Corporation KEK CA 2011 and Microsoft Corporation UEFI.
MC1185931 Secure Boot playbook for certificates expiring in 2026
Secure Boot certificates on many Windows devices ... An initial set of tools and guidance is now available to support you in this effort. When will this happen: While Microsoft will deliver the new 2023 Secure Boot certificates through Windows monthly updates—with original equipment.
MC1139443 Secure Boot certificate expiration: What Windows IT admins need to know now
Microsoft is updating Secure Boot certificates before current ones expire in 2026; IT admins must ensure systems accept new certificates to maintain security and updates. This post outlines what enterpris... Microsoft Windows Production PCA 2011 expires in October 2026.
MC1193371 How to use Microsoft Intune to update expiring Secure Boot certificates
Intune now supports deploying and managing Secure Boot certificate updates for Windows clients, offering an alternative to registry and Group Policy methods. When will this happen: The following settings are now available in the Intune settings catalog: Configure Microsoft.
MC1192217 Secure Boot AMA: Ask Microsoft Anything on December 10
Join a live AMA on December 10, 2025, for guidance on updating Secure Boot certificates on Windows devices before their June 2026 expiration; get expert advice and post questions in advance. Join us December 10, 2025, at 8:00 AM PST for a live Ask Microsoft Anything (AMA) session focused on.
MC1160163 Frequently asked questions about the Secure Boot update process
Review FAQs and recommendations to prepare for Windows Secure Boot certificate expiration before June 2026. It’s best to update Secure Boot certificates well before the June 2026 expiration date. Catch up on recommendations for Windows devices... Review FAQs and recommendations to.

Details

Body (from Message Center)

Use the newly published guide and tools to start updating your organization’s expiring Secure Boot certificates. As the 2011 certificate authorities (CAs) start expiring in June 2026, 2023 CAs are required. Updated CAs allow Secure Boot to continue preventing malware early in the startup sequence. New resources are available for you to start monitoring, deploying, and troubleshooting Secure Boot CAs. These include the deployment playbook, new registry keys, Windows Event Log, and Windows Configuration System (WinCS) APIs. 
 
When will this happen: 
  • The deployment guide, new registry keys, and WinCS are available today. 
  • The 2023 Secure Boot CAs are rolling out gradually as part of Windows monthly updates starting with the October 2025 security update. 
  • Additional tools will be available soon. 
  • The 2011 CAs start expiring in June 2026.
 
How this will affect your organization: 
Devices manufactured before 2012 and those that don’t already have new certificates need to be updated with the 2023 CAs. We recommend taking measures well before the 2011 CAs start expiring. 
 
What you need to do to prepare: 
If your organization sends diagnostic data and lets Microsoft manage your updates, your devices will automatically get updated CAs with the monthly Windows updates. You can also opt in to let Microsoft determine high-confidence devices that will get these CAs first.  
 
If you prefer to deploy these CAs yourself, follow the deployment playbook to monitor, deploy, and troubleshoot Secure Boot updates. You can use new registry keys, Windows Event Log, and WinCS to do so. 
 
Additional information: 
