Category
stayInformed
Severity
normal
Major change
True
Last modified
2025-11-18 19:41:56
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
—
Action by (AI)
2026-06-01 00:00:00
Services
Windows
Tags
Admin impact
Master tags
Security
Roadmap IDs
One-line summary
Secure Boot certificates on many Windows devices will expire in June 2026; admins should monitor, prepare, and update certificates to ensure continued protection.
Similar updates
More like thisMC1104112 (Updated) Act now: Secure Boot certificates expire in June 2026
(Updated) Act now: Secure Boot certificates expire in June 2026 Microsoft will roll out updated Secure Boot certificates for Windows systems; current certificates start expiring June 2026, requiring firmware and policy updates to maintain security. Updated July 8, 2025: survey link changed In the coming months, Microsoft will be rolling out.
MC1139443 Secure Boot certificate expiration: What Windows IT admins need to know now
Secure Boot certificate expiration: What Windows IT admins need to know now Microsoft is updating Secure Boot certificates before current ones expire in 2026; IT admins must ensure systems accept new certificates to maintain security and updates. What you need to do to prepare: Check with your OEM for the latest available firmware updates..
MC1173103 Secure Boot certificate deployment guide and tools
Secure Boot certificate deployment guide and tools Update expiring Secure Boot certificates to 2023 CAs using new guides and tools; 2011 CAs start expiring June 2026, with 2023 CAs rolling out via Windows updates from October 2025. Use the newly published guide and tools to start updating your organization’s expiring Secure Boot certificates. As.
MC1192217 Secure Boot AMA: Ask Microsoft Anything on December 10
Join us December 10, 2025, at 8:00 AM PST for a live Ask Microsoft Anything (AMA) session focused on updating Secure Boot certificates on your Windows devices before they expire in June 2026. This event gives IT admins the chance to ask questions and get expert guidance on Secure Boot configuration, update scenarios, inventorying and preparing.
MC1193371 How to use Microsoft Intune to update expiring Secure Boot certificates
How to use Microsoft Intune to update expiring Secure Boot certificates Intune now supports deploying and managing Secure Boot certificate updates for Windows clients, offering an alternative to registry and Group Policy methods. See how these methods work together in Secure Boot playbook for certificates expiring in 2026. Intune now supports.
MC1160163 Frequently asked questions about the Secure Boot update process
Frequently asked questions about the Secure Boot update process Review FAQs and recommendations to prepare for Windows Secure Boot certificate expiration before June 2026. It’s best to update Secure Boot certificates well before the June 2026 expiration date. How this will affect your organization: This set of questions is available to help.
Details
Body (from Message Center)
Secure Boot helps ensure that only trusted software runs during the boot sequence. It uses cryptographic keys, known as certificate authorities (CAs), to validate that firmware modules come from a trusted source. After 15 years, the Secure Boot certificates that are part of many Windows systems will start expiring in June 2026. These certificates were originally issued in 2011. Many Windows PCs manufactured since 2024 already have updated (2023) certificates. For the remaining devices, we recommend that you start monitoring the progress of certificate updates today as well as prepare for and install new certificates on devices that aren’t automatically getting them through Windows updates. An initial set of tools and guidance is now available to support you in this effort.
When will this happen:
While Microsoft will deliver the new 2023 Secure Boot certificates through Windows monthly updates—with original equipment manufacturers (OEMs) offering firmware updates to help ensure compatibility—you can proactively install the 2023 CAs before the 2011 CAs start expiring in June of 2026.
What you need to do to prepare:
Read the Secure Boot playbook for certificates expiring in 2026 for steps you can take today to help ensure your devices stay protected after June 2026. Specifically, you can now:
- Inventory and prepare your environments for this change.
- Monitor and check your devices for Secure Boot status.
- Apply OEM firmware updates before Microsoft updates.
- Plan and pilot your Secure Boot certificate deployments.
- Use available tools to troubleshoot and remediate common issues.
If you’d like to deploy the new Secure Boot certificates yourself today, you can utilize registry keys, WinCS, or Group Policy. Soon, you’ll be able to use scalable MDM solutions, such as Microsoft Intune. We will provide an update when this method is available.
Additional information:
Bookmark https://aka.ms/GetSecureBoot for more information about this change, detailed guidance for managing Secure Boot certificate update, and answers to frequently asked questions.
Raw JSON (for debugging)
Expand/collapse the full payload below.
Show/hide raw
{
"snapshot_item": {
"action_required_by": null,
"ai_action_required_by": "2026-06-01T00:00:00Z",
"ai_actions": [
"Inventory and prepare environments",
"Monitor Secure Boot status",
"Apply OEM firmware updates",
"Plan and pilot certificate deployments",
"Use available tools for troubleshooting"
],
"ai_master_tags": [
"Security"
],
"ai_model": "gpt-4.1",
"ai_summary": "Secure Boot certificates on many Windows devices will expire in June 2026; admins should monitor, prepare, and update certificates to ensure continued protection.",
"ai_topics": [
"Windows"
],
"category": "stayInformed",
"details_map": {},
"id": "MC1185931",
"importance": 5,
"is_major_change": true,
"last_modified": "2025-11-18T19:41:56Z",
"ms_products": [
"Windows"
],
"platforms": null,
"roadmap_ids": [],
"services": [
"Windows"
],
"severity": "normal",
"tags": [
"Admin impact"
],
"title": "Secure Boot playbook for certificates expiring in 2026"
}
}