Secure Boot protects Windows systems by validating firmware and boot components against trusted certificates. The Microsoft-issued certificates used in Secure Boot expire in 2026. In the coming months, Microsoft will roll out updated Secure Boot certificates needed to maintain a secure startup environment for Windows. IT-managed environments must take action to ensure their systems remain secure and serviceable. This post outlines what enterprise IT admins need to know and do.
When will this happen:
- Microsoft UEFI CA 2011 and Microsoft KEK CA 2011 expire in June 2026.
- Microsoft Windows Production PCA 2011 expires in October 2026.
- Microsoft is rolling out updated certificates now via Windows Update to home users, businesses, and schools with devices that have updates managed by Microsoft.
How this will affect your organization:
Without updated certificates, Secure Boot-enabled systems may:
- Fail to receive future security updates.
- Be unable to validate new boot components.
- Face increased risk from boot-level vulnerabilities.
What you need to do to prepare:
- Check with your OEM for the latest available firmware updates. These updates ensure your device’s Secure Boot configuration can accept new certificates.
- Review the KB articles and blog post listed below.
- Get familiar with the update paths available:
  - Opt in to Microsoft-managed updates by enabling diagnostic data and setting the registry key MicrosoftUpdateManagedOptIn.
  - Follow manual update steps for DB and KEK using published Microsoft guidance.
  - Plan for future partially automated solutions that Microsoft will release to support self-service deployments.
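The preparation steps above (confirm Secure Boot is enabled, see which certificate generation the DB and KEK currently carry, then opt in to the Microsoft-managed rollout) can be scripted. The following is an added example, not a script from this post or from Microsoft; it uses the built-in Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets and the documented ASCII-decode-and-match approach for reading certificate subjects out of the raw UEFI variables. The 2023-generation certificate names, the registry path, and the DWORD value 0x5944 are assumptions taken from Microsoft's published guidance rather than from this post; confirm them against the KB articles linked below before deploying.

```powershell
# Added example (not from the Microsoft post): read-only Secure Boot certificate readiness
# report plus the opt-in step for the Microsoft-managed rollout. Run in an elevated
# PowerShell session on the device being assessed.
#
# Assumptions (labelled, not taken from the post):
#  - 2023-generation CA names and the registry path/value for MicrosoftUpdateManagedOptIn
#    (HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot, DWORD 0x5944) follow Microsoft's
#    published guidance; verify against the linked KB articles.

function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI throws on legacy BIOS or non-UEFI systems; treat that as "not enabled".
    $enabled = $false
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $false }

    # Get-SecureBootUEFI returns the raw variable bytes. Certificate subject names are stored
    # as printable strings inside the DER-encoded certs, so an ASCII decode and -match is
    # enough to tell which CAs are present in the signature database (DB) and KEK.
    $db  = ''
    $kek = ''
    if ($enabled) {
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    }

    [pscustomobject]@{
        SecureBootEnabled    = $enabled
        Db_UefiCA2011        = $db  -match 'Microsoft Corporation UEFI CA 2011'
        Db_ProductionPCA2011 = $db  -match 'Microsoft Windows Production PCA 2011'
        Db_WindowsUefiCA2023 = $db  -match 'Windows UEFI CA 2023'               # assumed name
        Db_UefiCA2023        = $db  -match 'Microsoft UEFI CA 2023'             # assumed name
        Kek_KekCA2011        = $kek -match 'Microsoft Corporation KEK CA 2011'
        Kek_KekCA2023        = $kek -match 'Microsoft Corporation KEK 2K CA 2023' # assumed name
    }
}

function Enable-MicrosoftManagedSecureBootUpdate {
    # Opt-in value per Microsoft guidance; path and 0x5944 are assumptions to verify.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'MicrosoftUpdateManagedOptIn' `
        -PropertyType DWord -Value 0x5944 -Force | Out-Null
    Get-ItemProperty -Path $path -Name 'MicrosoftUpdateManagedOptIn'
}

# Usage: report first; opt in only on devices whose OEM firmware is already current.
$status = Get-SecureBootCertStatus
$status | Format-List
if ($status.SecureBootEnabled -and -not $status.Db_WindowsUefiCA2023) {
    Write-Host 'DB still lacks a 2023 CA; this device needs the certificate rollout.'
}
```

Run the report across a pilot group before calling Enable-MicrosoftManagedSecureBootUpdate: the opt-in only has effect on devices that also send diagnostic data, as the post notes, and a device whose OEM firmware cannot accept the new DB and KEK entries will not be fixed by the registry value alone.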
Additional information:
- Read Act now: Secure Boot certificates expire in June 2026.
- Bookmark the Secure Boot certificate rollout landing page.
- Consult guidance for Windows devices for businesses and organizations with IT-managed updates.
- For unmanaged scenarios, see Windows devices for home users, businesses, and schools with Microsoft-managed updates.
- Follow guidance in Windows 11 and Secure Boot to check if it’s enabled.
- Check OEM guidance in Windows Secure Boot Key Creation and Management Guidance.
- Get additional technical guidance at Updating Microsoft Secure Boot keys.