check before: 2025-07-08
Product:
Copilot, Windows
Platform:
Linux, Mac, Online, Windows Desktop, World tenant
Status:
Change type:
Admin impact
Links:

Details:
Updated July 8, 2025: survey link changed
In the coming months, Microsoft will be rolling out updated Secure Boot certificates needed to ensure a secure startup environment of Windows. Current certificates will start expiring in June 2026 on all Windows systems released since 2012, except for 2025 Copilot+ PCs. This also affects third-party operating systems. Start by checking on the latest available firmware from original equipment manufacturers (OEMs) and enabling Windows diagnostic data. Visit the Secure Boot certificate rollout landing page for guidance for personal devices and IT-managed systems.
When will this happen:
In the coming months, the following updated certificates will be rolling out: Microsoft Corporation KEK 2K CA 2023, Microsoft Corporation UEFI CA 2023, Microsoft Option ROM UEFI CA 2023, Windows UEFI CA 2023
June 2026, the following certificates will expire: Microsoft Corporation KEK CA 2011 and Microsoft Corporation UEFI CA 2011 (or third-party UEFI CA)
October 2026, the following certificate will expire: Microsoft Windows Production PCA 2011
Created:
2025-06-27
updated:
2025-07-09
summary for non-techies**
Microsoft is rolling out updated Secure Boot certificates because the current ones start expiring in June 2026; users need to update their systems to maintain security and compatibility with new software.
Direct effects for Operations**
Loss of Secure Boot Updates
Devices left on the expiring certificates will lose the ability to install Secure Boot security updates after June 2026, leading to potential vulnerabilities.
- roles: System Administrators, IT Support Staff
- references: https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856
Trust Issues with Third-Party Software
Devices left on the expiring certificates will not trust third-party software signed with the new certificates after June 2026, affecting software installations and updates.
- roles: End Users, System Administrators
- references: https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856
Security Fixes for Boot Manager
Devices left on the expiring certificates will not receive security fixes for Windows boot manager by October 2026, increasing the risk of security breaches.
- roles: System Administrators, IT Security Officers
- references: https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856
Firmware Update Requirements
Failure to check for the latest firmware from OEMs may lead to compatibility issues with the new Secure Boot certificates.
- roles: System Administrators, IT Support Staff
- references: https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856
Diagnostic Data Configuration
Not configuring organizational policies to allow diagnostic data may hinder the management of Secure Boot-related updates.
- roles: IT Managers, System Administrators
- references: https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856
Opportunities**
Streamlined Firmware Update Process
Implementing a centralized firmware management solution can ensure that all devices are running the latest firmware from OEMs, reducing vulnerabilities associated with outdated Secure Boot certificates.
- next-steps: Research and evaluate centralized firmware management tools that integrate with existing IT infrastructure. Develop a rollout plan for implementation across all devices.
- roles: IT Administrators, Security Officers, System Engineers
- references: https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856, https://support.microsoft.com/windows/windows-11-and-secure-boot-a8ff1202-c0d9-42f5-940f-843abef64fad
Enhanced Diagnostic Data Management
By allowing Microsoft to manage Windows updates and diagnostic data, organizations can ensure timely updates for Secure Boot, minimizing the risk of security breaches due to expired certificates.
- next-steps: Create a policy document outlining the benefits of enabling Microsoft-managed updates and diagnostic data. Communicate this to stakeholders and gain approval for implementation.
- roles: IT Managers, Compliance Officers, Security Analysts
- references: https://aka.ms/getsecureboot, https://support.microsoft.com/topic/29bfd847-5855-49f1-bb94-e18497fe2315
User Training and Awareness Programs
Educating users about the importance of Secure Boot and the implications of expired certificates can enhance security posture and compliance with IT policies.
- next-steps: Develop training materials focused on Secure Boot, including its significance and how users can verify their systems. Schedule training sessions and distribute materials to all employees.
- roles: Training Coordinators, IT Support Staff, Security Officers
- references: https://techcommunity.microsoft.com/blog/windows-itpro-blog/updating-microsoft-secure-boot-keys/4055324, https://support.microsoft.com/topic/e2b43f9f-b424-42df-bc6a-8476db65ab2f
** AI generated content. This information must be reviewed before use.

change history
Date | Property | old | new |
2025-07-09 | MC prepare | First, check on the latest available firmware from original equipment manufacturers (OEMs). Then, allow Microsoft to manage Windows updates, including Secure Boot updates:
Configure your organizational policies to allow at least the "required" level of diagnostic data. Allow Microsoft to manage Secure Boot-related updates for your devices by setting the following registry key: Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot Key name: MicrosoftUpdateManagedOptIn Type: DWORD DWORD value: 0x5944 (opt in to Windows Secure Boot updates) If you prefer not to enable diagnostic data, please take this anonymous readiness survey. Additional information: Read Act now. Secure Boot certificates expire in June 2026. Bookmark Secure Boot certificate rollout landing page. Consult guidance for Windows devices for businesses and organizations with IT-managed updates. For unmanaged scenarios, see Windows devices for home users, businesses, and schools with Microsoft-managed updates. Follow guidance in Windows 11 and Secure Boot to check if it's enabled. Get additional technical guidance at Updating Microsoft Secure Boot keys. https://aka.ms/getsecureboot https://forms.office.com/r/dX5V1Crsi0 https://support.microsoft.com/topic/29bfd847-5855-49f1-bb94-e18497fe2315 https://support.microsoft.com/topic/e2b43f9f-b424-42df-bc6a-8476db65ab2f https://support.microsoft.com/windows/windows-11-and-secure-boot-a8ff1202-c0d9-42f5-940f-843abef64fad https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856 https://techcommunity.microsoft.com/blog/windows-itpro-blog/updating-microsoft-secure-boot-keys/4055324 | First, check on the latest available firmware from original equipment manufacturers (OEMs). Then, allow Microsoft to manage Windows updates, including Secure Boot updates:
Configure your organizational policies to allow at least the "required" level of diagnostic data. Allow Microsoft to manage Secure Boot-related updates for your devices by setting the following registry key: Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot Key name: MicrosoftUpdateManagedOptIn Type: DWORD DWORD value: 0x5944 (opt in to Windows Secure Boot updates) If you prefer not to enable diagnostic data, please take this anonymous readiness survey. Additional information: Read Act now. Secure Boot certificates expire in June 2026. Bookmark Secure Boot certificate rollout landing page. Consult guidance for Windows devices for businesses and organizations with IT-managed updates. For unmanaged scenarios, see Windows devices for home users, businesses, and schools with Microsoft-managed updates. Follow guidance in Windows 11 and Secure Boot to check if it's enabled. Get additional technical guidance at Updating Microsoft Secure Boot keys. https://aka.ms/getsecureboot https://aka.ms/SecureBootCA/ReadinessSurvey https://support.microsoft.com/topic/29bfd847-5855-49f1-bb94-e18497fe2315 https://support.microsoft.com/topic/e2b43f9f-b424-42df-bc6a-8476db65ab2f https://support.microsoft.com/windows/windows-11-and-secure-boot-a8ff1202-c0d9-42f5-940f-843abef64fad https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856 https://techcommunity.microsoft.com/blog/windows-itpro-blog/updating-microsoft-secure-boot-keys/4055324 |
2025-07-09 | MC Last Updated | 06/26/2025 19:21:08 | 2025-07-09T01:35:43Z |
2025-07-09 | MC Messages | In the coming months, Microsoft will be rolling out updated Secure Boot certificates needed to ensure a secure startup environment of Windows. Current certificates will start expiring in June 2026 on all Windows systems released since 2012, except for 2025 Copilot+ PCs. This also affects third-party operating systems. Start by checking on the latest available firmware from original equipment manufacturers (OEMs) and enabling Windows diagnostic data. Visit the Secure Boot certificate rollout landing page for guidance for personal devices and IT-managed systems.
When will this happen: In the coming months, the following updated certificates will be rolling out: Microsoft Corporation KEK 2K CA 2023, Microsoft Corporation UEFI CA 2023, Microsoft Option ROM UEFI CA 2023, Windows UEFI CA 2023 June 2026, the following certificates will expire: Microsoft Corporation KEK CA 2011 and Microsoft Corporation UEFI CA 2011 (or third-party UEFI CA) October 2026, the following certificate will expire: Microsoft Windows Production PCA 2011 | Updated July 8, 2025: survey link changed
In the coming months, Microsoft will be rolling out updated Secure Boot certificates needed to ensure a secure startup environment of Windows. Current certificates will start expiring in June 2026 on all Windows systems released since 2012, except for 2025 Copilot+ PCs. This also affects third-party operating systems. Start by checking on the latest available firmware from original equipment manufacturers (OEMs) and enabling Windows diagnostic data. Visit the Secure Boot certificate rollout landing page for guidance for personal devices and IT-managed systems. When will this happen: In the coming months, the following updated certificates will be rolling out: Microsoft Corporation KEK 2K CA 2023, Microsoft Corporation UEFI CA 2023, Microsoft Option ROM UEFI CA 2023, Windows UEFI CA 2023 June 2026, the following certificates will expire: Microsoft Corporation KEK CA 2011 and Microsoft Corporation UEFI CA 2011 (or third-party UEFI CA) October 2026, the following certificate will expire: Microsoft Windows Production PCA 2011 |
2025-07-09 | MC Start Time | 06/26/2025 19:21:07 | 2025-07-09T01:35:41Z |
2025-07-09 | MC Title | Act now: Secure Boot certificates expire in June 2026 | (Updated) Act now: Secure Boot certificates expire in June 2026 |
2025-07-09 | MC End Time | 06/26/2026 19:21:07 | 2026-07-09T01:35:41Z |
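
The preparation steps recorded above (the `MicrosoftUpdateManagedOptIn` registry value and the 2023 certificate names) can be audited per device with a short script. This is an added example, not Microsoft's or this page's own code; the function names are hypothetical, and it assumes an elevated PowerShell session on UEFI firmware and that each certificate's subject name is readable as ASCII inside the raw Secure Boot variable. The page's fourth name, "Microsoft Corporation UEFI CA 2023", is left out because a substring match would report a false miss if the certificate subject is worded differently.

```powershell
# Added example (not Microsoft's script). Run elevated on a UEFI Windows device.
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'  # from the page
$ValueName = 'MicrosoftUpdateManagedOptIn'                        # from the page
$OptInData = 0x5944                                               # from the page

# Certificate names from the page -> UEFI variable assumed to hold each one.
$Expected = [ordered]@{
    'Microsoft Corporation KEK 2K CA 2023' = 'KEK'
    'Windows UEFI CA 2023'                 = 'db'
    'Microsoft Option ROM UEFI CA 2023'    = 'db'
}

function Test-SecureBootCert {
    param([string]$Variable, [string]$Name)
    # Assumption: the subject name sits in the DER certificate as ASCII bytes,
    # so a substring search over the raw variable contents finds it.
    $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    [System.Text.Encoding]::ASCII.GetString($bytes).Contains($Name)
}

function Get-SecureBootCertReadiness {
    param([switch]$OptIn)   # -OptIn writes the registry value; default is read-only

    try   { $enabled = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $enabled = $null }   # legacy BIOS, or session not elevated

    $certs = foreach ($name in $Expected.Keys) {
        $found = if ($null -ne $enabled) {
            try { Test-SecureBootCert -Variable $Expected[$name] -Name $name } catch { $null }
        }
        [pscustomobject]@{ Variable = $Expected[$name]; Certificate = $name; Present = $found }
    }

    if ($OptIn) {
        New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord `
            -Value $OptInData -Force | Out-Null
    }
    $current = (Get-ItemProperty -Path $RegPath -Name $ValueName `
                    -ErrorAction SilentlyContinue).$ValueName

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        SecureBootEnabled = $enabled          # $null means the state could not be read
        OptedIn           = ($current -eq $OptInData)
        Certificates      = $certs
    }
}

Get-SecureBootCertReadiness | Format-List
```

A `Present` value of `$null` means the variable could not be read, which is different from `$false` (variable read, name not found); treat the two separately when aggregating results across a fleet.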