MC1139443 – Secure Boot certificate expiration: What Windows IT admins need to know now


check before: 2026-06-01

Product: Windows
Platform: Online, Windows Desktop, World tenant
Change type: Admin impact

Details:

Secure Boot protects Windows systems by validating firmware and boot components against trusted certificates. The Microsoft-issued certificates currently used for Secure Boot expire in 2026. Over the coming months Microsoft is rolling out updated Secure Boot certificates that are needed to keep the Windows startup environment secure and serviceable. IT-managed environments must take action so that their systems remain secure and continue to receive boot-component updates. This post outlines what enterprise IT admins need to know and do.

When will this happen:
Microsoft Corporation KEK CA 2011 and Microsoft Corporation UEFI CA 2011 expire in June 2026.
Microsoft Windows Production PCA 2011 expires in October 2026.
The replacements are the 2023-generation CAs (Microsoft Corporation KEK 2K CA 2023 for the KEK; Windows UEFI CA 2023, Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 for the db). Devices that still hold only the 2011 certificates keep booting after these dates, but they can no longer receive boot-component security updates signed under the new certificates.
Microsoft is rolling out the updated certificates now via Windows Update to home users, businesses and schools whose device updates are managed by Microsoft; IT-managed environments must apply them deliberately.

Created:
2025-08-22

updated:
2025-08-22

Direct effects for Operations**

Secure Boot Servicing Failure
After the 2011 certificates expire, devices that have not received the replacement certificates continue to boot, but Windows can no longer deliver security updates to boot components (boot manager and related binaries) signed under the new certificates, so known boot-level vulnerabilities stay unpatched.
   - roles: IT Administrator, Security Officer
   - references: https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856

Boot Component Validation Issues
Firmware that trusts only the 2011 certificates cannot validate boot components, drivers or option ROMs signed with the new certificates; new hardware, updated boot media and refreshed boot loaders may be rejected, causing instability and operational disruption.
   - roles: IT Administrator, End User
   - references: https://learn.microsoft.com/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11

Increased Vulnerability Risk
Without the updated certificates, fixes and revocations for the boot chain cannot be delivered through the normal update channel, so exposure to bootkits and other pre-OS attacks grows over time.
   - roles: Security Officer, IT Administrator
   - references: https://support.microsoft.com/topic/windows-devices-for-businesses-and-organizations-with-it-managed-updates-e2b43f9f-b424-42df-bc6a-8476db65ab2f

Firmware Update Dependency
Installing the new certificates writes to the UEFI KEK and DB variables, and some firmware needs an OEM firmware update before it accepts these writes. Not checking with the OEM can leave devices unable to take the new certificates and out of compliance.
   - roles: IT Administrator, Compliance Officer
   - references: https://support.microsoft.com/topic/e2b43f9f-b424-42df-bc6a-8476db65ab2f

Manual Update Challenges
Organizations that manage their own updates must apply the DB and KEK updates themselves until Microsoft ships more automated tooling. Without preparation and a tested rollout process, IT admins risk delays in securing the fleet and a heavier help-desk load.
   - roles: IT Administrator, Help Desk Support
   - references: https://support.microsoft.com/topic/29bfd847-5855-49f1-bb94-e18497fe2315
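As an added example (not code from the Message Center post or from Microsoft's tooling), the PowerShell below reads the KEK and db variables with the built-in SecureBoot module, parses the EFI_SIGNATURE_LIST structures they contain, lists each CA certificate with its real NotAfter date, and reports whether the 2023 replacement CAs (Microsoft Corporation KEK 2K CA 2023 in the KEK; Windows UEFI CA 2023, Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 in the db) are present. It serves both the expiry timeline above and the manual DB/KEK update item: run it before and after a firmware or certificate update to confirm what the firmware actually trusts. The function names and the one-year warning threshold are assumptions of this example; UEFICA2023Status is the servicing status value Windows writes once its certificate update task has run, and it is read only if present.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post: inventory the CA certificates in the UEFI
# Secure Boot KEK and db variables, show each one's expiry, and report whether the 2023
# replacement CAs are present. Needs a UEFI system and the built-in SecureBoot module.

# EFI_CERT_X509_GUID from the UEFI specification; lists of this type carry DER certificates.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-EfiSignatureListCerts {
    # Walk the chain of EFI_SIGNATURE_LIST structures in a variable and return one object
    # per X.509 certificate. Hash entries (e.g. SHA-256 lists in db/dbx) are skipped.
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # Header: SignatureType (GUID), SignatureListSize, SignatureHeaderSize, SignatureSize
        $sigType    = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        if ($sigType -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while (($pos + $sigSize) -le $end) {
                # EFI_SIGNATURE_DATA = SignatureOwner GUID (16 bytes) + SignatureData (DER cert)
                $der  = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Test-SecureBoot2023Cas {
    # Subject CNs of the replacement CAs Microsoft is rolling out, per variable.
    $expected = [ordered]@{
        KEK = @('Microsoft Corporation KEK 2K CA 2023')
        db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
    }

    try {
        if (-not (Confirm-SecureBootUEFI)) {
            Write-Warning 'Secure Boot is supported but currently disabled; variable contents are still shown.'
        }
    } catch {
        Write-Warning "Secure Boot is not available on this platform: $($_.Exception.Message)"
        return
    }

    foreach ($var in $expected.Keys) {
        $certs = @(Get-EfiSignatureListCerts -Bytes (Get-SecureBootUEFI -Name $var).Bytes)
        Write-Host "`n== $var ($($certs.Count) certificates) =="
        $certs | Sort-Object NotAfter | Format-Table NotAfter, Subject -AutoSize | Out-String | Write-Host

        foreach ($cn in $expected[$var]) {
            $pattern = '^CN=' + [regex]::Escape($cn) + '(,|$)'
            $found = $certs | Where-Object { $_.Subject -match $pattern }
            Write-Host ('{0,-40} {1}' -f $cn, $(if ($found) { 'present' } else { 'MISSING' }))
        }

        # Anything expiring within the next year (the 2011 CAs, until replaced) deserves attention now.
        $certs | Where-Object { $_.NotAfter -lt (Get-Date).AddYears(1) } | ForEach-Object {
            Write-Warning ('{0} expires {1:yyyy-MM-dd}' -f $_.Subject, $_.NotAfter)
        }
    }

    # Servicing status Windows writes once its certificate update task has run; absent until then.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
    if ($svc -and $svc.PSObject.Properties['UEFICA2023Status']) {
        Write-Host "`nUEFICA2023Status: $($svc.UEFICA2023Status)"
    }
}

Test-SecureBoot2023Cas
```

Run it from an elevated PowerShell session. The script only reads the variables and registry and writes nothing to firmware, so it is safe to run across a fleet as an inventory step; treat the variable contents, not the registry value, as the source of truth for what the firmware will trust after the 2011 certificates expire.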

explanation for non-techies**

Secure Boot is like a security guard for your computer's startup process. It ensures that only trusted software can run when your computer boots up. This is done using special certificates, much like how a security guard checks IDs before letting someone into a building. These certificates are issued by Microsoft and are crucial for maintaining a secure startup environment.

However, just like IDs, these certificates have expiration dates. Some of the current Secure Boot certificates are set to expire in 2026. This means that, without action, systems might not be able to receive security updates for the software that runs during startup, leaving them more exposed to threats that act before Windows has even loaded.

Microsoft is addressing this by rolling out updated certificates. Think of it as issuing new IDs to ensure that the security guard can continue to do their job effectively. These updates are being distributed through Windows Update, which is like sending the new IDs directly to everyone who needs them.

For IT-managed environments, it's important to ensure that systems are ready to accept these new certificates. This might involve checking with your device manufacturer for the latest firmware updates, which are like software updates for the security guard's ID scanner. Additionally, there are specific steps and settings that need to be followed to ensure a smooth transition to the new certificates.

For those who manage their own updates, there are manual steps available, and Microsoft is planning to release more automated solutions in the future. It's a bit like having the option to either renew your ID at a government office or wait for a more convenient online renewal process.

In summary, keeping your Secure Boot certificates up to date is essential for maintaining a secure and functional system. It's like ensuring that your security guard has the latest tools and credentials to keep your building safe. For more detailed guidance, Microsoft provides resources and support to help navigate this process.

** AI generated content. This information must be reviewed before use.
