MC1173103 – Secure Boot certificate deployment guide and tools

check before: 2025-10-01

Product:

Office 365 general, Windows

Platform:

Online, World tenant

Change type:

Admin impact

Details:

Use the newly published guide and tools to start updating your organization's expiring Secure Boot certificates. As the 2011 certificate authorities (CAs) start expiring in June 2026, 2023 CAs are required. Updated CAs allow Secure Boot to continue preventing malware early in the startup sequence. New resources are available for you to start monitoring, deploying, and troubleshooting Secure Boot CAs. These include the deployment playbook, new registry keys, Windows Event Log, and Windows Configuration System (WinCS) APIs.

When will this happen:
The deployment guide, new registry keys, and WinCS are available today.
The 2023 Secure Boot CAs are rolling out gradually as part of Windows monthly updates starting with the October 2025 security update.
Additional tools will be available soon.
The 2011 CAs begin expiring in June 2026.

Created:
2025-10-15

updated:
2025-10-15

Direct effects for Operations**

Secure Boot Failure
If the new Secure Boot certificates are not deployed in time, devices may fail to boot, leading to downtime and loss of productivity.
   - roles: IT Administrator, End User
   - references: https://support.microsoft.com/topic/secure-boot-certificate-updates-guidance-for-it-professionals-and-organizations-e2b43f9f-b424-42df-bc6a-8476db65ab2f

Increased Security Vulnerabilities
Failure to update to the 2023 CAs may leave systems vulnerable to malware attacks during the startup sequence, compromising organizational security.
   - roles: Security Officer, IT Administrator
   - references: https://support.microsoft.com/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e

User Experience Degradation
Users may experience delays or issues during system startup if the Secure Boot certificates are not updated, leading to frustration and decreased productivity.
   - roles: End User, Help Desk Support
   - references: https://support.microsoft.com/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d

Incompatibility with New Software
Without updated Secure Boot certificates, new software that relies on these certificates may fail to install or run, impacting business operations.
   - roles: Software Developer, IT Administrator
   - references: https://support.microsoft.com/topic/windows-configuration-system-wincs-apis-for-secure-boot-d3e64aa0-6095-4f8a-b8e4-fbfda254a8fe

Increased Support Tickets
Failure to prepare for the Secure Boot certificate updates may lead to a surge in support tickets from users experiencing issues, straining IT resources.
   - roles: Help Desk Support, IT Administrator
   - references: https://support.microsoft.com/topic/secure-boot-certificate-updates-guidance-for-it-professionals-and-organizations-e2b43f9f-b424-42df-bc6a-8476db65ab2f

Opportunities**

Enhanced Monitoring and Troubleshooting Tools
Utilizing the new Windows Event Log and WinCS APIs will allow IT teams to monitor and troubleshoot Secure Boot CA updates more effectively. This can lead to quicker identification of issues and reduced downtime for users, enhancing overall user experience.
   - next-steps: Implement training sessions for IT staff on how to utilize the new monitoring tools effectively. Set up a centralized dashboard to track Secure Boot CA status across devices.
   - roles: IT Administrators, System Engineers, Helpdesk Support
   - references: https://support.microsoft.com/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e, https://support.microsoft.com/topic/windows-configuration-system-wincs-apis-for-secure-boot-d3e64aa0-6095-4f8a-b8e4-fbfda254a8fe

Proactive Deployment Strategy
By following the deployment playbook and opting for self-deployment of the 2023 Secure Boot CAs, organizations can ensure that all devices are updated before the expiration of the 2011 CAs. This proactive approach can minimize potential security risks and enhance device reliability.
   - next-steps: Create a project plan that includes timelines for assessing devices, deploying the new CAs, and testing the updates to ensure compatibility.
   - roles: IT Managers, Project Managers, Security Officers
   - references: https://support.microsoft.com/topic/secure-boot-certificate-updates-guidance-for-it-professionals-and-organizations-e2b43f9f-b424-42df-bc6a-8476db65ab2f, https://support.microsoft.com/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d

User Experience Improvement through Automated Updates
Allowing Microsoft to manage updates can streamline the process for users, reducing the need for manual intervention and ensuring that devices are always up-to-date with the latest Secure Boot CAs. This can enhance user satisfaction and reduce support calls related to update issues.
   - next-steps: Evaluate the current update management strategy and consider transitioning to a model where Microsoft manages updates for eligible devices. Communicate changes to users to ensure they understand the benefits.
   - roles: IT Support, End Users, Compliance Officers
   - references: https://support.microsoft.com/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e, https://support.microsoft.com/topic/secure-boot-certificate-updates-guidance-for-it-professionals-and-organizations-e2b43f9f-b424-42df-bc6a-8476db65ab2f

** AI generated content. This information must be reviewed before use.
