check before: 2026-06-01
Product:
Intune, Windows
Platform:
Online, World tenant
Status:
Change type:
Admin impact
Links:
Details:
Secure Boot helps ensure that only trusted software runs during the boot sequence. It uses cryptographic keys, known as certificate authorities (CAs), to validate that firmware modules come from a trusted source. After 15 years, the Secure Boot certificates that are part of many Windows systems will start expiring in June 2026. These certificates were originally issued in 2011. Many Windows PCs manufactured since 2024 already have updated (2023) certificates. For the remaining devices, we recommend that you start monitoring the progress of certificate updates today as well as prepare for and install new certificates on devices that aren't automatically getting them through Windows updates. An initial set of tools and guidance is now available to support you in this effort.
When will this happen:
While Microsoft will deliver the new 2023 Secure Boot certificates through Windows monthly updates, with original equipment manufacturers (OEMs) offering firmware updates to help ensure compatibility, you can proactively install the 2023 CAs before the 2011 CAs start expiring in June 2026.
Release Phase:
Created:
2025-11-14
updated:
2025-11-14
Direct effects for Operations**
Certificate Expiration
If the Secure Boot certificates expire without prior updates, devices may fail to boot or operate securely, leading to potential downtime.
- roles: IT Administrator, End User
- references: https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235
Increased Support Calls
Users may experience issues with booting or system integrity, resulting in a surge of support calls to IT, straining resources.
- roles: Help Desk Support, IT Administrator
- references: https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235
Security Vulnerabilities
Without updated certificates, systems may become vulnerable to unauthorized software, increasing the risk of security breaches.
- roles: Security Officer, IT Administrator
- references: https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235
Compliance Issues
Failure to update Secure Boot certificates may lead to non-compliance with security standards, affecting audits and certifications.
- roles: Compliance Officer, IT Administrator
- references: https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235
User Experience Degradation
Users may face interruptions in their workflow due to system failures or security prompts, leading to frustration and decreased productivity.
- roles: End User, IT Administrator
- references: https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235
Opportunities**
Automated Monitoring for Secure Boot Status
Implementing automated monitoring tools to regularly check the Secure Boot status of devices will help ensure that all systems are compliant and secure before the 2026 deadline. This proactive approach reduces the risk of non-compliance and potential security vulnerabilities.
- next-steps: Research and select monitoring tools that integrate with existing IT infrastructure. Set up alerts for devices that are not compliant and schedule regular audits.
- roles: IT Administrators, Security Officers, Compliance Managers
- references: https://aka.ms/GetSecureBoot, https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235
Streamlined Certificate Deployment Process
Developing a streamlined process for deploying the new Secure Boot certificates using tools like Microsoft Intune can significantly reduce the administrative burden and ensure that all devices are updated efficiently.
- next-steps: Create a project plan for integrating Intune into the certificate deployment process. Train IT staff on the new procedures and establish a timeline for implementation.
- roles: IT Administrators, System Engineers, Project Managers
- references: https://aka.ms/GetSecureBoot, https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235
OEM Firmware Update Coordination
Establishing a coordinated approach to apply OEM firmware updates before Microsoft updates can help ensure compatibility and security across all devices, minimizing downtime and user disruption.
- next-steps: Communicate with OEMs to understand their update schedules. Develop a timeline for applying firmware updates and integrate this into the IT maintenance schedule.
- roles: IT Administrators, Operations Managers, Device Management Teams
- references: https://aka.ms/GetSecureBoot, https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235
** AI generated content. This information must be reviewed before use.