Secure Boot playbook for certificates expiring in 2026

Secure Boot helps ensure that only trusted software runs during the boot sequence. It uses cryptographic keys, known as certificate authorities (CAs), to validate that firmware modules come from a trusted source. After 15 years, the Secure Boot certificates that are part of many Windows systems will start expiring in June 2026. These certificates were originally issued in 2011. Many Windows PCs manufactured since 2024 already have updated (2023) certificates. For the remaining devices, we recommend that you start monitoring the progress of certificate updates today as well as prepare for and install new certificates on devices that aren’t automatically getting them through Windows updates. An initial set of tools and guidance is now available to support you in this effort.

 

While Microsoft will deliver the new 2023 Secure Boot certificates through Windows monthly updates—with original equipment manufacturers (OEMs) offering firmware updates to help ensure compatibility—you can proactively install the 2023 CAs before the 2011 CAs start expiring in June of 2026.

 

Read the Secure Boot playbook for certificates expiring in 2026 for steps you can take today to help ensure your devices stay protected after June 2026. Specifically, you can now:

If you’d like to deploy the new Secure Boot certificates yourself today, you can utilize registry keys, WinCS, or Group Policy. Soon, you’ll be able to use scalable MDM solutions, such as Microsoft Intune. We will provide an update when this method is available.

 

Bookmark https://aka.ms/GetSecureBoot for more information about this change, detailed guidance for managing Secure Boot certificate update, and answers to frequently asked questions.