Secure Boot is a foundational Windows security feature that runs at startup, before Windows load, and helps ensure that only trusted, digitally signed software can execute. After more than 15 years of continuous service, the original Secure Boot certificates are reaching the end of their planned lifecycle and begin expiring in late June 2026.
To learn more about Microsoft’s effort to update these certificates, see the blog post Refreshing the root of trust: industry collaboration on Secure Boot certificate updates. To prevent disruption and maintain secure startup across Windows environments, plan for these certificates update following the guidance in the Secure Boot playbook.
When this will happen:
The 2011 Secure Boot certificates begin expiring in June 2026.
What you need to do to prepare:
Review the Secure Boot playbook for certificates expiring in 2026 to understand requirements, timelines, and supported scenarios. Additionally, bookmark https://aka.ms/GetSecureBoot for more information about this change, OEMs guidance, and answers to frequently asked questions.
Additional technical resources:
- If you use Microsoft Intune, read Microsoft Intune method of Secure Boot for Windows devices with IT-managed updates.
- Compare this method to Registry key updates for Secure Boot: Windows devices with IT-managed updates.
- Check out the option Group Policy Objects (GPO) method of Secure Boot for Windows devices with IT-managed updates.
- See how these methods work together in Secure Boot playbook for certificates expiring in 2026.
