Learn about the tools and options available to organizations for updating Secure Boot certificates on Windows Server. Certificates begin expiring in June 2026. You must update them before that date to help maintain your security posture. Many recent platforms already include the supported 2023 certificates in firmware. However, for platforms that still need to be updated, you need to manage this process manually.
When will this happen:
- The tools are already available to help you proactively inventory, monitor, and apply updated certificates to your Windows Server devices.
- June 2026: The 2011 Secure Boot certificate authorities (CAs) begin expiring.
How this will affect your organization:
Systems still on the 2011 CAs after June 2026 are at risk of running with a degraded security posture. To update these systems, please be proactive and follow our recommended approach.
What you need to do to prepare:
Read the complete guidance under Additional information for details on how to:
- Inventory and prepare your environment.
- Monitor and check your devices for Secure Boot status.
- Apply any needed OEM firmware updates before updating certificates.
- Plan and pilot Secure Boot certificate deployments.
- Troubleshoot issues.
Additional information:
- Get started today with the recommended approach in Windows Server Secure Boot playbook for certificates expiring in 2026.
- Prepare your servers for Secure Boot certificate updates.
- Join the online event Secure Boot certificate updates explained - Microsoft Technical Takeoff on March 9, 2026.
- To manage Secure Boot certificate updates on Windows client, see Secure Boot playbook for certificates expiring in 2026.
- For the latest information, bookmark https://aka.ms/GetSecureBoot as your landing page for resources to help you with Windows Secure Boot certificate updates.