
Plan for Change: Windows Secure Boot certificates expiring in June 2026

Message ID: MC1248382
Service: Microsoft Intune
Category: Plan for Change
Tag: Admin impact
Act By: June 1, 2026
Rollout: June 2026

Summary

Windows 2011 Secure Boot certificates expire in June 2026. Devices must update to new 2023 certificates to maintain early boot security protections. Use Intune to enable Secure Boot certificate updates via device configuration profiles to ensure continued protection against boot-level threats.

Details

Starting in June 2026, the Windows 2011 Secure Boot certificates will expire. To maintain protection against new boot-level threats, devices need to be updated to new certificates issued in 2023.

[How this will affect your organization:]

If the Secure Boot certificates expire without being updated, the device will still start and run normally and continue receiving standard Windows updates, but any new security protections for the early boot process cannot be applied once the certificates expire.

You can use Intune to deploy the certificate updates to managed Windows clients, opt out of high-confidence buckets, and opt in to Microsoft managing these updates by enabling the following settings in the Intune settings catalog:

  • Configure Microsoft Update Managed Opt In
  • Configure High Confidence Opt Out
  • Enable Secureboot Certificate Updates

[What you need to do to prepare:]

To manage Secure Boot certificate updates, enable the Secure Boot settings in your existing device configuration profile or create a new profile by following these steps:

  1. In the Intune admin center, go to Devices and, under Manage devices, select Configuration.
  2. Select Create and select New Policy.
  3. For Platform, select “Windows 10 and later”, and for the profile type, select “Settings Catalog”.
  4. Under Configuration settings, select Add settings. In the settings picker, search for Secure Boot.
  5. Select the desired settings for your organization: Configure Microsoft Update Managed Opt In, Configure High Confidence Opt Out, and Enable Secureboot Certificate Updates.
  6. Finish the profile for the devices that will use these settings.

For more detailed steps, review: Microsoft Intune method of Secure Boot for Windows devices with IT-managed updates
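
To confirm on a device that the 2023 certificates have arrived after the profile applies, a check like the following can be run in an elevated PowerShell session. It is an added example, not part of the original message or of Microsoft's tooling, and the certificate names it searches for are assumptions based on Microsoft's published certificate names rather than on this message.

```powershell
# Added example: report which Secure Boot certificates the firmware currently trusts.
# Run elevated on the device being checked. The function name is hypothetical.
function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param()

    # Certificate names to look for in each UEFI variable (assumed from Microsoft's
    # published names; they are not listed in the message above).
    $expected = @{
        db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023',
                'Microsoft Windows Production PCA 2011', 'Microsoft Corporation UEFI CA 2011')
        KEK = @('Microsoft Corporation KEK 2K CA 2023', 'Microsoft Corporation KEK CA 2011')
    }

    try {
        # Throws on legacy BIOS systems or when the session is not elevated.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
        return
    }

    foreach ($variable in 'db', 'KEK') {
        try {
            $bytes = (Get-SecureBootUEFI -Name $variable -ErrorAction Stop).Bytes
        } catch {
            Write-Warning "Cannot read UEFI variable '$variable': $($_.Exception.Message)"
            continue
        }
        # Subject names are stored as readable strings inside the DER-encoded
        # certificates, so a text search is enough for a presence check.
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)
        foreach ($name in $expected[$variable]) {
            [pscustomobject]@{
                ComputerName      = $env:COMPUTERNAME
                SecureBootEnabled = $enabled
                Variable          = $variable
                Certificate       = $name
                Present           = $text.Contains($name)
            }
        }
    }
}

Get-SecureBootCertStatus | Format-Table -AutoSize
```

This is a presence check only: it does not validate the certificates or show whether the boot manager in use is signed by the 2023 chain.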
