
Microsoft Secure Score: New recommendation for Secure Boot 2023 certificate readiness in Microsoft Defender for Endpoint

Message ID: MC1293483
Service: Microsoft Defender XDR
Category: Stay Informed
Tags: New feature, Admin impact
Rollout: April 2026 to May 2026

Summary

Microsoft Defender for Endpoint will add a new Secure Score recommendation in late April 2026 to help organizations prepare for the Secure Boot 2023 certificate updates that replace certificates expiring in June 2026. The recommendation provides visibility into device readiness, tracks progress, and is enabled by default.

Details

[Introduction]

We’re introducing a new Microsoft Secure Score recommendation in Microsoft Defender for Endpoint (MDE) to help organizations assess and prepare for the transition to Secure Boot 2023 certificates. Secure Boot 2023 certificates replace older certificates (such as Windows UEFI CA 2011) that are scheduled to expire in June 2026, helping ensure devices continue to boot securely and receive future protections. This recommendation improves visibility into device readiness and helps organizations maintain a trusted and secure boot process.

[When this will happen:]

  • Public Preview (Worldwide): We will begin rolling out in late April 2026 and expect to complete by early May 2026.
  • General Availability (Worldwide): We will begin rolling out in early May 2026 and expect to complete by late May 2026.

[How this affects your organization:]

Who is affected:

  • Admins managing Microsoft Defender for Endpoint and Microsoft Secure Score

What will happen:

  • A new Secure Score recommendation will appear:
    • Ensure devices are updated to Secure Boot 2023 certificates and boot manager.
  • Provides visibility into device readiness for Secure Boot updates.
  • Identifies devices that have not deployed:
    • Windows UEFI CA 2023 certificates
    • 2023-signed boot manager
  • Secure Score will reflect progress toward implementing this recommendation.
  • Feature is on by default and requires no configuration to appear.
  • This recommendation helps track readiness for replacing expiring Secure Boot certificates (for example, Windows UEFI CA 2011).
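As an added illustration that is not part of the Message Center post, the two conditions the recommendation reports on (the Windows UEFI CA 2023 certificate in the Secure Boot db, and the 2023-signed boot manager) can be checked locally on one device with PowerShell. The `UEFICA2023Status` registry value under `SecureBoot\Servicing` is an assumption taken from Microsoft's Secure Boot servicing guidance, not from this post, and should be confirmed against current documentation.

```powershell
# Added example (not from the Message Center post): local Secure Boot 2023 readiness check.
# Run from an elevated PowerShell session on a UEFI device with Secure Boot enabled.
# Assumption: the UEFICA2023Status value (NotStarted / InProgress / Updated) under the
# SecureBoot\Servicing key comes from Microsoft's servicing guidance, not from this post.

function Test-SecureBoot2023Readiness {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI hardware, so treat that as "off".
    try { $secureBootOn = Confirm-SecureBootUEFI } catch { $secureBootOn = $false }
    if (-not $secureBootOn) {
        throw 'Secure Boot is not enabled on this device (or the device is not UEFI).'
    }

    # 1. Is the Windows UEFI CA 2023 present in the allowed-signature database (db)?
    #    The db holds DER-encoded certificates; the subject CN is ASCII, so a text match
    #    on the variable's raw bytes is sufficient for a presence check.
    $dbBytes   = (Get-SecureBootUEFI -Name db).Bytes
    $dbText    = [System.Text.Encoding]::ASCII.GetString($dbBytes)
    $has2023Ca = $dbText -match 'Windows UEFI CA 2023'

    # 2. Has Secure Boot servicing reported the 2023-signed boot manager as applied?
    #    (Assumed registry location; see note above.)
    $servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = (Get-ItemProperty -Path $servicingKey -ErrorAction SilentlyContinue).UEFICA2023Status
    if (-not $status) { $status = 'Unknown' }

    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        UefiCa2023InDb    = $has2023Ca
        BootManagerStatus = $status
        # Mirrors the recommendation: both the certificate and the boot manager must be in place.
        Ready             = ($has2023Ca -and ($status -eq 'Updated'))
    }
}

Test-SecureBoot2023Readiness | Format-List
```

A device reporting `Ready = False` here is one the Secure Score recommendation would count as not yet updated.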

Why this matters:

  • Windows Secure Boot certificates are scheduled to expire in June 2026
  • Devices not updated may not receive future protections for the early boot process
  • This recommendation helps maintain a trusted and secure boot chain

[What you can do to prepare:]

[Compliance considerations:]
No compliance considerations identified; review as appropriate for your organization.

Change History

No change history available
