What and why:
Many individuals and organizations have already successfully updated certificates for client devices, servers, and virtual machines, with others close behind. However close you are, finishing Secure Boot certificate deployment remains important. If you're still on this path, stay the course. Read about the proven best practices and the resources already available to you, as well as a few more opportunities to ask questions.
Rollout schedule:
- June 24, 2026 – Secure Boot certificates start expiring, beginning with the Microsoft Corporation KEK CA 2011 certificate.
- July 1 – Windows Server Secure Boot AMA
- July 8 – Secure Boot Office Hours for virtualized environments
- July 15 – OEM Secure Boot Office Hours
Impact on your organization:
If you are still in the process of updating Secure Boot certificates or validating updates in your organization, there are resources that can help. Focus on progress over perfection. Each step forward helps strengthen your environment’s platform root of trust.
Devices with older certificates will continue to function and receive updates, giving you time to complete deployment. Completing this transition helps ensure that your devices stay current with evolving Secure Boot protections.
Action required/recommendations:
What we’ve seen consistently is that success comes from staying the course:
- Keep your devices up to date with the latest Windows updates.
- Check that the latest firmware version is installed. You can visit your OEM’s support page or use their official support channels.
- Continue with your phased rollout. Gradual deployment of certificates, boot managers, and updated OEM firmware, along with validation, remains the most reliable approach.
- Use the tools available to you. Whether built into Windows, such as the Windows Security app, or designed for IT-managed environments, these tools help you monitor progress and make informed decisions.
Read "Best practices for deploying Secure Boot certificate updates" for a list of resources to support your next steps.
Compliance considerations:
- No compliance considerations are identified. Review as appropriate for your organization.