Secure Boot certificates in Windows systems will expire starting June 2026, risking system security and update continuity. IT admins must prepare by ensuring firmware updates from OEMs and allowing Microsoft to manage Secure Boot updates to maintain protection against boot-level malware threats.

Secure Boot Certificates Expire in June 2026: What IT Pros Need to Know
Heads up, tech enthusiasts and IT pros! Microsoft’s Secure Boot certificates, which protect Windows devices at startup, will expire starting June 2026. This update is massive and affects millions of Windows systems worldwide. Ignoring it could leave your devices vulnerable to boot-level malware and security risks.
What’s New: The Certificate Update You Can’t Miss
Secure Boot certificates are the cryptographic keys that verify your device’s firmware and bootloader integrity. After 15 years, the current Microsoft certificates will expire, requiring a global update. New certificates—like the Microsoft Corporation KEK 2K CA 2023 and Microsoft Corporation UEFI CA 2023—will replace the old ones to maintain trust.
“When these CAs expire, systems will stop receiving security fixes for Windows Boot Manager and Secure Boot components.” – Microsoft
This update impacts physical and virtual machines running Windows 10, Windows 11, and various Windows Server versions released since 201. Notably, Copilot+ PCs from 2025 are exempt.
Major Updates: Why This Matters for Your Security
Secure Boot prevents malware from running early in the startup process. Without updated certificates, your devices won’t trust new firmware or drivers, risking bootkit attacks like the infamous BlackLotus UEFI bootkit.
Microsoft warns that after June 2026, systems will:
- Stop installing Secure Boot security updates
- Fail to trust third-party software signed with new certificates
- Lose Windows Boot Manager security fixes by October 2026
“Bootkit malware can be difficult or impossible to detect with standard antivirus software.” – Microsoft
What IT Admins Should Do Now
Start preparing today by bookmarking the Secure Boot certificate rollout landing page and taking the readiness survey. Collaborate closely with your OEMs to apply firmware updates before installing new certificates.
If your organization lets Microsoft manage Windows updates and diagnostic data, you’re mostly set. Devices using Windows Autopatch or Configuration Manager will receive updates automatically.
For those who don’t send diagnostic data, enable it via Group Policy or MDM and set the registry value MicrosoftUpdateManagedOptIn to 0x5944. This opt-in ensures your devices get the necessary certificate updates smoothly.
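As an added example (not from the original post or from Microsoft), the readiness check below reports, from an elevated PowerShell prompt, whether Secure Boot is on, whether the 2023 KEK and UEFI CAs named above are already present in the firmware's KEK and db variables, and whether the MicrosoftUpdateManagedOptIn value is set to 0x5944. The registry path HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot is an assumption, since the post gives only the value name and data.

```powershell
# Added readiness check, not code from the post. Assumption: the opt-in DWORD
# lives under HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot; the value name
# and data (0x5944) are the ones the post gives. Run from an elevated prompt.
function Get-SecureBootCertReadiness {
    [CmdletBinding()]
    param(
        [string]$OptInPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot',
        [string]$OptInName     = 'MicrosoftUpdateManagedOptIn',
        [int]   $OptInExpected = 0x5944
    )

    # Secure Boot must be enabled for any of this to matter; Confirm-SecureBootUEFI
    # throws on legacy BIOS machines, which we treat as "not enabled".
    $enabled = $false
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $false }

    # KEK and db come back as raw DER bytes. Certificate subject names are plain
    # ASCII inside DER, so a substring search is enough to see whether the 2023
    # CAs from the post have landed in firmware.
    $kek2023 = $false; $db2023 = $false
    if ($enabled) {
        $kekText = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
        $dbText  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $kek2023 = $kekText -match 'KEK 2K CA 2023'
        $db2023  = $dbText  -match 'UEFI CA 2023'
    }

    # The opt-in value that lets Microsoft push the certificate updates.
    $optIn = (Get-ItemProperty -Path $OptInPath -Name $OptInName `
                -ErrorAction SilentlyContinue).$OptInName

    [pscustomobject]@{
        SecureBootEnabled = $enabled
        Kek2023Present    = $kek2023
        Db2023Present     = $db2023
        UpdateOptInSet    = ($optIn -eq $OptInExpected)
        Ready             = ($enabled -and $kek2023 -and $db2023)
    }
}

# Writes the opt-in value the post describes; assumed path as above.
function Set-SecureBootUpdateOptIn {
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot',
        [string]$Name = 'MicrosoftUpdateManagedOptIn'
    )
    New-ItemProperty -Path $Path -Name $Name -Value 0x5944 -PropertyType DWord -Force | Out-Null
}

Get-SecureBootCertReadiness | Format-List
```

A device showing SecureBootEnabled true but Kek2023Present or Db2023Present false is one that still depends on the expiring CAs; call Set-SecureBootUpdateOptIn only on machines where you want Microsoft to deliver the certificate update.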
Special Cases: Air-Gapped and Disabled Secure Boot Devices
Air-gapped systems won’t get automatic updates, so plan manual deployments carefully. Also, don’t disable Secure Boot, as toggling it can erase updated certificates and reset security settings.
Final Thoughts
This is one of the biggest Windows security updates in years. Staying ahead means keeping Secure Boot certificates current and ensuring your firmware is ready. As Microsoft puts it, “The solution that requires the least effort is letting Microsoft manage your Windows device updates, including Secure Boot updates.”
Don’t wait until 2026—start your Secure Boot certificate update journey now to keep your Windows devices secure and future-proof.
From the Windows IT Pro Blog articles