Secure Boot playbook for certificates expiring in 2026

Secure Boot helps ensure that only trusted software runs during the boot sequence. It uses cryptographic keys, known as certificate authorities (CAs), to validate that firmware modules come from a trusted source. After 15 years, the Secure Boot certificates that are part of many Windows systems will start expiring in June 2026. These certificates were originally issued in 2011. Many Windows PCs manufactured since 2024 already have updated (2023) certificates. For the remaining devices, we recommend that you start monitoring the progress of certificate updates today as well as prepare for and install new certificates on devices that aren’t automatically getting them through Windows updates. An initial set of tools and guidance is now available to support you in this effort.   When will this happen: While Microsoft will deliver the new 2023 Secure Boot certificates through Windows monthly updates—with original equipment manufacturers (OEMs) offering firmware updates to help ensure compatibility—you can proactively install the 2023 CAs before the 2011 CAs start expiring in June of 2026.   What you need to do to prepare: Read the Secure Boot playbook for certificates expiring in 2026 for steps you can take today to help ensure your devices stay protected after June 2026. Specifically, you can now: Inventory and prepare your environments for this change. Monitor and check your devices for Secure Boot status. Apply OEM firmware updates before Microsoft updates. Plan and pilot your Secure Boot certificate deployments. Use available tools to troubleshoot and remediate common issues. If you’d like to deploy the new Secure Boot certificates yourself today, you can utilize registry keys, WinCS, or Group Policy. Soon, you’ll be able to use scalable MDM solutions, such as Microsoft Intune. We will provide an update when this method is available.   Additional information: Bookmark https://aka.ms/GetSecureBoot for more information about this change, detailed guidance for managing Secure Boot certificate update, and answers to frequently asked questions. Message ID: MC1185931

The post Secure Boot playbook for certificates expiring in 2026 appeared first on M365 Admin.