Secure Boot 2026 Certificate Expiry: What IT Admins Must Do Now
Secure Boot has quietly protected Windows devices for over a decade. It sits at the firmware layer and ensures only trusted, signed components are allowed to load before Windows starts.
Most organisations never think about it.
Until 2026.
From late June 2026 onward, older Microsoft Secure Boot certificates issued in 2011 begin expiring. If your estate has not transitioned to the newer 2023 certificates, you risk losing future Secure Boot servicing support and potentially weakening platform trust protections.
This is not a panic moment. It is a planning moment.
What Is Actually Expiring?
Secure Boot relies on certificate authorities stored inside UEFI firmware. These certificates validate:
- Windows Boot Manager
- Bootloaders
- Early startup components
- Certain firmware-level trust relationships
Many devices still trust the “Windows UEFI CA 2011” certificate.
Microsoft has introduced updated certificates, including “Windows UEFI CA 2023,” which extend trust beyond 2026.
Devices must receive these updated entries before the older ones expire.
If they do not:
- Future Secure Boot updates may fail
- Some systems could enter degraded trust states
- High-security environments may experience compliance issues
- Edge cases could trigger BitLocker recovery scenarios
For most fully patched environments, this will happen automatically.
For controlled or legacy estates, it might not.
Who Needs to Act First?
You should prioritise action if you have:
- Devices with long Windows Update deferrals
- Offline or semi-managed endpoints
- Older hardware models
- Strict Secure Boot or BitLocker compliance requirements
- WSUS-only estates without consistent quality updates
If your environment is fully modern, on Windows 11, and receiving monthly updates via Intune or Autopatch, you are likely already progressing toward compliance.
Still, verify.
Recommended Enterprise Approach
Keep this simple.
- Ensure monthly Windows quality updates are being applied consistently.
- Keep OEM BIOS and UEFI firmware current on supported models.
- Detect presence of “Windows UEFI CA 2023” across the fleet.
- Pilot across major hardware models before broad rollout.
This is not a “flip a switch” situation. It is a verification exercise.
Intune Proactive Remediation – Detection Script
This detection script checks:
- Secure Boot is enabled
- The Secure Boot database contains the 2023 certificate
Exit code 0 = compliant
Exit code 1 = non-compliant
```powershell
# Detection: Secure Boot CA 2023 presence
# Exit 0 = compliant
# Exit 1 = non-compliant
$ErrorActionPreference = "Stop"
try {
    # Confirm-SecureBootUEFI returns $false when Secure Boot is off (and throws on legacy BIOS)
    if (-not (Confirm-SecureBootUEFI -ErrorAction SilentlyContinue)) {
        Write-Output "Secure Boot not enabled or device not UEFI."
        exit 1
    }
    # Read the raw 'db' (allowed signatures) variable and look for the 2023 CA's subject string
    $dbBytes = (Get-SecureBootUEFI -Name db -ErrorAction Stop).Bytes
    $dbText = [System.Text.Encoding]::ASCII.GetString($dbBytes)
    if ($dbText -match "Windows UEFI CA 2023") {
        Write-Output "Compliant: Windows UEFI CA 2023 found."
        exit 0
    } else {
        Write-Output "Non-compliant: Windows UEFI CA 2023 NOT found."
        exit 1
    }
}
catch {
    # Any failure (no admin rights, cmdlet unavailable, firmware error) is reported as non-compliant
    Write-Output "Detection error: $($_.Exception.Message)"
    exit 1
}
```
Deploy via:
- Intune Admin Center
- Devices → Remediations → Create Script Package
- Run as System
- Pilot first
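The detection script above does a substring match on the raw variable bytes. As an added example (not part of the original post), the script below instead walks the db variable's EFI_SIGNATURE_LIST structures and decodes each embedded X.509 certificate, so an admin can see exactly which CAs a device trusts (2011, 2023, or both) and their expiry dates. The function names are my own; it assumes an elevated PowerShell session on a UEFI device.

```powershell
# Added example: enumerate the X.509 certificates enrolled in a Secure Boot
# signature database by parsing its EFI_SIGNATURE_LIST entries.
# Assumes: elevated session, UEFI firmware. Function names are hypothetical.

$EfiCertX509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootDbCertificates {
    param([ValidateSet('db','dbx','KEK','PK')][string]$Name = 'db')

    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    $offset = 0
    while ($offset -lt $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16) + ListSize(4) + HeaderSize(4) + SigSize(4)
        $sigType    = [Guid]::new([byte[]]($bytes[$offset..($offset + 15)]))
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        # Only X.509 lists carry certificates; dbx lists are mostly SHA-256 hashes and are skipped
        if ($sigType -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while (($pos + $sigSize) -le $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the DER certificate
                $der  = [byte[]]($bytes[($pos + 16)..($pos + $sigSize - 1)])
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Test-SecureBoot2023CA {
    # Summarise whether the 2023 Windows UEFI CA is enrolled in db, with every subject for context
    $subjects = @((Get-SecureBootDbCertificates -Name db).Subject)
    [pscustomobject]@{
        Has2023CA = [bool]($subjects -match 'CN=Windows UEFI CA 2023')
        Subjects  = $subjects
    }
}

Get-SecureBootDbCertificates -Name db | Format-Table Subject, NotAfter -AutoSize
Test-SecureBoot2023CA
```

Run the same function with `-Name KEK` to confirm the updated Key Exchange Key is present as well, since db updates are signed by the KEK.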
Intune Proactive Remediation – Remediation Script
There is no safe universal command that directly modifies UEFI variables across all OEM hardware.
The correct enterprise approach is:
- Trigger Windows Update
- Ensure required security updates install
- Reboot when appropriate
Example remediation script: