Important **Action Required** – Windows Secure Boot Certificates

01/04/2026 10:03:00 AM

Dear Local Administrator,

Microsoft has announced a planned rotation of the Secure Boot certificates that protect the integrity of Windows during system startup on UEFI‑based devices. The rotation starts from June 2026.

Secure Boot is a core Windows security feature that ensures only trusted, signed components are allowed to run during the boot process. The certificates currently in use across the Windows ecosystem were introduced in 2011 and are now reaching end of life.

What is changing

Microsoft will replace several Secure Boot certificates with newer 2023 equivalents to maintain platform security:

  • June 2026
    • Microsoft Corporation KEK CA 2011 → Microsoft Corporation KEK 2K CA 2023
    • Microsoft Corporation UEFI CA 2011 → Microsoft Corporation UEFI CA 2023 / Microsoft Option ROM UEFI CA 2023
  • October 2026
    • Microsoft Windows Production PCA 2011 → Windows UEFI CA 2023

These certificates are used to validate:

  • Windows bootloaders and boot components
  • Third‑party operating systems and drivers
  • Firmware and option ROMs

Why this matters

Windows devices that do not receive the updated certificates may:

  • Lose the ability to apply Secure Boot security updates after June 2026
  • Fail to trust newly signed third‑party boot components
  • Stop receiving security fixes for Windows Boot Manager after October 2026

This creates a material security risk for affected devices.

What action is required from your organisation

This update is not remediated centrally by Live Service. Each organisation is responsible for ensuring their Windows devices receive the required updates.

Please review the following and take action as appropriate:

  • Organisations managing Windows updates via Intune
    • No additional action is required
  • Organisations using Intune but not managing Windows updates through Intune
    • You must ensure that your chosen update solution will deliver Secure Boot certificate updates before the 2026 expiry dates.
  • Organisations not using Intune for Windows device management
    • You must review and take appropriate action within your local device management and update processes to ensure Secure Boot certificate rotation is completed in line with Microsoft guidance.
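
One way to check locally whether a device already holds the 2023 certificates listed above. This is an added example, not part of this notice or of Microsoft's guidance. It assumes an elevated PowerShell session on a UEFI device and treats a certificate as present when its name appears as text in the firmware's KEK or db variable.

```powershell
# Added example. Run in an elevated PowerShell session on a UEFI device.
# Assumption: a certificate counts as present when its subject name appears as
# text in the raw UEFI variable (a heuristic, not a full signature-list parse).
$expected = @(
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023'
       Pattern  = 'Microsoft Corporation KEK 2K CA 2023' },
    # The notice writes this name with "Corporation"; accept it with or without.
    @{ Variable = 'db';  Name = 'Microsoft Corporation UEFI CA 2023'
       Pattern  = 'Microsoft (Corporation )?UEFI CA 2023' },
    @{ Variable = 'db';  Name = 'Microsoft Option ROM UEFI CA 2023'
       Pattern  = 'Microsoft Option ROM UEFI CA 2023' },
    @{ Variable = 'db';  Name = 'Windows UEFI CA 2023'
       Pattern  = 'Windows UEFI CA 2023' }
)

try {
    # Returns $true/$false; throws on non-UEFI hardware or without elevation.
    $secureBootOn = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    Write-Warning "Cannot query Secure Boot state (not UEFI, or not elevated): $_"
    return
}

$cache = @{}   # read each firmware variable only once
$report = foreach ($cert in $expected) {
    $var = $cert.Variable
    if (-not $cache.ContainsKey($var)) {
        try {
            $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
            $cache[$var] = [System.Text.Encoding]::ASCII.GetString($bytes)
        } catch {
            $cache[$var] = $null   # variable could not be read
        }
    }
    $text = $cache[$var]
    if ($null -eq $text) { $status = 'Unreadable' }
    elseif ($text -match $cert.Pattern) { $status = 'Present' }
    else { $status = 'Missing' }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME; SecureBootOn = $secureBootOn
        Variable = $var; Certificate = $cert.Name; Status = $status
    }
}
$report | Format-Table -AutoSize
```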

Further information

Microsoft’s detailed technical guidance is available here:

Secure Boot certificate updates