New resources to help organizations prepare for Secure Boot certificate expirations

Secure Boot certificates begin expiring in June 2026, and IT admins should take action now to help ensure devices remain secure. Timely deployment of updated certificates is essential to preserving device startup integrity and avoiding disruptions to servicing (i.e., updates).

New guidance has recently been published to support a range of deployment scenarios. Whether your organization manages certificates through Microsoft Intune, Group Policy, or manual processes, the resources below provide detailed steps, recommended practices, and troubleshooting guidance to help you plan your updates:
  • Updates and announcements – This page consolidates ongoing updates, milestones, and rollout status changes for the deployment of new Secure Boot certificates across Windows devices. Use it to stay current on important servicing communications as the deployment progresses.
  • Sample Secure Boot E2E Automation Guide – This guide provides an end-to-end view of the PowerShell‑based automation system for deploying Secure Boot certificate updates using Group Policy to domain-joined machines in a controlled, graduated manner. It includes details, examples, and operational guidance for domain‑joined environments.
  • A Closer Look at the High Confidence Database – This article explains how Secure Boot confidence levels are calculated, how data is evaluated and published, and how Windows servicing uses this information to determine certificate deployment readiness. It’s designed for IT pros, security teams, and support engineers who need deeper insights into certificate evaluation.

When will this happen:
These resources are available now. IT admins should begin reviewing the new guidance and complete certificate update planning and deployment activities as soon as possible to ensure devices remain protected and to avoid servicing or startup disruptions. Secure Boot certificate expiration begins in June 2026.

How will this affect your organization:
Devices that do not receive the updated Secure Boot certificates before expiration may encounter startup integrity issues or Windows servicing interruptions. The new resources provide guidance for organizations using Microsoft Intune, Group Policy, or manual processes and help ensure devices are fully prepared for upcoming certificate changes.

What you need to do to prepare:
Begin developing and executing your Secure Boot certificate update strategy as soon as possible. Review the newly published resources to determine the best approach for your organization. These new resources provide detailed steps, recommended practices, and insights to support planning, automation, and certificate update readiness.

Additional Information:

Message ID: MC1262523

