Summary
- A guide and tools are now available to update expiring Secure Boot certificates to the 2023 CAs, so that Secure Boot can keep blocking untrusted code early in startup.
- Devices manufactured before 2012 need updates to use these new certificates.
- Organizations can allow automatic updates via Windows monthly updates or choose to manually deploy the updates.
- Resources include a deployment playbook, new registry keys, Windows Event Log, and WinCS APIs for monitoring and troubleshooting.
- Bookmark the relevant Microsoft support pages for ongoing information about Secure Boot certificate updates.
Admin Impact: Medium
User Impact: Low
Release Start: 01 Oct 2025
Release End: 01 Jun 2026
Services: Windows
Category: Prevent or fix issues
Tags: Admin Action
History
10/15/2025 Item Added to Message Center
Microsoft Message
Use the newly published guide and tools to start updating your organization’s expiring Secure Boot certificates. As the 2011 certificate authorities (CAs) start expiring in June 2026, 2023 CAs are required. Updated CAs allow Secure Boot to continue preventing malware early in the startup sequence. New resources are available for you to start monitoring, deploying, and troubleshooting Secure Boot CAs. These include the deployment playbook, new registry keys, Windows Event Log, and Windows Configuration System (WinCS) APIs.
When will this happen
- The deployment guide, new registry keys, and WinCS are available today.
- The 2023 Secure Boot CAs are rolling out gradually as part of Windows monthly updates starting with the October 2025 security update.
- Additional tools will be available soon.
- The 2011 CAs start expiring beginning in June 2026.
How this will affect your organization
Devices manufactured before 2012 and those that don’t already have new certificates need to be updated with the 2023 CAs. We recommend taking measures well before the 2011 CAs start expiring.
What you need to do to prepare
If your organization sends diagnostic data and lets Microsoft manage your updates, your devices will automatically get updated CAs with the monthly Windows updates. You can also opt in to let Microsoft determine high-confidence devices that will get these CAs first.
If you prefer to deploy these CAs yourself, follow the deployment playbook to monitor, deploy, and troubleshoot Secure Boot updates. You can use new registry keys, Windows Event Log, and WinCS to do so.
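As an added illustration (not part of the Microsoft playbook or the WinCS/registry tooling the message refers to), the following PowerShell inventory reads the UEFI `db` and `KEK` variables directly and reports which 2011 and 2023 Microsoft CAs a device already trusts, which is the question behind "devices that don't already have new certificates". It assumes the CA common names match Microsoft's published certificate subjects and that it runs elevated on a UEFI system.

```powershell
# Added example: inventory the Secure Boot CAs a device currently trusts.
# Reads the UEFI 'db' (allowed signers) and 'KEK' (key exchange keys) variables
# with the built-in SecureBoot module and searches for the 2011 and 2023 CAs.
# Assumption: the common names below match Microsoft's published CA subjects.
# This is not the deployment playbook's method; it is a stand-alone check.

$caNames = @{
    'KEK' = @('Microsoft Corporation KEK CA 2011', 'Microsoft Corporation KEK 2K CA 2023')
    'db'  = @('Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023',
              'Microsoft Corporation UEFI CA 2011',    'Microsoft UEFI CA 2023')
}

function Get-SecureBootCaStatus {
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is not enabled; the CA update only matters once it is.'
    }
    foreach ($var in $caNames.Keys) {
        # The variable payload is a chain of EFI_SIGNATURE_LISTs holding DER certs.
        # The subject CN is stored as plain ASCII inside the DER, so a string
        # search over the raw bytes is enough to tell which CAs are present.
        $text = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $var).Bytes)
        foreach ($cn in $caNames[$var]) {
            [pscustomobject]@{
                Variable = $var
                CA       = $cn
                Present  = $text.Contains($cn)
            }
        }
    }
}

$status = Get-SecureBootCaStatus
$status | Format-Table -AutoSize

# A device still needs the rollout if any 2023 CA is absent from db or KEK.
$missing = $status | Where-Object { $_.CA -like '*2023' -and -not $_.Present }
if ($missing) {
    Write-Output "Needs 2023 CA update: $($missing.CA -join ', ')"
} else {
    Write-Output 'All 2023 Secure Boot CAs are present.'
}
```

Run it across a fleet (for example through your existing remote-execution tooling) to find the devices that must be prioritised before the 2011 CAs begin expiring in June 2026.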
Additional information
- Find the deployment playbook in the updated Secure Boot certificate updates: Guidance for IT professionals and organizations.
- Learn how to use new registry keys to monitor, deploy, and troubleshoot Secure Boot CAs.
- Learn how to use new Windows Configuration System (WinCS) APIs to deploy Secure Boot CAs.
- Learn how to use Windows Event Log to monitor Secure Boot CA updates.
- Bookmark Windows Secure Boot certificate expiration and CA updates as the landing page to the most up-to-date information.