Skip to Content

MC1237599: Windows Server Secure Boot playbook for certificates expiring in 2026

By: Author Alex Lim

Posted on

Categories Update

Home » Update » MC1237599: Windows Server Secure Boot playbook for certificates expiring in 2026

Summary

  • Update Secure Boot certificates on Windows Server as the 2011 certificates will expire, affecting security posture.
  • Tools are available to help inventory, monitor, and apply updated certificates.
  • Follow recommended steps to inventory your environment and check Secure Boot status.
  • Apply necessary OEM firmware updates before updating certificates.
  • Access resources for guidance on managing Secure Boot certificate updates.

Admin Impact: High
User Impact: Low
Release Start: 01 Jun 2026
Release End: 01 Jun 2026
Services: WindowsServer
Category: Stay informed
Tags: Admin Action

History

2/24/2026 Item Added to Message Center

Microsoft Message

Learn about tools and options available to organizations to update Secure Boot certificates on Windows Server. Certificates begin expiring in June 2026. You must update them before that date to help keep your security posture. Many recent platforms already include the supported 2023 certificates in firmware. However, for the ones that need to be updated, you need to manage this process manually.

When will this happen

  • The tools are already available to help you to proactively inventory, monitor, and apply updated certificates to your Windows Server devices.
  • June 2026: The 2011 Secure Boot certificate authorities (CAs) begin expiring.

How this will affect your organization

Systems on the 2011 CAs after June 2026 are at risk of running on degraded security posture. To update these systems, please be proactive and follow our recommended approach.

What you need to do to prepare

Read complete guidance in Additional information for details on how to:

  1. Inventory and prepare your environment.
  2. Monitor and check your devices for Secure Boot status.
  3. Apply any needed OEM firmware updates before updating certificates.
  4. Plan and pilot Secure Boot certificate deployments.
  5. Troubleshoot issues.

Additional information

  • Get started today with the recommended approach in Windows Server Secure Boot playbook for certificates expiring in 2026.
  • Prepare your servers for Secure Boot certificate updates.
  • Join the online event Secure Boot certificate updates explained – Microsoft Technical Takeoff on March 9, 2026.
  • To manage Secure Boot certificate updates on Windows client, see Secure Boot playbook for certificates expiring in 2026.
  • For the latest information, bookmark https://aka.ms/GetSecureBoot as your landing page for resources to help you with Windows Secure Boot certificate updates.