Summary
- Windows 2011 Secure Boot certificates will expire, requiring updates to new certificates issued in 2023 for ongoing security.
- Devices will still function normally but will not receive new boot-level security protections without updated certificates.
- Intune can be used to manage and deploy Secure Boot certificate updates on Windows clients.
- Administrators should enable specific settings in Intune to manage updates effectively.
- Detailed guidance and resources are available to assist with the update process and management.
Admin Impact: High
User Impact: Low
Release Start: 01 Jun 2026
Release End: 01 Jun 2026
Services: Intune, Windows
Category: Plan for change
Tags: Admin Action
History
3/10/2026 Item Added to Message Center
Microsoft Message
Starting in June 2026, the Windows 2011 Secure Boot certificates will expire. To maintain protection against new boot-level threats, devices need to be updated to new certificates issued in 2023.
How this will affect your organization
If the Secure Boot certificates expire without being updated, the device will still start and run normally and will continue to receive standard Windows updates; however, any new security protections for the early boot process cannot be applied once the certificates have expired.
You can use Intune to deploy the certificate updates to managed Windows clients, opt out of the high-confidence update buckets, and opt in to having Microsoft manage these updates by enabling the following settings in the Intune settings catalog:
- Configure Microsoft Update Managed Opt In
- Configure High Confidence Opt Out
- Enable Secureboot Certificate Updates
What you need to do to prepare
To manage Secure Boot certificate updates, enable the Secure Boot settings in your existing device configuration profile or create a new profile by following these steps:
- In the Intune admin center, go to Devices > Manage devices > Configuration.
- Select Create > New Policy.
- For Platform, select “Windows 10 and later”; for Profile type, select “Settings catalog”.
- Under Configuration settings, select Add settings. In the settings picker, search for Secure Boot.
- Select the desired settings for your organization: Configure Microsoft Update Managed Opt In, Configure High Confidence Opt Out, and Enable Secureboot Certificate Updates.
- Finish the profile for the devices that will use these settings.
For more detailed steps, review: Microsoft Intune method of Secure Boot for Windows devices with IT-managed updates
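The profile above only delivers the policy; to confirm on a given device whether the 2023 certificates have actually been enrolled in its Secure Boot signature database, here is an added PowerShell check (not code from Microsoft's message or its documentation). It assumes an elevated session on a UEFI device, and treating any db CA whose subject contains "2023" as one of the new certificates is this example's own assumption drawn from the notice's wording.

```powershell
# Added example, not Microsoft's code: enumerate the X.509 CAs enrolled in this device's
# Secure Boot signature database (db) and flag those issued in 2023, so you can confirm
# whether the new certificates are present before and after the Intune policy applies.
# Run elevated on a UEFI device; Get-SecureBootUEFI and Confirm-SecureBootUEFI come from the
# built-in SecureBoot module. Matching subjects on "2023" is this example's own assumption.

function Get-SecureBootDbCertificates {
    param([string]$VariableName = 'db')   # db holds the CAs trusted to sign boot components

    # EFI_CERT_X509_GUID marks signature lists whose entries are DER-encoded X.509 certificates
    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
    [byte[]]$bytes = (Get-SecureBootUEFI -Name $VariableName).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16) | ListSize(4) | HeaderSize(4) | SignatureSize(4)
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list: stop rather than loop forever
        if ($type -eq $x509Guid) {
            $sigOffset = $offset + 28 + $headerSize
            while ($sigOffset + $sigSize -le $offset + $listSize) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the certificate bytes
                $der  = [byte[]]$bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{ Variable = $VariableName; Subject = $cert.Subject
                                   NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
                $sigOffset += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Test-SecureBoot2023Certificates {
    try { $enabled = Confirm-SecureBootUEFI } catch { Write-Warning "Secure Boot not supported: $_"; return }
    if (-not $enabled) { Write-Warning 'Secure Boot is disabled; db contents are not enforced.'; return }
    $certs = @(Get-SecureBootDbCertificates -VariableName 'db')
    $new   = @($certs | Where-Object { $_.Subject -match '2023' })
    if ($new.Count -eq 0) {
        Write-Warning "No 2023-issued CA in db ($($certs.Count) certificate(s) present); the update has not applied."
    } else {
        Write-Host "Found $($new.Count) 2023-issued CA(s) in db."
    }
    $certs | Sort-Object NotAfter | Format-Table Subject, NotAfter, Thumbprint -AutoSize
}

Test-SecureBoot2023Certificates
```

The same function body can be dropped into an Intune remediation detection script (exit 1 when `$new.Count -eq 0`) to report which devices still lack the new certificates.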
Additional information
- Windows Message center: How to use Microsoft Intune to update expiring Secure Boot certificates
- Secure Boot playbook for certificates expiring in 2026 | Windows IT Pro Blog
- Frequently asked questions about the Secure Boot update process | Microsoft Support
- Secure Boot Certificate updates: Guidance for IT professionals and organizations | Microsoft Support
- When Secure Boot certificates expire on Windows devices | Microsoft Support
- Monitoring Secure Boot certificate status with Microsoft Intune remediations | Microsoft Support
- Secure Boot status report in Windows Autopatch | Microsoft Learn