Summary
- Windows 365 Cloud PCs with Secure Boot enabled must transition to Secure Boot 2023 certificates.
- Continuing to rely on the expired 2011 certificates may lead to decreased protection against boot-level malware and an inability to validate newer boot components.
- Cloud PCs without Secure Boot enabled are not affected by this change.
- IT administrators should ensure Secure Boot remains enabled and required updates are applied before the deadline.
- Microsoft provides resources and guidance on updating Secure Boot certificates for IT professionals.
Admin Impact: High
User Impact: Low
Release Start: 01 Jun 2026
Release End: 01 Jun 2026
Services: Windows 365
Category: Plan for change
Tags: Admin Action
History
3/16/2026 Item Added to Message Center
Microsoft Message
Beginning in June 2026, the Secure Boot 2011 certificate authorities (CAs) will expire. To maintain Secure Boot protection and compatibility, Windows 365 Cloud PCs that have Secure Boot enabled must transition to the Secure Boot 2023 certificates before June 2026.
Secure Boot helps protect Cloud PCs during startup by ensuring that only trusted bootloaders and software are allowed to run.
How this will affect your organization
This change applies to Windows 365 Cloud PCs configured with Secure Boot enabled.
If affected Cloud PCs continue relying on the 2011 certificates after June 2026, they may:
- Experience reduced protection against boot-level malware.
- Be unable to validate newer signed boot components released after June 2026.
Cloud PCs without Secure Boot enabled are not impacted.
What you need to do to prepare
Microsoft has released the Secure Boot 2023 certificates through supported update mechanisms.
If your Cloud PCs do not use Secure Boot:
- No action is required.
If your Cloud PCs are Generation 2 with Secure Boot enabled:
- Ensure Secure Boot remains enabled.
- Confirm that required updates are applied before June 2026.
For an overview of what happens when Secure Boot certificates expire, see the Microsoft documentation here.
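One way to carry out the two checks above from inside a Cloud PC, as an added example that is not part of the Microsoft message: it confirms Secure Boot is on, then parses the UEFI `db` and `KEK` variables and reports whether the 2023 certificates are present. The certificate names in `$Expected` are the 2023 CA names Microsoft has published and do not appear on this page; the function name is hypothetical.

```powershell
# Added example: run in an elevated PowerShell session inside the Cloud PC. Read-only.
$ErrorActionPreference = 'Stop'
$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID (UEFI spec)
# Assumption: common names of the 2023 certificates (not listed in the message itself).
$Expected = 'Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Corporation KEK 2K CA 2023'

function Get-SecureBootCertificate {
    param([Parameter(Mandatory)][ValidateSet('db', 'KEK')][string]$Name)
    [byte[]]$b = (Get-SecureBootUEFI -Name $Name).Bytes
    $pos = 0
    while ($pos + 28 -le $b.Length) {
        # EFI_SIGNATURE_LIST header: type GUID, list size, header size, signature size
        $type     = [Guid]::new([byte[]]$b[$pos..($pos + 15)])
        $listSize = [BitConverter]::ToInt32($b, $pos + 16)
        $hdrSize  = [BitConverter]::ToInt32($b, $pos + 20)
        $sigSize  = [BitConverter]::ToInt32($b, $pos + 24)
        if ($listSize -lt 28 -or $hdrSize -lt 0 -or $pos + $listSize -gt $b.Length) { break }  # malformed
        if ($type -eq $X509Guid -and $sigSize -gt 16) {
            # Each entry is a 16-byte owner GUID followed by one DER-encoded certificate.
            for ($s = $pos + 28 + $hdrSize; $s + $sigSize -le $pos + $listSize; $s += $sigSize) {
                $der = [byte[]]$b[($s + 16)..($s + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            }
        }
        $pos += $listSize
    }
}

# Confirm-SecureBootUEFI returns $false when Secure Boot is off and errors on non-UEFI machines.
if (-not (Confirm-SecureBootUEFI)) {
    'Secure Boot is not enabled on this Cloud PC.'
} else {
    $subjects = @(foreach ($n in 'db', 'KEK') { (Get-SecureBootCertificate -Name $n).Subject })
    foreach ($cn in $Expected) {
        [pscustomobject]@{ Certificate = $cn; Present = [bool]($subjects -match [regex]::Escape("CN=$cn")) }
    }
}
```

A `Present = False` row means that certificate has not yet been written to firmware variables on this Cloud PC; the guidance linked under Additional Information covers the remaining steps of the transition.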
Additional Information
Review the Secure Boot certificate guidance and update your Windows 365 Cloud PCs as needed before June 2026:
- Secure Boot certificate updates for Windows 365: https://aka.ms/securebootW365
- Guidance for IT professionals and organizations: https://aka.ms/securebootITpro
- New Secure Boot certificates overview: https://aka.ms/getsecureboot
- Monitoring and deployment guidance: https://aka.ms/securebootplaybook
- Secure Boot FAQ: https://aka.ms/securebootFAQ
Compliance considerations
No compliance considerations identified; review as appropriate for your organization.