MC1104112: Act now: Secure Boot certificates expire in June 2026
In the coming months, Microsoft will be rolling out updated Secure Boot certificates needed to keep the Windows startup environment secure. The current certificates will start expiring in June 2026 on all Windows systems released since 2012, except for 2025 Copilot+ PCs. This also affects third-party operating systems. Start by checking for the latest available firmware from your original equipment manufacturers (OEMs) and enabling Windows diagnostic data. Visit the Secure Boot certificate rollout landing page for guidance for personal devices and IT-managed systems.
When will this happen:
- In the coming months, the following updated certificates will be rolling out: Microsoft Corporation KEK 2K CA 2023, Microsoft Corporation UEFI CA 2023, Microsoft Option ROM UEFI CA 2023, Windows UEFI CA 2023
- June 2026, the following certificates will expire: Microsoft Corporation KEK CA 2011 and Microsoft Corporation UEFI CA 2011 (or third-party UEFI CA)
- October 2026, the following certificate will expire: Microsoft Windows Production PCA 2011
How this will affect your organization: Most supported Windows systems released since 2012, including the long-term servicing channel (LTSC), are affected. Copilot+ PCs released in 2025 are not affected. Affected third-party operating systems include macOS, but that is outside the scope of Microsoft support. For Linux systems dual booting with Windows, Windows will update the certificates that Linux relies on. Unless prepared, affected physical and virtual machine (VM) devices will:
- Lose the ability to install Secure Boot security updates after June 2026.
- Not trust third-party software signed with new certificates after June 2026.
- Not receive security fixes for the Windows boot manager by October 2026.
What you need to do to prepare: First, check on the latest available firmware from original equipment manufacturers (OEMs). Then, allow Microsoft to manage Windows updates, including Secure Boot updates:
- Configure your organizational policies to allow at least the “required” level of diagnostic data.
- Allow Microsoft to manage Secure Boot-related updates for your devices by setting the following registry value:
  - Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot
  - Key name: MicrosoftUpdateManagedOptIn
  - Type: DWORD
  - DWORD value: 0x5944 (opt in to Windows Secure Boot updates)
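The readiness check and opt-in described above, as an added PowerShell example that is not part of the Message Center post. It assumes an elevated session on a UEFI Windows 10/11 device with the built-in SecureBoot module (Confirm-SecureBootUEFI, Get-SecureBootUEFI); the certificate names and the registry value come from the post, and the substring search over the raw KEK/db blobs is a presence check, not a validation of the certificates themselves.

```powershell
#Requires -RunAsAdministrator
# Added example: audit which expiring (2011) and replacement (2023) Secure Boot CAs
# a device currently trusts, then opt in to Microsoft-managed Secure Boot updates.

$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$RegName  = 'MicrosoftUpdateManagedOptIn'
$RegValue = 0x5944   # opt-in value published in the post

function Test-SecureBootCert {
    param([string]$Store, [string]$Subject)
    # KEK and db are blobs of EFI_SIGNATURE_LISTs holding DER certificates; the
    # subject CN is stored as an ASCII string inside the DER, so a substring
    # match is enough to tell whether a given CA has been enrolled.
    $bytes = (Get-SecureBootUEFI -Name $Store).Bytes
    return ([System.Text.Encoding]::ASCII.GetString($bytes)) -match [regex]::Escape($Subject)
}

# 1. Secure Boot must be enabled for the certificate rollout to apply.
if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is disabled on this device; nothing to update.'
    return
}

# 2. Report presence of each CA named in the post (store: KEK or db).
$checks = @(
    @{ Store = 'KEK'; Subject = 'Microsoft Corporation KEK CA 2011' },
    @{ Store = 'KEK'; Subject = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Store = 'db';  Subject = 'Microsoft Windows Production PCA 2011' },
    @{ Store = 'db';  Subject = 'Windows UEFI CA 2023' },
    @{ Store = 'db';  Subject = 'Microsoft Corporation UEFI CA 2011' },
    @{ Store = 'db';  Subject = 'Microsoft Corporation UEFI CA 2023' },
    @{ Store = 'db';  Subject = 'Microsoft Option ROM UEFI CA 2023' }
)
foreach ($c in $checks) {
    $present = Test-SecureBootCert -Store $c.Store -Subject $c.Subject
    '{0,-4} {1,-42} {2}' -f $c.Store, $c.Subject, $(if ($present) { 'present' } else { 'MISSING' })
}

# 3. Opt the device in to Microsoft-managed Secure Boot updates (DWORD 0x5944)
#    and read the value back so the result can be recorded in an inventory.
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -Path $RegPath -Name $RegName -PropertyType DWord -Value $RegValue -Force | Out-Null
$current = (Get-ItemProperty -Path $RegPath -Name $RegName).$RegName
'{0} = 0x{1:X} ({2})' -f $RegName, $current, $(if ($current -eq $RegValue) { 'opted in' } else { 'unexpected value' })
```

A device that shows the 2023 CAs as MISSING after the opt-in has not yet received the rollout; re-run the audit after the next cumulative update rather than editing KEK or db by hand.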
If you prefer not to enable diagnostic data, please take this anonymous readiness survey.
Additional information:
- Read Act now. Secure Boot certificates expire in June 2026.
- Bookmark Secure Boot certificate rollout landing page.
- Consult guidance for Windows devices for businesses and organizations with IT-managed updates.
- For unmanaged scenarios, see Windows devices for home users, businesses, and schools with Microsoft-managed updates.
- Follow guidance in Windows 11 and Secure Boot to check if it’s enabled.
- Get additional technical guidance at Updating Microsoft Secure Boot keys.