MC1253743: Action required: Secure Boot certificate updates for Windows 365 Cloud PCs before June 2026

Beginning in June 2026, the Secure Boot 2011 certificate authorities (CAs) will expire. To maintain Secure Boot protection and compatibility, Windows 365 Cloud PCs that have Secure Boot enabled must transition to the Secure Boot 2023 certificates before June 2026.

Secure Boot helps protect Cloud PCs during startup by ensuring that only trusted bootloaders and software are allowed to run.

How this will affect your organization

This change applies to Windows 365 Cloud PCs configured with Secure Boot enabled.

If affected Cloud PCs continue relying on the 2011 certificates after June 2026, they may:

• Experience reduced protection against boot-level malware.
• Be unable to validate newer signed boot components released after June 2026.

Cloud PCs without Secure Boot enabled are not impacted.

What you need to do to prepare

Microsoft has released the Secure Boot 2023 certificates through supported update mechanisms.

If your Cloud PCs do not use Secure Boot:

• No action is required.

If your Cloud PCs are Generation 2 with Secure Boot enabled:

• Ensure Secure Boot remains enabled.
• Confirm that required updates are applied before June 2026.

For an overview of what happens when Secure Boot certificates expire, see the Microsoft documentation here.

Additional Information

Review the Secure Boot certificate guidance and update your Windows 365 Cloud PCs as needed before June 2026:

• Secure Boot certificate updates for Windows 365: https://aka.ms/securebootW365 
• Guidance for IT professionals and organizations: https://aka.ms/securebootITpro 
• New Secure Boot certificates overview: https://aka.ms/getsecureboot 
• Monitoring and deployment guidance: https://aka.ms/securebootplaybook 
• Secure Boot FAQ: https://aka.ms/securebootFAQ 

Compliance considerations

No compliance considerations identified, review as appropriate for your organization.