If you manage Windows devices, Secure Boot just moved from “nice to have” to “you really can’t ignore this anymore.”
Starting in 2026, older Secure Boot certificate authorities begin to expire, and Microsoft is rolling out new certificates, tools, and admin experiences to keep devices protected.
What’s happening with Secure Boot certificates?

Secure Boot relies on UEFI firmware and cryptographic keys (certificate authorities) to make sure only trusted firmware and bootloaders run at startup.
Some of the older Secure Boot certificates—dating back to 2011—start expiring in June 2026, and organizations need to have the newer 2023 certificate authorities installed before that happens.
Key points:
- Many PCs manufactured since 2024 already ship with the 2023 certificates.
- For older devices, Microsoft is delivering updated Secure Boot certificates through Windows monthly updates, while OEMs are providing firmware updates where needed.
- If you do nothing, you risk devices eventually failing Secure Boot validation when the older certs expire.
Microsoft has published a Secure Boot playbook that outlines the rollout and offers guidance on which devices need attention and how to stage the updates safely.
New Windows and PowerShell tools to help

To make this manageable at scale, Microsoft has started shipping new admin tools:
- The Windows Security app now surfaces clearer information about the status of Secure Boot certificate updates on supported devices, rolling out automatically starting in April 2026.
- The Get‑SecureBootUEFI PowerShell cmdlet now has a -Decoded flag so you can view Secure Boot certificates in a readable format instead of raw data blobs.
- A new Get‑SecureBootSVN cmdlet lets you check the Secure Boot Security Version Number (SVN) for the device’s UEFI firmware and bootloader, so you can verify that the latest Secure Boot policy is applied.
These tools are designed to help you inventory which machines are compliant, which ones still rely on older certs, and where firmware updates might be required.
What IT admins should do next
Here’s a practical, phased approach you can turn into a quick internal plan:
- Inventory your fleet
  - Use your device management platform (Intune, ConfigMgr, etc.) plus the new PowerShell cmdlets to identify devices that:
    - Have Secure Boot enabled.
    - Are still using older Secure Boot certificate authorities.
- Verify certificate status and SVN
  - Run Get-SecureBootUEFI -Decoded to inspect the installed certificates.
  - Use Get-SecureBootSVN to confirm that devices reflect the latest Secure Boot policy level.
- Stage OS and firmware updates
  - Make sure devices are receiving the latest monthly Windows updates, which include the new Secure Boot certificates.
  - Coordinate with OEM vendors to apply any required UEFI/firmware updates, especially for systems manufactured before 2024.
- Watch for new warnings in Windows Security
  - Educate your helpdesk and endpoint teams to look for new Secure Boot warnings in the Windows Security app as these experience updates roll out from April 2026 onward.
- Plan for June 2026 and beyond
  - Treat June 2026 as a hard milestone for having all critical systems updated—servers, domain controllers, and high‑sensitivity endpoints should be first in line.
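Here is an added example (not from the article or from Microsoft's playbook) that covers the inventory and verify steps above on a single device. It reads the raw db and KEK signature databases with the long-standing Get-SecureBootUEFI -Name parameter, so it works on builds that do not yet have -Decoded, and it only probes for Get-SecureBootSVN because its output shape is not described here. The CA names it matches are Microsoft's published common names for the 2011 and 2023 Secure Boot certificates.

```powershell
# Added example: per-device Secure Boot trust-anchor inventory, suitable for
# collection through Intune, ConfigMgr or Invoke-Command. Not Microsoft's code.
function Get-SecureBootCertInventory {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI throws on legacy BIOS / unsupported platforms.
    $enabled = $false
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $false }

    # The UEFI db and KEK variables are raw byte blobs (EFI_SIGNATURE_LISTs);
    # the certificate subject names survive as ASCII, so a text match is enough
    # to tell the expiring 2011 anchors from the 2023 replacements.
    $dbText = ''; $kekText = ''
    if ($enabled) {
        $dbText  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $kekText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    }

    $db2011  = $dbText  -match 'Microsoft Windows Production PCA 2011'
    $db2023  = $dbText  -match 'Windows UEFI CA 2023'
    $kek2011 = $kekText -match 'Microsoft Corporation KEK CA 2011'
    $kek2023 = $kekText -match 'Microsoft Corporation KEK 2K CA 2023'

    # Get-SecureBootSVN only exists on updated builds; its output is passed through
    # unchanged (assumption: this example does not interpret its fields).
    $svn = $null
    if (Get-Command Get-SecureBootSVN -ErrorAction SilentlyContinue) {
        try { $svn = Get-SecureBootSVN } catch { $svn = "error: $($_.Exception.Message)" }
    }

    # Ready  = boot chain can validate against the 2023 KEK and db anchors.
    # Pending = Secure Boot is on but still relies solely on the 2011 anchors.
    $status = if (-not $enabled)            { 'SecureBootOff' }
              elseif ($db2023 -and $kek2023) { 'Ready' }
              else                            { 'Pending' }

    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        SecureBootOn = $enabled
        DbHas2011PCA = $db2011
        DbHas2023CA  = $db2023
        KekHas2011CA = $kek2011
        KekHas2023CA = $kek2023
        Svn          = $svn
        Status       = $status
    }
}

Get-SecureBootCertInventory | Format-List
```

Devices reporting Pending are the ones that still need the monthly update that carries the 2023 certificates, and any that also lack a firmware-side update are the ones to raise with the OEM.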
The bottom line: this isn’t a flashy feature, but letting Secure Boot certificates lapse could leave devices exposed at the earliest stage of boot, where traditional antivirus can’t help.