What is happening with Secure Boot in June 2026?
The Microsoft certificates that Windows uses to verify trusted boot code, originally issued in 2011, begin expiring in June 2026. Without action, affected Windows 10, Windows 11, and Windows Server devices will stop receiving Secure Boot updates from Microsoft and will eventually lose the ability to validate new bootloaders, firmware components, and bootable media against current Microsoft trust roots. For Boston-area businesses, this is not a future-year problem — the remediation has to start now, while devices are still healthy.
Two of the three impacted certificates — the Microsoft Corporation KEK CA 2011 and the Microsoft UEFI CA 2011 — expire in June 2026. The Microsoft Windows Production PCA 2011, which signs the Windows boot manager itself, expires in October 2026. Microsoft is replacing all three with new 2023 certificates that must be installed into each device’s UEFI firmware (the KEK and DB stores) before the old certificates run out.
Why does this matter for SMBs and regulated industries?
Secure Boot is the foundation of every modern Windows security guarantee. It is what prevents bootkits and pre-OS malware from silently loading before Windows or your endpoint security agent gets a chance to run. When the underlying certificate chain expires:
- New Microsoft-issued boot components signed by the 2023 certificates will not be trusted by devices still anchored to 2011 roots.
- Future Windows security updates that depend on the new trust chain cannot fully apply.
- Boot from Microsoft-signed recovery media, Windows installation media, and certain BitLocker recovery scenarios may fail.
- Cyber-insurance carriers and frameworks (CIS, NIST 800-171, CMMC, HIPAA) that require “boot integrity” or “firmware-level protection” controls may flag devices that did not receive the rollover.
For Massachusetts companies bound by 201 CMR 17.00, leaving production endpoints in a stale Secure Boot state is exactly the kind of avoidable, documented control gap that auditors and breach investigators look for after an incident.
Which devices are affected?
The certificate expiration affects essentially every x64 Windows device manufactured between roughly 2012 and today that ships with UEFI Secure Boot, including:
- Windows 11 desktops, laptops, and tablets.
- Windows 10 devices (including those on Extended Security Updates).
- Windows Server 2012, 2016, 2019, 2022, and 2025 systems.
- Surface, Dell, HP, Lenovo, ASUS, and Acer business hardware.
- Hyper-V Generation 2 virtual machines that use UEFI firmware.
Devices that are offline, dormant, in a closet, or sitting on a shelf will not receive the rollover and are most at risk of being stranded after June 2026. Older hardware that no longer receives OEM firmware updates is also in danger of never getting the corresponding firmware prerequisites Microsoft expects to land first.
What does Microsoft want you to do?
Microsoft published KB5025885 in 2023 as the master guidance for rolling Windows devices to the 2023 Secure Boot certificates. The high-level flow is:
- Apply current OEM firmware updates first. Many vendors ship firmware that prepares the UEFI DBX, DB, and KEK stores to accept the new Microsoft 2023 certificates. Without the firmware update, Windows cannot safely write the new entries.
- Stay current on Windows cumulative updates. Microsoft is rolling the new certificate enrollment out gradually through Windows Update, so devices that fall behind on patching will not pick up the change.
- Enroll the new 2023 certificates into KEK and DB. This is what actually moves the device from the expiring 2011 chain to the new chain. Microsoft has guarded this step behind a registry-driven, opt-in deployment until 2026 to avoid mass boot incidents.
- Validate after each step. Use the Windows Security app or PowerShell (Get-SecureBootUEFI) to confirm both the old and new certificates are present and that the device is reporting the rollover as healthy.
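A read-only check for the validation step above, written as an added example rather than code from the original post or from Boston Managed IT. It reads the KEK and DB variables through Get-SecureBootUEFI, parses the EFI_SIGNATURE_LIST structures that UEFI stores them in, lists every trusted X.509 certificate and classifies each as 2011 or 2023 by the year in its subject. The function names, the fields in the output object and the year-based classification are this example's own assumptions; the script must run in an elevated session on a UEFI device, and it writes nothing to firmware or the registry.

```powershell
# Added example, not code from the original post or from Boston Managed IT.
# Read-only audit of the firmware KEK and DB stores: which Microsoft signing
# certificates does this device trust, and is the 2023 generation present yet?
# Assumes an elevated session on a UEFI machine; Confirm-SecureBootUEFI and
# Get-SecureBootUEFI come from the SecureBoot module that ships with Windows.

# EFI_CERT_X509_GUID (UEFI spec): marks a signature list whose entries are DER certs.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SignatureListCertificates {
    <#
      Walk the raw bytes of a Secure Boot variable, which is a sequence of
      EFI_SIGNATURE_LIST structures, and return one X509Certificate2 per X.509 entry.
      Per list: SignatureType GUID (16) | SignatureListSize (4) |
                SignatureHeaderSize (4) | SignatureSize (4) | header | signatures
      Per signature: SignatureOwner GUID (16) | SignatureData (SignatureSize - 16)
      Hash-only lists (for example SHA-256 entries) are skipped.
    #>
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $certs  = @()
    $offset = 0
    while (($offset + 28) -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]($Bytes[$offset..($offset + 15)]))
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)

        # Stop on a malformed list instead of looping forever on bad sizes.
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $Bytes.Length) { break }

        if ($type -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while (($pos + $sigSize) -le $end) {
                $der    = [byte[]]($Bytes[($pos + 16)..($pos + $sigSize - 1)])
                $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $pos   += $sigSize
            }
        }
        $offset += $listSize
    }
    return $certs
}

function Get-SecureBootRolloverStatus {
    # One object per device: Secure Boot on or off, what each store holds, and a
    # rollover verdict. Classification by year keeps the check independent of exact
    # subject strings; Microsoft's published 2023 names include
    # "Microsoft Corporation KEK 2K CA 2023", "Microsoft UEFI CA 2023" and
    # "Windows UEFI CA 2023". OEM certificates in DB show up as "other".
    $enabled = $false
    try { $enabled = Confirm-SecureBootUEFI }
    catch { Write-Warning "Secure Boot is not supported on this platform: $_" }

    $entries = foreach ($store in 'KEK', 'db') {
        try { $raw = (Get-SecureBootUEFI -Name $store).Bytes }
        catch { Write-Warning "Cannot read $store (run elevated on a UEFI system): $_"; continue }
        foreach ($cert in (Get-SignatureListCertificates -Bytes $raw)) {
            $gen = if ($cert.Subject -match '2023') { '2023' }
                   elseif ($cert.Subject -match '2011') { '2011' }
                   else { 'other' }
            [pscustomobject]@{ Store = $store; Generation = $gen; Subject = $cert.Subject; NotAfter = $cert.NotAfter }
        }
    }

    $kek2023 = @($entries | Where-Object { $_.Store -eq 'KEK' -and $_.Generation -eq '2023' }).Count -gt 0
    $db2023  = @($entries | Where-Object { $_.Store -eq 'db'  -and $_.Generation -eq '2023' }).Count -gt 0
    $has2011 = @($entries | Where-Object { $_.Generation -eq '2011' }).Count -gt 0
    $state   = if (-not $enabled)            { 'SecureBootOff' }
               elseif ($kek2023 -and $db2023) { 'Rolled' }
               elseif ($kek2023 -or $db2023)  { 'Partial' }
               else                           { 'Pending' }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        SecureBootEnabled = $enabled
        KekHas2023        = $kek2023
        DbHas2023         = $db2023
        Has2011           = $has2011
        RolloverState     = $state
        Certificates      = $entries
    }
}

# Usage: verdict first, then the full certificate table for the audit record.
$status = Get-SecureBootRolloverStatus
$status | Select-Object Computer, SecureBootEnabled, KekHas2023, DbHas2023, Has2011, RolloverState | Format-List
$status.Certificates | Sort-Object Store, Generation | Format-Table Store, Generation, NotAfter, Subject -AutoSize
```

Run it on each pilot device before and after the enrollment step: "Pending" means the device is still anchored only to the 2011 chain, "Partial" means one store took the new certificate and the other did not (worth investigating on that hardware model before the pilot ring grows), and "Rolled" with Has2011 still true is the expected end state, since the old certificates stay in place alongside the new ones. The same function can be dropped into an RMM or Intune script so the RolloverState value feeds the per-client reporting.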
What is Boston Managed IT doing for clients?
Inside Boston Managed IT’s managed services stack, we are treating the Secure Boot rollover as a multi-month, fleet-wide project, not a single patch. For every managed client we are:
- Inventorying the fleet. Using RMM and Microsoft Intune data to identify every Windows device, its model, firmware version, and current Secure Boot certificate state.
- Standardizing OEM firmware updates. Pushing Dell Command Update, HP Image Assistant, Lenovo Vantage, and Surface UEFI updates so the underlying firmware is ready before we enroll the new Microsoft certificates.
- Staged enrollment. Rolling the registry opt-in for the 2023 certificate updates to a pilot ring first, then production rings, so any firmware-specific issues surface on test devices rather than executive laptops.
- Reporting. Producing per-client status reports that show how many devices are rolled, how many are pending, and which units need hardware refresh because the OEM no longer ships compatible firmware.
- Coordinating Windows 10 sunset planning. Devices stuck on Windows 10 and unable to take the rollover are strong candidates for the Windows 11 refresh or hardware replacement work many clients are already scoping for 2026.
What should an internal IT team do this week?
If you run IT in-house, three concrete steps are worth doing in the next seven days:
- Pull an inventory of every Windows endpoint and server, including offline and rarely-used devices. Anything that has not checked in for 30+ days is your biggest risk pool.
- Confirm your patch management is current. Both Windows cumulative updates and OEM firmware/BIOS updates need to land before the certificate enrollment will succeed.
- Pilot the Secure Boot certificate rollover on 5–10 representative devices (one per hardware model). Validate boot, BitLocker, and recovery scenarios before scaling to the rest of the fleet.
FAQ: Common questions Boston businesses are asking
Will my Windows devices stop working in June 2026?
No, not immediately. Existing installed Windows will continue to boot using already-trusted bootloaders. The risk is loss of trust for new Microsoft-signed boot components, future security updates, and recovery scenarios — which is exactly the kind of failure you don’t want during an incident.
Does this affect Macs, iPhones, or Android?
No. This is a Windows / UEFI Secure Boot issue. Apple and Android devices use separate trust chains.
What about old PCs that no longer get firmware updates?
Those devices are very likely to be stranded on the 2011 certificates. They become hardware-refresh candidates. This is one more reason the Windows 10 end-of-support date and the Secure Boot expiration are colliding in 2026.
Can I just turn off Secure Boot?
Technically yes, practically no. Disabling Secure Boot weakens boot integrity, breaks Windows 11 supportability, can void cyber-insurance policy language, and is incompatible with many compliance frameworks. It is not a real remediation.
How will I know my devices are rolled successfully?
Windows 11 surfaces Secure Boot certificate update status inside the Windows Security app. For fleet visibility, RMM platforms and Intune can be configured to report the rollover state per device.
How to get help
Boston Managed IT manages this rollover end-to-end for clients across Massachusetts and New England. If you would like us to inventory your fleet, validate firmware readiness, and stage the Secure Boot 2023 certificate enrollment before the June 2026 deadline, please reach out to our team. The earlier we start, the smaller the population of devices left in the high-risk window.
References:
- Microsoft Windows IT Pro Blog – Act Now: Secure Boot Certificates Expire in June 2026
- Microsoft Secure Boot Playbook
- Microsoft KB5025885