Windows Server Secure Boot playbook for certificates expiring in 2026
Learn about tools and options available to organizations to update Secure Boot certificates on Windows Server. Certificates begin expiring in June 2026. You must update them before that date to help maintain your security posture. Many recent platforms already include the supported 2023 certificates in firmware. However, for the ones that need to be updated, you need to manage this process manually.

When will this happen:
· The tools are already available to help you proactively inventory, monitor, and apply updated certificates to your Windows Server devices.
· June 2026: The 2011 Secure Boot certificate authorities (CAs) begin expiring.

How this will affect your organization:
Systems on the 2011 CAs after June 2026 are at risk of running with a degraded security posture. To update these systems, please be proactive and follow our recommended approach.

What you need to do to prepare:
Read the complete guidance in Additional information for details on how to:
1. Inventory and prepare your environment.
2. Monitor and check your devices for Secure Boot status.
3. Apply any needed OEM firmware updates before updating certificates.
4. Plan and pilot Secure Boot certificate deployments.
5. Troubleshoot issues.
Here is an interesting article with very detailed information: https://4sysops.com/archives/update-expiring-windows-secure-boot-certificates-now/