(Updated 2026-03-13)
There is currently a really important topic with the same reach as the good old Y2K bug. We will eventually see whether it has a serious impact or not. Nevertheless, we can't ignore it and need to check the real impact.
What is it about?
The Microsoft Secure Boot Certificates will expire in June 2026.
First rule of thumb:
Update your device BIOS. This is crucial, especially when your device is still under OEM hardware vendor support! Machines that are out of support are generally at risk in the near future!
Major hardware vendors provide official support:
Original Equipment Manufacturer (OEM) pages for Secure Boot - Microsoft Support
Second rule of thumb:
Use the MS process to get the rest done. Microsoft released a good playbook on this.
https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235
After lots of scripting, logging and monitoring I came to the conclusion that the best and easiest way to handle this at scale is to make use of Microsoft's approach with Intune (MDM policies and reporting).
The Intune report is now (again) found in the Intune console at:
REPORTS --> Windows feature updates --> Reports (tab) --> Secure Boot status
Details about the report can be found here:
Secure Boot status report in Windows Autopatch | Microsoft Learn
The latest Microsoft published news about Secure Boot expiring certificates can be found on:
https://aka.ms/getsecureboot
Good news at the end. If you miss this, it's very likely that your machines will still boot even after the certificate expires. Bootloaders are only blocked when their certificates are moved to / stored in DBX (the list of prevented boot loaders).
But for special machines, like those with NVIDIA graphics cards that have UEFI drivers, this might be a different story! So testing is essential.
I set the date in the BIOS on different machines from 2026 to the year 2036, and after this they were still booting and I was able to log on. But as of now I have had no chance to play around with Intune's "compliant" state, as this is hard to test because I cannot put Intune into the year 2036 on my own. So there is still some uncertainty about what will happen.
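To spot-check a single test machine for the KEK, db and DBX state described above, the following PowerShell inventory can be run from an elevated prompt. It is an added example, not part of Microsoft's playbook or the Intune report; the function names are hypothetical, and the certificate names are Microsoft's published CA names, which this post does not list.

```powershell
#Requires -RunAsAdministrator
# Added example: report which Microsoft Secure Boot certificates are present
# in the firmware variables KEK, db and dbx of the local machine.

function Test-SecureBootVariable {
    param(
        [Parameter(Mandatory)][ValidateSet('KEK', 'db', 'dbx')][string]$Name,
        [Parameter(Mandatory)][string]$CertificateName
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    } catch {
        return $null   # variable undefined, legacy BIOS, or not elevated
    }
    if (-not $bytes) { return $false }
    # Heuristic: the subject name is stored as readable text inside the
    # DER-encoded certificate, so a substring match on the raw bytes finds it.
    [System.Text.Encoding]::ASCII.GetString($bytes).Contains($CertificateName)
}

function Get-SecureBootCertificateInventory {
    # Assumption: names as published by Microsoft for the 2011 and 2023 CAs.
    $checks = @(
        @{ Store = 'KEK'; Cert = 'Microsoft Corporation KEK CA 2011';     Role = 'old' }
        @{ Store = 'KEK'; Cert = 'Microsoft Corporation KEK 2K CA 2023';  Role = 'new' }
        @{ Store = 'db';  Cert = 'Microsoft Windows Production PCA 2011'; Role = 'old' }
        @{ Store = 'db';  Cert = 'Windows UEFI CA 2023';                  Role = 'new' }
        @{ Store = 'db';  Cert = 'Microsoft Corporation UEFI CA 2011';    Role = 'old' }
        @{ Store = 'db';  Cert = 'Microsoft UEFI CA 2023';                Role = 'new' }
        @{ Store = 'db';  Cert = 'Microsoft Option ROM UEFI CA 2023';     Role = 'new (UEFI drivers)' }
        # A certificate listed in dbx is what actually blocks its boot loaders.
        @{ Store = 'dbx'; Cert = 'Microsoft Windows Production PCA 2011'; Role = 'blocked if present' }
    )
    try { $enabled = Confirm-SecureBootUEFI -ErrorAction Stop } catch { $enabled = $null }
    foreach ($c in $checks) {
        [pscustomobject]@{
            SecureBootEnabled = $enabled
            Store             = $c.Store
            Certificate       = $c.Cert
            Role              = $c.Role
            Present           = Test-SecureBootVariable -Name $c.Store -CertificateName $c.Cert
        }
    }
}

Get-SecureBootCertificateInventory | Format-Table -AutoSize
```

An empty `Present` column means the variable could not be read at all, which is expected on legacy BIOS machines or when the dbx variable has never been written.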
Stay tuned!

