Managing Secure Boot Certificate Lifecycle with Intune

Overview

The Secure Boot certificates shipped in device firmware begin expiring on June 24, 2026, and action might be needed to make sure your devices are properly patched at the firmware level. In this article, we will cover what Secure Boot is, what happens when the certificates expire, how to update them, and how reporting in Intune helps you validate the rollout.

What is Secure Boot?

Many people are talking about “Secure Boot” right now. So, what exactly is it?

Secure Boot is a security capability of UEFI (Unified Extensible Firmware Interface)-based firmware that restricts which software can run during the device's boot sequence. It ensures only software signed by a trusted party can execute before the operating system loads.

Secure Boot verifies the digital signature (think of this as a way of signing software to validate its origin) of each piece of pre-boot software against the CA certificates stored in the device's firmware. The Secure Boot specification defines how platform firmware manages those certificates, how it authenticates firmware images, and how Windows interacts with the firmware.

Microsoft first required it with Windows 8 to help defend against pre-boot malware, aka “bootkits”. Before the OS starts, the firmware authenticates each module before it executes. Some examples are:

  • UEFI applications
  • Firmware drivers
  • Boot loaders

Finally, the firmware verifies that it trusts the boot loader itself (Windows Boot Manager) before passing control to it; the boot loader then verifies the Windows components it loads into memory and starts Windows.

During the manufacturing process, a firmware policy is set to help Secure Boot know what code should be trusted. This policy might be changed over time like adding or revoking certificates, which is governed by a hierarchy of keys like many PKI models in use today. We have:

  • Platform Key (PK): owned by the hardware manufacturer (OEM); it authorizes changes to the KEK.
  • Key Exchange Key (KEK): allows its holders (Microsoft and the OEM) to sign updates to the DB and DBX.
  • Allowed Signature Database (DB): certificates and hashes of the signers and images allowed to run; includes certs managed by Microsoft and the OEM.
  • Disallowed Signature Database (DBX): updated by Microsoft with revocation entries so that known-bad or revoked boot components are refused even if they carry a valid signature.

What Happens if the Secure Boot Certificate Expires?

So, we’ve already heard the certificates are expiring. It’s honestly about time since they were issued 15 years ago.

When the certificates expire (Microsoft has already issued the replacement 2023 certificates), devices will still start and operate as expected, and Windows Update will keep working.

Once the old certs expire, however, new security protections for the pre-boot process, including updates to Windows Boot Manager, the Secure Boot databases, revocation lists, and mitigations, can no longer be delivered to a device that only trusts the 2011 certificates.

This limits the device's protection against emerging threats and can potentially impact BitLocker security or third-party boot loaders. It's increasingly important to keep devices up to date with the latest firmware and security patches to get ahead of these issues.

The table below gives you some insight into the certificates being used by Secure Boot today:

Expiring certificate                  | Expiration date  | New certificate                      | Storing location | Purpose
Microsoft Corporation KEK CA 2011     | June 24, 2026    | Microsoft Corporation KEK 2K CA 2023 | KEK              | Signs updates to DB and DBX.
Microsoft Windows Production PCA 2011 | October 19, 2026 | Windows UEFI CA 2023                 | DB               | Signs the Windows boot loader.
Microsoft UEFI CA 2011*               | June 27, 2026    | Microsoft UEFI CA 2023               | DB               | Signs third-party boot loaders and EFI applications.
Microsoft UEFI CA 2011*               | June 27, 2026    | Microsoft Option ROM UEFI CA 2023    | DB               | Signs third-party option ROMs.

* The single 2011 third-party CA is replaced by two 2023 CAs, which is why it appears on two rows.

One neat thing you will see after the updates: the certificate used to sign third-party boot loaders is now separate from the one used to sign option ROMs. A revocation of one class of signer no longer has to affect the other, which raises overall system trust.

How to Update the Secure Boot Certificates

There’s a ton of information right now around updates for Secure Boot, including this amazing article by my friend Rudy here.

Simply put, the easiest thing you can do today is deploy the Secure Boot certificate update policy from the Settings Catalog in Intune:

Once these policies take effect, the devices WILL need a reboot to complete the update and become compliant.

This should cover the majority of your devices. You might run into some devices that throw an error in the policy status like the one below (75 error devices, OH NO!!):

Drilling in, we end up seeing our FAVORITE error, the generic Intune error 65000:

Another way to fix this, which I won't belabor, is the amazing script by my friend Mr. T-Bone here.

In my experience, the settings catalog policy will get you most of the way there.
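Before trusting the policy status alone, it helps to look at what the firmware actually holds. The PowerShell below is an added example (not code from the original post, from Microsoft, or from the scripts linked above) that reads the KEK and DB variables on a device, walks the EFI_SIGNATURE_LIST structures inside them to pull out the X.509 certificates (the key hierarchy described earlier), and reports whether the 2023 CAs from the table have landed after the reboot. Get-SecureBootUEFI and Confirm-SecureBootUEFI are the built-in SecureBoot module cmdlets; the function names, the expected common-name strings, and the idea of running it as an Intune remediation script are assumptions on my part.

```powershell
# Added example: verify the 2023 Secure Boot CAs directly from the UEFI variables.
# Assumes an elevated PowerShell session on a UEFI device with Secure Boot enabled.
#Requires -RunAsAdministrator

# SignatureType GUID for X.509 entries in an EFI_SIGNATURE_LIST (UEFI spec).
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificate {
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Variable)

    $bytes  = (Get-SecureBootUEFI -Name $Variable).Bytes
    $offset = 0
    # A Secure Boot variable is a sequence of EFI_SIGNATURE_LIST structures:
    #   GUID SignatureType (16) | UINT32 SignatureListSize | UINT32 SignatureHeaderSize |
    #   UINT32 SignatureSize | header[SignatureHeaderSize] | EFI_SIGNATURE_DATA[...]
    # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by the body.
    while ($offset -lt $bytes.Length) {
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        $dataStart  = $offset + 28 + $headerSize
        $listEnd    = $offset + $listSize

        if ($type -eq $EfiCertX509Guid) {
            for ($p = $dataStart; ($p + $sigSize) -le $listEnd; $p += $sigSize) {
                # Skip the SignatureOwner GUID; the remainder is a DER-encoded certificate.
                $der  = [byte[]]$bytes[($p + 16)..($p + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Variable
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
        # dbx is mostly EFI_CERT_SHA256 hash lists; those lists are skipped here.
        $offset = $listEnd
    }
}

function Test-SecureBoot2023Certificates {
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is not enabled on this device.'
    }
    $present = @(Get-SecureBootCertificate -Variable 'KEK') + @(Get-SecureBootCertificate -Variable 'db')

    # Replacement CAs and their storing location, taken from the certificate table in this post.
    $expected = @(
        @{ Variable = 'KEK'; CommonName = 'Microsoft Corporation KEK 2K CA 2023' }
        @{ Variable = 'db';  CommonName = 'Windows UEFI CA 2023' }
        @{ Variable = 'db';  CommonName = 'Microsoft UEFI CA 2023' }
        @{ Variable = 'db';  CommonName = 'Microsoft Option ROM UEFI CA 2023' }
    )

    foreach ($e in $expected) {
        # Anchor on the full CN so 'Microsoft UEFI CA 2023' does not match the Option ROM CA.
        $pattern = "CN=$([regex]::Escape($e.CommonName))(,|$)"
        $hit = $present | Where-Object { $_.Variable -eq $e.Variable -and $_.Subject -match $pattern }
        [pscustomobject]@{
            Variable    = $e.Variable
            Certificate = $e.CommonName
            Present     = [bool]$hit
        }
    }
}

# Usage: list everything the firmware trusts in DB, then summarize the 2023 rollout state.
Get-SecureBootCertificate -Variable 'db' | Format-Table Variable, Subject, NotAfter
Test-SecureBoot2023Certificates | Format-Table
```

If every row comes back Present = True, the device has taken the certificate portion of the update regardless of what the policy status says; if the KEK row is missing, the DB rows will not update either, because the KEK is what signs the DB and DBX updates. Exit with a non-zero code on a missing row if you wrap this as a detection script.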

Next, we will cover how reporting in Intune will help you validate some of these errors instead of firefighting the evil 65000 errors.

Reporting in Intune for Secure Boot

The easiest way to get to this report is just follow my link here.

Otherwise, you can go to Reports > Windows Quality Updates > Reports > Secure Boot Status if you enjoy punishing yourself.

This report is great because it shows you devices that are:

  • Up to date
  • Not up to date
  • Not applicable
  • “Unknown”

You can drill into “Not up to date” and see why a device might not be up to date.

It shows you which certs aren't up to date:

You can also drill into the confidence level, which gives you some additional information. A lower confidence level means the device might have a problem when the certificate is updated. For those devices, we usually recommend making sure the OEM firmware is up to date and all Windows patches have been applied before the update lands.

The “Unknown” section typically contains devices that haven't checked in for a long time or just haven't reported status back to Intune. Those are ones we want to keep an eye on but usually aren't as big of a concern.

Overall, anything showing Not applicable, Unknown, or Not up to date usually just needs some time to sort itself out: a check-in, the policy, and a reboot.
