The Secure Boot certificate update arriving in 2026 isn’t just another Windows update. For Windows 11 environments, especially those standardized on 23H2 and newer, this is an opportunity to strengthen the integrity of your fleet before the industry’s attention turns to the expiration of the original 2011 Microsoft UEFI certificates.
This Change Matters – A LOT
Secure Boot is one of those technologies you rarely hear about: there is almost nothing to configure, and it just works. It ensures that the earliest stages of the boot process, before Windows loads, are protected from tampering. It is the first line of defense against bootkits and pre-boot malware, and its foundation is a chain of trust built from certificates stored in the device's firmware (the KEK and DB signature databases).
Those original certificates, issued in 2011, begin expiring in June 2026. Microsoft has already released replacement 2023 certificates, but the responsibility for ensuring they are actually deployed across your fleet falls to you.
If the updated certificates aren't installed, devices will not suddenly stop working. They won't fail to boot, because firmware does not enforce certificate expiry against boot components that are already signed. What they lose is the ability to accept anything signed only by the 2023 certificates: future boot manager updates and Secure Boot revocation (DBX) updates may fail to apply, and the device may fall out of alignment with compliance expectations in regulated industries.
The device will still run, but the trust you place in it becomes less certain. This is a silent problem, one you may not realize you have, so take proactive steps now to make sure your devices remain protected.
Real‑World Impact for Enterprise Environments
The expiration of the 2011 certificates will not create a single failure point. Instead, it starts a slow drift away from a fully trusted boot chain. Over time, that drift shows up in several ways:
- Reduced protection against early-boot threats: attackers who target the boot process rely on gaps in the trust chain. A device stuck on the 2011 certificates cannot receive the boot components and revocations signed with the 2023 certificates, so those gaps stay open.
- Incompatibilities with future Secure Boot updates: Microsoft revokes compromised boot managers by pushing entries into the forbidden-signature database (DBX). Devices without the updated KEK may be unable to apply those revocations.
- Compliance and audit challenges: many frameworks, especially in regulated industries like government, healthcare, and finance, require that Secure Boot is fully functional.
- Operational inconsistency: a mixed fleet of “fully trusted” and “partially trusted” devices can complicate support, incident response, and compliance/risk assessments.
None of these issues will appear overnight, but they will accumulate if the certificate update is not addressed.
Intune to the Rescue
The Secure Boot certificate update is delivered through Windows Update, which is the supported path and the one Microsoft expects organizations to use. But as every endpoint admin knows, a device can only update when its Windows Update ecosystem is healthy.
In the real world, many environments have unintentional, silent blockers that prevent devices from receiving updates, even when everything looks right from the console. Some of the most common are:
- Devices that never received a Windows Update for Business (WUfB) policy
- Update deferrals set too high
- Updates paused indefinitely
- Devices stuck in a failed Windows Update scan state
- Out-of-date firmware that cannot accept the new certificates (the KEK and DB updates are authenticated variable writes that the firmware must accept)
These issues don't just block the Secure Boot certificate update; they prevent the device from updating at all. The certificate transition is simply one more thing left exposed on an already stale device. This is where Intune becomes more than a management tool and helps you diagnose the underlying issues.
Intune‑Only Approach to Readiness
If you're using Intune today, you don't need to make major changes to your environment to prepare for the new certificates. It's really about having visibility, consistency, and a plan for exceptions. Here's a practical approach that relies only on Intune.
1. Detection = Visibility
A good starting place is deploying a detection script through Intune remediations (formerly called proactive remediations) that reports whether:
- Secure Boot is enabled
- The 2023 certificates are present in the firmware's DB and KEK
- The device needs OEM firmware updates
- Windows Update is blocked or misconfigured
This gives you visibility into your devices' readiness. It also helps you spot patterns, such as specific models, update rings, or user groups that need special attention. The goal is to understand where your environment stands; once you know that, you can proceed to remediation.
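The detection half of such a remediation package, written for this article as an added example (it is not Microsoft's script and not code from the original post). It follows the Intune remediations contract: exit 0 means ready, exit 1 means the remediation script should run, and the last line written is what appears in the console. The certificate subject strings are the documented 2023 CA names; the registry paths are where the Update CSP, the Settings app and the Secure Boot servicing task write, and the 30-day deferral and 14-day scan-age thresholds are assumptions you should tune to your rings.

```powershell
# Added example: Intune remediations DETECTION script for Secure Boot 2023-certificate readiness.
# Run as SYSTEM in 64-bit PowerShell. Exit 0 = ready, exit 1 = needs attention.
# Assumptions (labelled): 30-day deferral and 14-day scan-age thresholds are policy choices;
# registry paths are the Update CSP, Settings-app and Secure Boot servicing locations.
$ErrorActionPreference = 'SilentlyContinue'
$issues = [System.Collections.Generic.List[string]]::new()

# --- 1. Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI hardware. ---
$secureBoot = $false
try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }
if (-not $secureBoot) { $issues.Add('SecureBootOff') }

# --- 2. Are the 2023 CAs in the firmware DB and KEK? The variables are raw EFI_SIGNATURE_LIST
#        blobs; certificate subject names are ASCII inside the DER, so a string match suffices. ---
$dbHas2023 = $false; $kekHas2023 = $false
if ($secureBoot) {
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $dbHas2023  = $db  -match 'Windows UEFI CA 2023'
    $kekHas2023 = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    if (-not $dbHas2023)  { $issues.Add('DbMissingWindowsUefiCa2023') }
    if (-not $kekHas2023) { $issues.Add('KekMissing2023') }
}
# Progress value written by the Secure Boot servicing task once the update has been delivered
# (NotStarted / InProgress / Updated). Null means the device has not received the servicing payload.
$svcStatus = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing').UEFICA2023Status

# --- 3. Windows Update health. ---
# a) Did an MDM Update policy ever land? The Update CSP writes under PolicyManager\current\device\Update.
$mdmUpdate = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
if (-not $mdmUpdate) { $issues.Add('NoWufbPolicy') }
# b) Deferral so high the device will not see the update in a reasonable window (30 days is an assumption).
$defer = [int]$mdmUpdate.DeferQualityUpdatesPeriodInDays
if ($defer -gt 30) { $issues.Add("QualityDeferral=$defer") }
# c) Paused: policy-driven (PauseQualityUpdatesStartTime) or user-driven (UX\Settings\PauseUpdatesExpiryTime).
$ux = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
if ($mdmUpdate.PauseQualityUpdatesStartTime -or $ux.PauseUpdatesExpiryTime) { $issues.Add('UpdatesPaused') }
# d) Stale or failed scans: the Automatic Updates COM object records the last successful search.
$lastScan = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results.LastSearchSuccessDate
if (-not $lastScan -or $lastScan -lt (Get-Date).AddDays(-14)) { $issues.Add('NoRecentScan') }

# --- 4. Firmware inventory, so console output can be grouped by model and BIOS version. ---
$bios = Get-CimInstance Win32_BIOS
$sys  = Get-CimInstance Win32_ComputerSystem
$fw   = '{0} {1} BIOS={2} ({3:yyyy-MM-dd})' -f $sys.Manufacturer, $sys.Model, $bios.SMBIOSBIOSVersion, $bios.ReleaseDate

# --- Summary line and exit code for the Intune console. ---
$summary = "SecureBoot=$secureBoot DB2023=$dbHas2023 KEK2023=$kekHas2023 Servicing=$svcStatus | $fw | Issues: " +
           $(if ($issues.Count) { $issues -join ',' } else { 'none' })
Write-Output $summary
if ($issues.Count) { exit 1 } else { exit 0 }
```

Export the remediation report to CSV and pivot on the firmware column: a model whose BIOS predates the OEM's Secure Boot fix will show `DbMissingWindowsUefiCa2023` with `Servicing=Updated`, which is the signature of a firmware problem rather than a Windows Update problem.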
2. Remediate Automatically
Once you've identified which devices are out of compliance, you can use Intune to remediate them automatically. To start, the remediation script doesn't need to be complex. It can focus on the basics, like:
- Triggering a Windows Update scan
- Clearing any paused or deferred update states
- Ensuring the device can receive and apply the certificate update
This gives you a scalable way to bring devices back into compliance and lets you focus on the hopefully small number of devices that can't be remediated automatically.
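The matching remediation script, again an added example written for this article rather than Microsoft's or the original author's code. Intune runs it only on devices where detection exited 1. It deliberately touches only device-local blockers: the user-initiated pause values the Settings app writes under `UX\Settings` (an assumption about where that pause lives), the Windows Update service, and the `\Microsoft\Windows\PI\Secure-Boot-Update` scheduled task that applies the certificates once Windows Update has delivered them. Policy-driven deferrals and pauses are left alone on purpose, because those belong to the update ring and should be fixed in Intune, not overwritten per device.

```powershell
# Added example: Intune remediations REMEDIATION script, paired with the detection script above.
# Run as SYSTEM in 64-bit PowerShell. Assumption (labelled): the UX\Settings values are the ones
# the Settings app writes for a user pause; MDM/GPO-driven pauses are intentionally not touched.
$ErrorActionPreference = 'SilentlyContinue'
$log = [System.Collections.Generic.List[string]]::new()

# 1. Clear a user-initiated pause. Policy pauses (PauseQualityUpdatesStartTime in the MDM hive)
#    are corrected in the Intune ring, so they are not removed here.
$ux = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
$pauseValues = 'PauseUpdatesStartTime', 'PauseUpdatesExpiryTime',
               'PauseFeatureUpdatesStartTime', 'PauseFeatureUpdatesEndTime',
               'PauseQualityUpdatesStartTime', 'PauseQualityUpdatesEndTime'
foreach ($name in $pauseValues) {
    if ($null -ne (Get-ItemProperty -Path $ux -Name $name)) {
        Remove-ItemProperty -Path $ux -Name $name
        $log.Add("cleared $name")
    }
}

# 2. Make sure the Windows Update service can actually run.
$wu = Get-Service -Name wuauserv
if ($wu.StartType -eq 'Disabled') { Set-Service -Name wuauserv -StartupType Manual; $log.Add('wuauserv re-enabled') }
if ($wu.Status -ne 'Running')    { Start-Service -Name wuauserv; $log.Add('wuauserv started') }

# 3. Force a scan and report what it finds. The COM searcher is synchronous, so the count is
#    available for the console line, and a failure surfaces the real WU error for triage.
try {
    $session  = New-Object -ComObject Microsoft.Update.Session -ErrorAction Stop
    $result   = $session.CreateUpdateSearcher().Search('IsInstalled=0 and IsHidden=0')
    $log.Add("scan ok: $($result.Updates.Count) update(s) pending")
} catch {
    $log.Add("scan failed: $($_.Exception.Message)")
}

# 4. The certificates are written to firmware by the Secure-Boot-Update scheduled task after
#    Windows Update delivers the servicing payload. Re-enable it if someone disabled it, then run it.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update'
if ($task) {
    if ($task.State -eq 'Disabled') { $task | Enable-ScheduledTask | Out-Null; $log.Add('Secure-Boot-Update task enabled') }
    $task | Start-ScheduledTask
    $log.Add('Secure-Boot-Update task started')
}

Write-Output ($log -join '; ')
exit 0
```

Because detection runs again on the next schedule, a device that still reports `DbMissingWindowsUefiCa2023` after this script has run twice is a strong candidate for the firmware follow-up list in the next step.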
3. Identify Devices That Need a Firmware Update
Some devices will require a firmware update to fully support the new certificates. Intune can't always apply those updates directly (OEM firmware typically ships through the OEM's own tooling or as driver and firmware packages on Windows Update), but it can tell you which devices need them. Those devices become your targeted follow-up list. You can work with your internal support teams to find the right path forward for them.
4. Future Enforcement Through Custom Compliance
Once your environment is stable, you can begin thinking about long-term governance. Intune's custom compliance engine lets you define a compliance policy (a discovery script plus a JSON rules file) that checks for the updated certificates and marks a device noncompliant if they are not found. Conditional Access can then use that compliance state to keep noncompliant devices away from sensitive resources.
You wouldn't necessarily need to enforce this today, but having the rule ready lets you turn it on when you are.
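A custom compliance policy for this check, as an added example written for this article (not Microsoft's or the original author's code). The discovery script must emit exactly one line of compressed JSON, and every key it emits is matched by `SettingName` in the rules file that you upload alongside it; the rules file is shown inside a block comment so the whole package sits in one place. The `MoreInfoUrl` is a placeholder for your own knowledge-base article, and the setting names are assumptions you can rename as long as script and rules agree.

```powershell
# Added example: DISCOVERY script for an Intune custom compliance policy, plus its rules JSON.
# Run as SYSTEM, 64-bit, "run using logged-on credentials" = No. Output: one compressed JSON line.
# Assumptions (labelled): setting names are arbitrary but must match the rules file;
# MoreInfoUrl is a placeholder for your internal KB.
$secureBoot = $false; $dbHas2023 = $false; $kekHas2023 = $false
try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }
if ($secureBoot) {
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $dbHas2023  = [bool]($db  -match 'Windows UEFI CA 2023')
    $kekHas2023 = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')
}
# Keys here are the SettingName values referenced by the rules file below.
[ordered]@{
    SecureBootEnabled     = $secureBoot
    WindowsUefiCa2023InDb = $dbHas2023
    Kek2023Present        = $kekHas2023
} | ConvertTo-Json -Compress

<#
Rules file: save as secureboot-2023.json and upload when creating the custom compliance policy.
Boolean settings use Operator "IsEquals" with a literal true/false Operand.
{
  "Rules": [
    {
      "SettingName": "SecureBootEnabled",
      "Operator": "IsEquals", "DataType": "Boolean", "Operand": true,
      "MoreInfoUrl": "https://intranet.example/kb/secure-boot-2023",
      "RemediationStrings": [ { "Language": "en_US",
        "Title": "Secure Boot is disabled",
        "Description": "Enable Secure Boot in firmware, or contact the service desk." } ]
    },
    {
      "SettingName": "WindowsUefiCa2023InDb",
      "Operator": "IsEquals", "DataType": "Boolean", "Operand": true,
      "MoreInfoUrl": "https://intranet.example/kb/secure-boot-2023",
      "RemediationStrings": [ { "Language": "en_US",
        "Title": "Secure Boot 2023 certificate missing",
        "Description": "Install pending Windows updates and restart. If this persists, a firmware update is required." } ]
    },
    {
      "SettingName": "Kek2023Present",
      "Operator": "IsEquals", "DataType": "Boolean", "Operand": true,
      "MoreInfoUrl": "https://intranet.example/kb/secure-boot-2023",
      "RemediationStrings": [ { "Language": "en_US",
        "Title": "Secure Boot 2023 KEK missing",
        "Description": "Install pending Windows updates and restart. Without the 2023 KEK, future revocation (DBX) updates cannot be applied." } ]
    }
  ]
}
#>
```

Assign the policy with the compliance action set to "mark noncompliant" after a grace period first, so the report fills in without triggering Conditional Access; shorten the grace period to zero only once the remediation rollout has brought the numbers down.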
Final Thoughts
The 2026 Secure Boot certificate shift marks a significant moment for organizations. While it is a routine technical update delivered by normal processes, it has implications for security, compliance, and operational integrity.
Proactive preparation is not just advisable; it is essential to ensure continued trust in your devices. By leveraging the detection, remediation, and compliance capabilities within Intune, admins can stay ahead of potential issues and maintain their organization's existing security posture. Early action will help mitigate silent vulnerabilities and prevent compliance issues in the future.