Applies To
Windows 10; Windows 10, version 1607, all editions; Win 10 Ent LTSC 2019; Win 10 IoT Ent LTSC 2019; Windows 10 IoT Core LTSC; Windows 10 Enterprise LTSC 2021; Windows 10 IoT Enterprise LTSC 2021; Windows 10, version 22H2, all editions; Windows 11 Home and Pro, version 21H2; Windows 11 Enterprise Multi-Session, version 21H2; Windows 11 Enterprise and Education, version 21H2; Windows 11 IoT Enterprise, version 21H2; Windows 11 Home and Pro, version 22H2; Windows 11 Enterprise Multi-Session, version 22H2; Windows 11 Enterprise and Education, version 22H2; Windows 11 IoT Enterprise, version 22H2; Windows 11 SE, version 23H2; Windows 11 Home and Pro, version 23H2; Windows 11 Enterprise and Education, version 23H2; Windows 11 Enterprise Multi-Session, version 23H2; Windows 11 IoT Enterprise, version 23H2; Windows 11 SE, version 24H2; Windows 11 Enterprise and Education, version 24H2; Windows 11 Enterprise Multi-Session, version 24H2; Windows 11 Home and Pro, version 24H2; Windows 11 IoT Enterprise, version 24H2; Windows Server 2012 ESU; Windows Server 2012 R2 ESU; Windows Server 2016; Windows Server 2019; Windows Server 2022; Windows Server 2025

Original publish date: September 15, 2025

KB ID: 5068008

General Secure Boot FAQ

It’s best to update Secure Boot certificates well before the June 2026 expiration date. 

If your device is managed by Microsoft and shares diagnostic data with Microsoft, Microsoft will attempt to update the Secure Boot certificates automatically in most cases. Microsoft will make a best effort, but in some situations the update is not guaranteed to apply and customer action will be needed. The customer remains responsible for ensuring that the Secure Boot certificates are updated.

Some example situations in which Microsoft-managed devices that share diagnostic data still do not get updated:

  • Microsoft's Secure Boot certificate updates are available only on some in-support versions of Windows.

  • Diagnostic data sent by your device might be blocked by a firewall in your organization and never reach Microsoft.

  • The device firmware might have a defect that prevents the update from applying.

Note What does it mean to be “Managed by Microsoft”? The device shares diagnostic data with Microsoft and is managed through the Microsoft cloud or Intune.

If your device is not sharing diagnostic data with Microsoft and is managed by your organization’s IT department or by the customer, then the IT department can update the systems following Microsoft’s guidance in Windows Secure Boot certificate expiration and CA updates.

If the computer is managed by Microsoft, Secure Boot certificates are updated through Windows Update.  

If the computer is managed by your organization or business IT administrator, then the IT department has methods to update the system using the guidance in Windows Secure Boot certificate expiration and CA updates.

The computer will still start Windows normally even if the Secure Boot certificates are not updated. However, the computer will eventually stop receiving certain Windows security updates from Microsoft, including Boot Manager and Secure Boot component security updates. This puts the device at risk from bootkits that could take full control of the computer.

Windows 10 Support ends on October 14, 2025. For more information, see Windows 10 support ends on October 14, 2025

To continue to receive Security Updates after this date, customers remaining on Windows 10 can sign up for: 

Note

  • Windows 10 Enterprise LTSC is available for purchase either as a standalone SKU or as part of a Windows Enterprise E3 subscription.

  • Windows IoT Enterprise LTSC can be purchased directly from an OEM or through a Vendor License as a standalone SKU.

Customer/IT Managed Systems Secure Boot FAQ

There are two possible paths: 

  • If the computer is managed by Microsoft with diagnostic data shared and the OS is supported, Microsoft will attempt to update.

  • If the device is customer managed or managed by an IT administrator, then the IT department can apply the updates on the validated set of computers that can safely take updates per Microsoft guidance in Windows Secure Boot certificate expiration and CA updates.

These steps are expected to cover most devices without a firmware update from the OEM. However, in some cases the updates will not apply because of known or unknown issues in the device firmware. In those cases, follow the OEM's guidance on firmware updates.

Note The process above writes the new certificates into the Secure Boot active variables (such as the DB) through the OS. The Secure Boot firmware default values are maintained separately in the firmware released by the OEM, so resetting Secure Boot to its factory defaults can remove the certificates that the OS applied. The guidance is not to change or reset the Secure Boot configuration unless the OEM has released a firmware update that changes the firmware defaults to the new certificates.

If the certificates expire, Secure Boot protection is degraded. If the device meets the requirements for a newer OS such as Windows 11, upgrading to a newer version of Windows 11 remains possible.

If Secure Boot is not enabled on your Windows 10 LTSC devices, they are not included in the current rollout for the new Secure Boot certificates. When you begin the upgrade to Windows 11 LTSC, you will need to follow specific migration steps relevant at that time to ensure the new 2023 certificates are included.

Only supported Windows OS versions will get the certificates. 

After the certificates expire, the device will continue to boot as before; however, it will stop getting security updates for the boot manager and the Secure Boot components. This puts the entire device at risk of “bootkit” malware, which can undermine every other security control on the device.

For Windows running in a virtual environment, there are two methods for adding the new certificates to the Secure Boot firmware variables: 

  • The provider of the virtual environment (AWS, Azure, Hyper-V, VMware, and so on) can release an update for the environment that includes the new certificates in the virtualized firmware. This covers newly created virtual machines.

  • For Windows VMs that already exist and will run long term, the updates can be applied through Windows like any other device, provided the virtualized firmware supports Secure Boot variable updates.

These customer/IT-managed environments often lack sufficient diagnostic data for Microsoft to confidently and safely roll out new features. In addition, IT departments typically prefer to keep full control over update timing and content to ensure compliance, stability, and compatibility with internal tools and workflows. Many enterprise devices also operate in sensitive or restricted environments where the external access or management implied by Controlled Feature Rollout (CFR) may be undesirable or prohibited.

If Windows is already using the 2023-signed boot manager but the firmware is reset to defaults that do not include the Windows UEFI CA 2023 certificate, Secure Boot will block the boot manager and the device will not start.

To fix this, reapply the 2023 certificate to the firmware's DB using the recovery application: create a recovery USB, then boot the affected device from that USB to restore the missing certificate.

For step-by-step instructions, see Microsoft's official guidance for updating Windows install media.
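The Note in the previous section makes the point that the OS-side update changes the active Secure Boot variables, not the OEM firmware defaults, and the scenario above is what happens when those two drift apart. The script below is an added example for this page, not Microsoft's code or an official tool: it reads the active DB and KEK variables, reads the signer of the boot manager on the EFI system partition, and flags the combination that would block the next boot (2023-signed boot manager on disk, no Windows UEFI CA 2023 in DB). It assumes S: is a free drive letter for the ESP and that the 2011 and 2023 CA subject strings used below are the names Microsoft uses (the page itself names only "Windows UEFI CA 2023"; the other two are assumptions).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the KB): audit the Secure Boot active variables that the
# OS-side update writes, and compare them with the boot manager on the EFI system
# partition, so the "firmware reset to defaults" failure mode is caught while Windows
# is still running. Run from an elevated PowerShell prompt on the device.
# Assumptions: S: is unused; the CA subject strings are Microsoft's names for the
# 2011 and 2023 certificates (only "Windows UEFI CA 2023" appears on the page).

function Test-SecureBootCertPresence {
    param(
        [Parameter(Mandatory)][ValidateSet('db', 'KEK')][string]$Variable,
        [Parameter(Mandatory)][string]$Subject
    )
    # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST bytes of the active variable.
    # The X.509 subject names inside are stored as ASCII, so a substring search is enough
    # to tell whether a given CA is present; it does not validate the certificate itself.
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text.Contains($Subject)
}

function Get-BootManagerIssuer {
    # The boot manager lives on the ESP, which normally has no drive letter; mount it
    # temporarily and read the issuer of the Authenticode signer (the signing CA).
    $esp = 'S:'
    mountvol $esp /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature -FilePath "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
        if ($null -eq $sig.SignerCertificate) { return $null }
        return $sig.SignerCertificate.Issuer
    } finally {
        mountvol $esp /D | Out-Null
    }
}

function Get-SecureBootCertStatus {
    # The page notes that devices without Secure Boot enabled are not in the rollout.
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is not enabled on this device.'
    }
    $issuer = Get-BootManagerIssuer
    $status = [ordered]@{
        DbHasWindowsUefiCa2023  = Test-SecureBootCertPresence -Variable db  -Subject 'Windows UEFI CA 2023'
        DbHasProductionPca2011  = Test-SecureBootCertPresence -Variable db  -Subject 'Microsoft Windows Production PCA 2011'
        KekHasMicrosoftKek2023  = Test-SecureBootCertPresence -Variable KEK -Subject 'Microsoft Corporation KEK 2K CA 2023'
        BootManagerIssuer       = $issuer
        BootManagerIs2023Signed = [bool]($issuer -match 'Windows UEFI CA 2023')
    }
    # The failure mode described in the FAQ: the boot manager on disk is 2023-signed but
    # the active DB no longer carries the 2023 CA (for example after a firmware reset to
    # defaults). The firmware will refuse bootmgfw.efi on the next boot and the recovery
    # USB is needed, so flag it now.
    $status.WillBlockNextBoot = $status.BootManagerIs2023Signed -and -not $status.DbHasWindowsUefiCa2023
    # Expected end state after the update: 2023 CA in DB, 2023 KEK in KEK, and the boot
    # manager already signed under the new CA.
    $status.UpdateComplete = $status.DbHasWindowsUefiCa2023 -and $status.KekHasMicrosoftKek2023 -and $status.BootManagerIs2023Signed
    return [pscustomobject]$status
}

Get-SecureBootCertStatus | Format-List
```

A device that has taken the full update reports UpdateComplete as True; a device that still boots with the 2011-signed boot manager and has no 2023 entries is simply not yet updated. WillBlockNextBoot is the case to act on before rebooting: either the firmware defaults were restored over the OS-applied variables, or the boot manager was swapped ahead of the DB update, and the recovery USB described above is the way back.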
