Microsoft warns of certificate expirations
- Microsoft said on February 10, 2026, that Secure Boot certificates issued in 2011 begin expiring in June, requiring updates on affected Windows devices.
- Microsoft rated CVE-2026-42898 in Dynamics 365 on-premises at 9.9, describing a network code-execution flaw that affects authenticated users and needs patching.
- On June 30, Microsoft will remove Teams Together mode; administrators can track related service changes in the Microsoft 365 Message center.

Microsoft is asking Windows administrators and users to prepare for a June 2026 security deadline that does not stop PCs from booting, but can leave them unable to receive future boot-level protections. The company said certificates used by Secure Boot since 2011 begin expiring in June and must be replaced with newer 2023 certificates on affected devices. In the same May patch cycle, Microsoft published a critical Dynamics 365 on-premises vulnerability, CVE-2026-42898, and separately said Teams will retire Together mode on June 30. The overlap leaves enterprise administrators handling firmware checks, patch deployment and product-change notices at the same time.

### Which Windows devices are affected by the certificate deadline?

Microsoft said in a support article published February 10 that “most devices” will receive updated Secure Boot certificates automatically, but some systems will need additional firmware updates from hardware makers. The certificates originally issued in 2011 begin expiring in June 2026, according to Microsoft’s support and troubleshooting guidance.

Secure Boot is the UEFI-based process that verifies trusted firmware modules and boot software before Windows starts. Microsoft said devices that do not receive the newer 2023 certificates will still start and continue getting standard Windows updates, but they will no longer be able to receive new protections for the early boot process, including updates to Windows Boot Manager, Secure Boot databases and revocation lists. (support.microsoft.com)

### If machines still boot, why is Microsoft telling people to act now?

Microsoft said the loss is in future protection, not day-one operability. Its support documents say an unremediated device can become “progressively less protected” as new boot-chain threats emerge because future fixes for early-boot vulnerabilities may no longer apply.
(support.microsoft.com)

Microsoft’s troubleshooting guidance also lists concrete signs that a device has not been updated. Administrators may see Event ID 1801 or 1795 in system logs, or find that the registry value `UEFICA2023Status` is not set to “Updated,” according to Microsoft Learn. The company said higher-risk environments may also see Secure Boot validation errors, BitLocker recovery prompts, startup hangs or failed boots if outdated firmware interferes with the certificate rollout. (support.microsoft.com)

### What is Microsoft telling administrators to do on Secure Boot?

Microsoft said organizations should inventory devices, validate certificate status, update firmware first where needed, and test the rollout on pilot groups before broad deployment. The company lists Intune, registry keys, Windows Configuration Service Provider and Group Policy among supported deployment methods. (learn.microsoft.com)

Microsoft also said Secure Boot should not be disabled as a workaround. Its support article says turning the feature off removes safeguards against boot-level malware and creates new security and compliance risks.

### How serious is the Dynamics 365 flaw released in May?

Microsoft’s Security Update Guide lists CVE-2026-42898 as a Microsoft Dynamics 365 on-premises remote code execution vulnerability. (learn.microsoft.com) NIST’s National Vulnerability Database describes it as improper control of code generation in Dynamics 365 on-premises that allows an authorized attacker to execute code over a network, and third-party CVE mirrors reflecting Microsoft’s advisory show a CVSS 3.1 score of 9.9. (support.microsoft.com)

The vulnerability affects on-premises deployments rather than Microsoft’s cloud service, based on the product naming in Microsoft’s advisory and NVD’s entry.
Because the flaw requires an authorized attacker, the issue is narrower than an unauthenticated internet-wide bug, but Microsoft still classified it as critical in the May 12 security release. (nvd.nist.gov)

### Why is Teams part of the same workload for IT departments?

Microsoft said on May 14 that Together mode in Teams will no longer be available beginning June 30. Katarina Tranker, a product manager on the Teams team, said the change will remove the Together mode toggle from the meeting View menu and retire scenes and custom scenes, including seat assignments. (nvd.nist.gov)

Microsoft said organizations that used scenes for branding can switch to organization-provided branded backgrounds, while the company consolidates meeting layouts around Gallery view. The Microsoft 365 admin documentation says administrators should use Message center to track upcoming changes and required actions across Microsoft 365 services. (techcommunity.microsoft.com)

June 30 is the next fixed date in the sequence. By then, Together mode is scheduled to disappear from Teams, while Windows administrators still need affected devices updated with 2023 Secure Boot certificates before the June 2026 expirations begin. (techcommunity.microsoft.com)
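
The Secure Boot status checks and pilot-first rollout described above, as an added example that is not from Microsoft or the article's sources: it triages a constructed inventory export using the two signs the article names (Event ID 1801 or 1795, or `UEFICA2023Status` not set to "Updated") and holds broad deployment until the pilot group is clean. The CSV column names, ring labels, device names and the non-"Updated" status string are assumptions.

```python
import csv
import io

# Constructed sample export. Column names and ring labels are assumptions, not a
# Microsoft format; "SomeOtherValue" is a placeholder for any non-"Updated" state.
# event_ids holds the IDs seen in the system log, separated by ';'.
SAMPLE_EXPORT = """device,ring,UEFICA2023Status,event_ids
PC-001,pilot,Updated,
PC-002,pilot,SomeOtherValue,1801
PC-003,broad,,1795;1801
PC-004,broad,updated ,
PC-005,broad,Updated,1801
"""

# Event IDs the article lists as signs that a device has not been updated.
NOT_UPDATED_EVENTS = {1801, 1795}


def triage(export_text):
    """Return {device: {"ring": str, "reasons": [str]}}; empty reasons = updated."""
    results = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = []
        # Tolerate stray whitespace and case changes introduced by export tools.
        status = (row.get("UEFICA2023Status") or "").strip()
        if status.lower() != "updated":
            # A missing value is treated like any other non-"Updated" state.
            reasons.append(f"UEFICA2023Status={status or '<missing>'}")
        seen = {int(e) for e in (row.get("event_ids") or "").split(";") if e.strip()}
        for event_id in sorted(seen & NOT_UPDATED_EVENTS):
            reasons.append(f"Event ID {event_id}")
        results[row["device"]] = {"ring": row["ring"].strip().lower(), "reasons": reasons}
    return results


def broad_rollout_cleared(results):
    """Pilot gate: broad deployment waits until every pilot device is clean."""
    pilot = [r for r in results.values() if r["ring"] == "pilot"]
    return bool(pilot) and all(not r["reasons"] for r in pilot)


if __name__ == "__main__":
    report = triage(SAMPLE_EXPORT)
    for device, info in report.items():
        print(device, info["ring"], "; ".join(info["reasons"]) or "updated")
    print("broad rollout cleared:", broad_rollout_cleared(report))
```

A device such as PC-005, whose registry value reads "Updated" but which still logged one of the event IDs, is kept on the review list because the article names either condition as a sign.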