Secure Boot certificate rollout
Microsoft’s Secure Boot 2026 certificate update will require UEFI certificate updates across managed Windows fleets, giving admins a device-management task with a fixed time window. Intune is positioned as the easiest orchestration path to push those updates and enforce device health checks at scale. (windowsnews.ai)
Microsoft’s current Secure Boot certificates—first issued in 2011—are scheduled to begin expiring in June 2026, creating a hard deadline for certificate renewal across affected Windows fleets. (techcommunity.microsoft.com) Microsoft began distributing updated Secure Boot certificates via monthly Windows updates earlier in 2026 to seed devices ahead of the June expiration window. (bleepingcomputer.com)
Intune exposes an “Enable Secure Boot Certificate Updates” setting in the Windows 10 and later Settings catalog and a separate “Configure Microsoft Update Managed Opt In” policy that enrolls devices in Microsoft’s managed rollout. (support.microsoft.com) Administrators are advised to use model-based assignment filters in Intune to target only validated SKUs during phased deployment, a pattern Microsoft documents as part of its recommended rollout mechanics. (windowsforum.com)
Monitoring options include Intune Proactive Remediations with PowerShell detection and remediation scripts and a non-remediation monitoring-only detection that reports Secure Boot and certificate installation status back to the Intune admin center. (endpointninja.com)
Firmware and OEM BIOS updates remain a separate dependency—many devices will still require vendor firmware patches to complete the trust-path refresh, and Windows 10 devices under ESU are highlighted as higher-risk if OEM updates are unavailable. (systemcenterdudes.com) Field reports note some hardware requires multiple reboots and that the rollout mechanism relies on a registry-triggered scheduled task on endpoints, so staged validation and timed maintenance windows are being recommended in guidance from Microsoft and community experts. (systemcenterdudes.com)
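
A sketch of the monitoring-only detection mentioned above, added here as an example and not taken from Microsoft or any of the cited sources. The certificate names `Windows UEFI CA 2023` and `Microsoft Corporation KEK 2K CA 2023` are assumptions not stated on this page; confirm them against Microsoft's current guidance before deploying.

```powershell
# Monitoring-only detection for Intune Proactive Remediations (added example).
# Reports Secure Boot state and whether the 2023 certificates are present in the
# UEFI db and KEK variables. It always exits 0, so no remediation is triggered;
# Intune records the single output line for reporting.

# Assumption: these subject names identify the replacement certificates.
$Expected = [ordered]@{
    db  = 'Windows UEFI CA 2023'
    KEK = 'Microsoft Corporation KEK 2K CA 2023'
}

function Test-CertInVariable {
    param([string]$Name, [string]$Subject)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
        # Certificates are stored DER-encoded; the subject CN is readable as ASCII.
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)
        return ($text -match [regex]::Escape($Subject))
    } catch {
        return $null   # variable unreadable: legacy BIOS, missing privileges, etc.
    }
}

function Format-State($Value) {
    if ($null -eq $Value) { 'Unknown' } elseif ($Value) { 'Present' } else { 'Missing' }
}

# Confirm-SecureBootUEFI throws on platforms without UEFI Secure Boot support.
try {
    $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
} catch {
    $secureBoot = 'Unsupported'
}

$parts = @("SecureBoot=$secureBoot")
foreach ($name in $Expected.Keys) {
    $state = Format-State (Test-CertInVariable -Name $name -Subject $Expected[$name])
    $parts += "$name`2023=$state"
}

# Intune surfaces only the last line of output, so emit one compact record.
Write-Output ($parts -join '; ')
exit 0
```

Deployed without a remediation script, this only reports; devices showing `Missing` after the policy has applied are candidates for the firmware and reboot checks described above.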