Microsoft Secure Boot Certificates

Windows Secure Boot Certificates

Secure Boot is a security feature in the UEFI-based firmware (Unified Extensible Firmware Interface) that ensures that only trusted software is executed during a device's boot sequence. Since Windows introduced support for Secure Boot, all Windows-based devices have the same set of Microsoft certificates in the CEC and database. These original certificates are approaching their expiry date of June 2026, so in order to continue running Windows and receive regular updates to your Secure Boot configuration, you will need to update these certificates.

Next Steps:

Inventory & identification of the affected systems.

Checking UEFI/BIOS/firmware compatibility or availability of required OEM updates.

Piloting / validation on representative systems.

Patching / certificate update incl. required reboot.

Success control (check whether the 2023 certificates are available in KEK/DB).

we transform for the better

Inventory

Physical and virtual machines (VMs) with supported versions of:

Windows 10
Windows 11
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022
Windows Server 2025

This affects all systems released since 2012, including Long-Term Servicing Channel (LTSC).

⚠️ Note: Windows 8 is also affected, but is no longer supported.

Note:
Affected third-party operating systems also include macOS. However, these are outside the scope of Microsoft support.
For Linux systems dual-booting with Windows, Windows updates the certificates that Linux relies on.

Source: https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856

we transform for the better

Patching

Updating the secure boot certificates depends on the support provided by the UEFI/BIOS/firmware of the respective manufacturer. In certain cases, a Windows update alone is not sufficient. In addition, a current OEM firmware/BIOS update may be required so that the new 2023 secure boot certificates (especially KEK and DB) can be successfully installed:

Microsoft OEM Manufacturer: Original Equipment Manufacturer (OEM) pages for Secure Boot - Microsoft Support
Microsoft Azure Local: Security updates for Azure Local - Azure Local | Microsoft Learn
Microsoft Playbook Windows Server: Windows Server Secure Boot playbook for certificates expiring in 2026 | Microsoft Community Hub
Microsoft Playbook Windows Client: Secure Boot playbook for certificates expiring in 2026
Broadcom: Secure Boot Certificate Expirations and Update Failures in VMware Virtual Machines
Broadcom: Manual Update of the Secure Boot Platform Key in Virtual Machines
RedHat: Secure Boot Certificate Changes in 2026: Guidance for RHEL Environments - Red Hat Customer Portal
HP Client: https://support.hp.com/us-en/document/ish_13070353-13070429-16
Lenovo: https://support.lenovo.com/de/en/solutions/ht518129-2011-microsoft-secure-boot-certificate-expiration-lenovo-commercial-pcs
Dell Client: https://www.dell.com/support/kbdoc/en-us/000390990/secure-boot-transition-faq?msockid=224440b9ea8f60452cc65600eb706198