Microsoft Defender for Endpoint Blog

Assess Secure Boot status with Microsoft Defender

amitcohen
Apr 27, 2026

Enterprise organizations are approaching a critical security milestone: Windows Secure Boot 2011 certificates, currently deployed across millions of devices, are scheduled to expire in June 2026. These certificates need to be replaced by the newer 2023 certificates. To help organizations prepare, Microsoft Defender is introducing a new tool that provides centralized visibility into Secure Boot 2023 certificate readiness across your device fleet.

Understanding the Secure Boot certificate challenge

Secure Boot is a foundational security feature that validates the integrity of your device's boot process, ensuring only trusted software can run during system startup. This protection has been quietly defending enterprise devices since 2012, but the original 2011 certificates that enable this trust are approaching their expiration date.

When the 2011 certificates expire in June 2026, devices that have not transitioned to the new Windows UEFI CA 2023 certificates will continue to boot, but they may no longer be able to receive or enforce new security protections for the earliest stages of system startup. Over time, this can weaken the device's root of trust and expose it to classes of attacks that operate before the operating system and its security controls are fully loaded:

  • Malicious or tampered boot components may no longer be reliably blocked if they are not signed with trusted certificates
  • Devices may be unable to adopt future Secure Boot policy updates designed to mitigate newly discovered boot-level threats
  • Attackers may attempt to leverage boot-level persistence techniques that operate below the visibility of traditional security controls

As new vulnerabilities and protections are introduced, devices that are not updated will gradually fall behind in their ability to enforce trust at boot. The challenge isn't just knowing that this transition needs to happen; it's understanding which devices in your fleet have successfully completed the update and which still require attention.

Introducing Secure Boot 2023 certificate assessment

A new recommendation in Defender allows you to verify that devices have been updated to the Secure Boot 2023 certificates and the 2023-signed boot manager, providing a centralized, at-scale view of Secure Boot certificate readiness across your environment.

This assessment automatically categorizes your devices into:

  • Exposed devices: Still trusting only the older 2011 Secure Boot certificates, with no trust established for the 2023 certificates
  • Compliant devices: Successfully relying on the 2023 certificates and the 2023-signed boot manager
  • Not applicable devices: Systems where Secure Boot is disabled or not supported
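To check a single device against the same three buckets before the fleet-wide view is available, the following PowerShell function is an added example (not Microsoft's code and not part of this post). It assumes an elevated session on a Windows device, uses the SecureBoot module's Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets, and, optionally, assumes the EFI System Partition has been mounted with `mountvol S: /s` so the boot manager's signer can be inspected.

```powershell
# Added example: classify the local device as Exposed / Compliant / Not applicable.
# Requires an elevated PowerShell session (UEFI variables are admin-only).
function Get-SecureBoot2023Readiness {
    param(
        # Assumption: drive letter of the mounted EFI System Partition, e.g. 'S:'
        # (mountvol S: /s). Leave empty to skip the boot manager signer check.
        [string]$EspDrive = ''
    )
    $result = [ordered]@{ Category = $null; SecureBootEnabled = $null;
                          Trusts2023CA = $null; BootManagerIssuer = $null }

    # 1. "Not applicable": Secure Boot disabled, or firmware without Secure Boot
    #    (Confirm-SecureBootUEFI errors out on non-UEFI / unsupported machines).
    try { $result.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch {
        $result.Category = 'Not applicable (Secure Boot not supported)'
        return [pscustomobject]$result
    }
    if (-not $result.SecureBootEnabled) {
        $result.Category = 'Not applicable (Secure Boot disabled)'
        return [pscustomobject]$result
    }

    # 2. Does the firmware signature database (db) contain the 2023 CA?
    #    The certificate subject is stored as ASCII inside the DER blob, so a
    #    substring match over the raw variable bytes is sufficient here.
    $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
    $dbText  = [System.Text.Encoding]::ASCII.GetString($dbBytes)
    $result.Trusts2023CA = [bool]($dbText -match 'Windows UEFI CA 2023')

    # 3. Optional: which CA issued the signer of the installed boot manager?
    #    Assumption: the 2023-signed boot manager chains to an issuer whose
    #    name contains "2023"; the legacy one chains to the 2011 PCA.
    if ($EspDrive) {
        $bootmgr = "$EspDrive\EFI\Microsoft\Boot\bootmgfw.efi"
        $sig = Get-AuthenticodeSignature -FilePath $bootmgr
        $result.BootManagerIssuer = $sig.SignerCertificate.Issuer
    }

    # 4. Classify in the same spirit as the Defender recommendation.
    if (-not $result.Trusts2023CA) {
        $result.Category = 'Exposed (2023 CA missing from db)'
    } elseif ($EspDrive -and $result.BootManagerIssuer -notmatch '2023') {
        $result.Category = 'Exposed (2023 CA trusted, boot manager not yet 2023-signed)'
    } else {
        $result.Category = 'Compliant'
    }
    [pscustomobject]$result
}

Get-SecureBoot2023Readiness | Format-List
```

Without the `-EspDrive` parameter the function reports "Compliant" on the certificate side only, so pair it with the portal view, which also accounts for the boot manager.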

From the recommendation view, you can:

  • Drill down into exposed devices and identify exactly which systems require attention
  • Filter by OS platform and device context to prioritize remediation efforts
  • Export device data to share with infrastructure and platform teams
  • Track rollout progress across your organization
  • Integrate findings into existing security posture workflows
[Secure Boot 2023 recommendation in MDE portal showing deployment status across the fleet]

Take action on your Secure Boot readiness

To access this tool in the Defender portal, navigate to Exposure Management → Recommendations → Devices → Misconfigurations. Once Defender identifies exposed devices, it provides remediation guidance.

For detailed deployment guidance, including enterprise rollout strategies and validation practices, see: https://aka.ms/GetSecureBoot

Your action plan

  1. Assess your exposure
    Navigate to the tool to understand how many devices in your environment require updates.
  2. Engage the right teams
    Secure Boot certificate deployment is typically owned by infrastructure and platform teams, so coordinate across your organization.
  3. Prioritize high-value assets
    Focus remediation efforts on critical devices and sensitive environments first.
  4. Track progress over time
    Monitor rollout progress and ensure coverage improves ahead of the June 2026 deadline.

Updated Apr 27, 2026
Version 1.0