Event details
Join us in May for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they start expiring in June of 2026. If you've already bookmarked Sec...
Heather_Poulsen
Updated May 18, 2026
Hasan_TG
May 18, 2026Copper Contributor
For environments where Secure Boot is currently disabled (Azure VMs, VMware, Nutanix, etc.), is the following approach considered valid and supported by Microsoft?
- Keep Secure Boot disabled today
- Install all required 2023 Secure Boot certificate and bootloader updates through normal OS patching before June 2026
- After June 2026, enable Secure Boot during a controlled maintenance window
- Reboot the VM so it boots using the updated 2023 certificate chain
In other words:
- Can organizations safely prepare the new Secure Boot trust chain in advance without enabling Secure Boot immediately?
- Is there any risk that systems with Secure Boot disabled today would fail to boot after June 2026 if the new certificates are already installed?
- Does Microsoft recommend this phased approach for enterprise server workloads where enabling Secure Boot immediately may introduce operational risk?
We would appreciate guidance specifically for Azure IaaS server workloads and enterprise Linux/Windows Server environments.