Event details

It's time for our third Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot playb...
Pearl-Angeles
Updated Mar 11, 2026
AMA
BrianSmith42's avatar
BrianSmith42
Copper Contributor
Mar 12, 2026

Follow up on earlier SCCM boot.wim questions:

Can we continue using the boot.wim with 2011 cert past June 2026?

Will that work successfully with devices that only have 2011 cert?

Will devices that have 2023 cert already require a boot.wim that has 2023 cert once June 2026 has passed?

(We have thousands of devices in storage, and need to know sooner, rather than later, if they need to get updated pre-June 2026)

Jason_Sandys's avatar
Jason_Sandys
Icon for Microsoft rankMicrosoft
Mar 12, 2026

Nothing changes instantly in June or when the certs expire. The boot critical components signed by these certs are still trusted and valid and devices will continue to boot fine as the certs themselves are still "trusted".

Answers

  1. Yes, the old certs are still trusted as noted.
  2. Yes, same reason.
  3. No, device will trust both old and new certs.

 

Note that a better path though is to begin your Intune and Autopilot journey.