Microsoft is retiring older Secure Boot certificates in June 2026. This guide walks IT teams through the audit, patch, and enforcement steps needed to keep Windows endpoints compliant before the cutover.
Microsoft is retiring older Secure Boot certificates as part of its ongoing platform security hardening initiative. Starting June 2026, Windows devices that rely on outdated Secure Boot certificates may experience:
This is not a minor patch cycle update. It affects the firmware-level trust chain on every managed Windows device in your environment. If you are already tracking the June 2026 Patch Tuesday updates, this deadline should be on your radar as a parallel action item.
For a broader understanding of how Microsoft structures its security certificate lifecycle, refer to the Microsoft Security Response Center (MSRC) advisory portal where certificate deprecation notices are published.
This transition impacts IT teams managing:
If your organisation manages more than a handful of endpoints, a proactive audit is essential before the June deadline. Teams using a unified endpoint management platform with real-time device visibility will have a significant advantage during this transition.
Before making any changes, build a clear picture of where your estate stands today.
A hardware inventory tool that provides real-time device attribute visibility is essential at this stage. Manual spreadsheets will not give you the speed or accuracy needed before a hard deadline.
You can cross-reference certificate status against your software inventory to understand which devices are running firmware versions that support the updated Secure Boot chain.
Use your compliance and reporting dashboard to generate a baseline report now, before the transition window opens. This gives you a benchmark to measure against post-update.
Deployment images built before 2024 are at risk of containing outdated certificate references.
If your images fail validation:
If your team uses software deployment automation, rebuild image distribution can be handled at scale once the updated base image is validated.
The June 2026 Patch Tuesday release is expected to include the required certificate updates. Your patch process needs to be ready to handle this without delays.
Microsoft publishes detailed breakdowns of each Patch Tuesday release. You can follow the Zecurit Patch Tuesday coverage for a summarised view of each monthly release and its security implications.
Patch management platforms that provide real-time patch status per device will significantly reduce the manual effort required to track compliance across a large fleet. For devices that are offline or sleeping during the deployment window, Wake-on-LAN can be used to bring them online before the patch cycle runs.
Once devices are updated, Secure Boot policy enforcement should be validated across your environment.
Environments that rely on endpoint monitoring and alerts will be able to detect policy drift immediately if a device reverts to a non-compliant state after the update.
After June updates are deployed, run a full compliance report to confirm:
For distributed or remote endpoints that require hands-on remediation, unattended remote access allows your team to connect and resolve issues without requiring physical access or end-user involvement.
| Risk | Mitigation |
|---|---|
| Older devices cannot update firmware | Identify and flag these devices early; plan for replacement or isolation |
| Deployment images fail post-June | Rebuild and test images in a staging environment before June |
| Remote or unmanaged endpoints missed | Ensure full device inventory before the transition window using asset discovery |
| Patch deployment delayed past the deadline | Define a hard deployment SLA for June Patch Tuesday in your change management process |
| Compliance reports show false positives | Validate your reporting tool reflects real‑time certificate status, not cached data |
| Devices offline during patch window | Use Wake‑on‑LAN to bring sleeping endpoints online before deployment runs |
| Date | Action |
|---|---|
| Now | Complete device inventory and certificate audit |
| May 2026 | Validate deployment images and recovery media |
| June 2026 Patch Tuesday | Deploy certificate updates across managed endpoints |
| Within 2 weeks post‑Patch Tuesday | Run full compliance report and remediate failures |
As you work through this checklist, it is worth validating whether your current platform can support each step:
If any of these are gaps in your current setup, it is worth reviewing your endpoint management and IT asset management capabilities before the June window arrives.
For additional reading on endpoint security best practices, the Center for Internet Security (CIS) publishes Windows benchmark guides that cover Secure Boot configuration alongside other hardening controls.
Zecurit Endpoint Manager helps IT teams audit device compliance, deploy the required patches, and enforce Secure Boot policies across every managed Windows endpoint, before the deadline hits.