This post shows how to prepare for the first global, large-scale certificate update to Secure Boot. The Microsoft certificates used by Secure Boot are the root of trust for operating system boot security, and they start expiring in June 2026. The simplest way to receive the new certificates on supported Windows systems in time is to let Microsoft manage your Windows updates, which include the Secure Boot updates. Close collaboration with the original equipment manufacturers (OEMs) that provide Secure Boot firmware updates is also essential.
Reference websites (please read these first):
HP Commercial PCs - Prepare for new Windows Secure Boot certificates
Act now: Secure Boot certificates expire in June 2026
Remediation Steps:
1. Enterprise IT-managed systems that send diagnostic data (GPO applied).
No action is required if Windows systems at your organization receive Windows updates from Microsoft and send diagnostic data back to Microsoft. This includes devices that receive updates through Windows Autopatch, Microsoft Configuration Manager, or third-party solutions.
2. Manually apply the DB update (install the new certificate): student computers and HP desktops.
Push the latest Windows Update to the target computers. If Windows Update has already installed the certificate, skip the following steps.
2.1 Target models:
STEEM DESIGN - HP ProBook 440 14 inch G11 Notebook PC
ART - HP ZBook Firefly 14 inch G11 Mobile Workstation PC
STEEM Desktop - LENOVO ThinkStation P340
HP Desktops - HP Pro SFF 400 G9 Desktop PC
2.2 Push the following PowerShell (elevated). Setting AvailableUpdates to 0x40 asks the Secure-Boot-Update task to add the Windows UEFI CA 2023 certificate to the Secure Boot DB:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x40
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
2.3 Reboot the machine twice.
2.4 Confirm the DB update has been applied:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match "Windows UEFI CA 2023"
If this returns False, the DB update has not been applied yet; reboot again before continuing. Do not move on to the boot manager update until it returns True, because a boot manager signed under the 2023 CA will not boot on a machine whose DB does not yet trust that CA.
2.5 Push the following to update the boot manager on the device (the first line is a reg.exe command, the second is PowerShell). Setting AvailableUpdates to 0x100 asks the task to install the boot manager signed by Windows UEFI CA 2023:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
2.6 Wait 10 minutes for the task to run.
2.7 If the certificate still isn't updated, update the BIOS firmware. To check, follow the steps below.
How to confirm that the certificate was updated successfully. Use either method 1 or method 2.
1. Open Event Viewer > Windows Logs > System and filter for event ID 1799.

2. Open CMD as Administrator.
Mount the EFI system partition: mountvol s: /S
Copy the boot manager to the C: drive: copy S:\EFI\Microsoft\Boot\bootmgfw.efi c:\bootmgfw_2023.efi

Right-click the copied .efi file and select Properties > Digital Signatures > select Microsoft Windows > Details > View Certificate.

Once you see the boot manager signed under Windows UEFI CA 2023, the update has completed successfully.
Clean-up commands:
- del c:\bootmgfw_2023.efi
- mountvol s: /D
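The manual steps 2.2 to 2.7 and the verification above, combined into one script that can be re-run at each stage. This is an added example and not code from the original post or from Microsoft: the registry value, task name, flag values (0x40 for the DB, 0x100 for the boot manager), the DB check and event ID 1799 are the ones the post uses; S: as the ESP drive letter, the function names and the temp-file location are my assumptions. It reads the machine's current state and queues only the next flag that state needs, so the boot manager is never switched before the DB trusts the 2023 CA.

```powershell
# Added example, not part of the original post: walk a machine through steps
# 2.2-2.7 and the verification from its actual state. Run in an elevated
# PowerShell; the reboots between stages still have to happen.
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$taskName = '\Microsoft\Windows\PI\Secure-Boot-Update'
$caName   = 'Windows UEFI CA 2023'
$efiDrive = 'S:'    # assumption: free drive letter for the EFI system partition
$FlagDb   = 0x40    # add the 2023 CA to the Secure Boot DB      (step 2.2)
$FlagBoot = 0x100   # install the boot manager signed under it   (step 2.5)

function Test-DbHas2023 {
    # Same check as step 2.4: the CA's name appears as ASCII inside the DB variable.
    $db = Get-SecureBootUEFI -Name db
    return ([System.Text.Encoding]::ASCII.GetString($db.Bytes) -match $caName)
}

function Get-BootManagerSigner {
    # Mount the ESP, copy bootmgfw.efi out as the manual steps do, and read its
    # Authenticode signer instead of opening the Properties dialog.
    mountvol $efiDrive /S | Out-Null
    $copy = Join-Path $env:TEMP 'bootmgfw_check.efi'   # assumption: temp location
    try {
        Copy-Item "$efiDrive\EFI\Microsoft\Boot\bootmgfw.efi" $copy -Force
        $sig = Get-AuthenticodeSignature -FilePath $copy
        [pscustomobject]@{
            Status  = $sig.Status                   # 'Valid' for an intact signature
            Subject = $sig.SignerCertificate.Subject
            Issuer  = $sig.SignerCertificate.Issuer
        }
    } finally {
        Remove-Item $copy -ErrorAction SilentlyContinue
        mountvol $efiDrive /D | Out-Null
    }
}

function Test-BootManagerIs2023 {
    $s = Get-BootManagerSigner
    # The new boot manager's signer chain names the 2023 CA; the old one chains
    # to Microsoft Windows Production PCA 2011 and does not match.
    return ($s.Status -eq 'Valid' -and ("$($s.Subject) $($s.Issuer)" -match $caName))
}

function Get-PendingFlags {
    # The task clears bits from AvailableUpdates as it finishes them; 0 = idle.
    $v = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).AvailableUpdates
    if ($null -eq $v) { 0 } else { [int]$v }
}

function Request-Update([int]$Flag) {
    Set-ItemProperty -Path $regPath -Name AvailableUpdates -Value $Flag -Type DWord
    Start-ScheduledTask -TaskName $taskName
}

if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is off; enable it in firmware first.' }

$pending = Get-PendingFlags
if ($pending -ne 0) {
    Write-Host ("AvailableUpdates is still 0x{0:X}: reboot and re-run." -f $pending)
} elseif (-not (Test-DbHas2023)) {
    Write-Host 'DB lacks the 2023 CA: queueing 0x40 (step 2.2). Reboot twice, then re-run.'
    Write-Host 'If the DB check keeps failing after the reboots, update the BIOS firmware (step 2.7).'
    Request-Update $FlagDb
} elseif (-not (Test-BootManagerIs2023)) {
    Write-Host 'DB ready, boot manager still PCA 2011: queueing 0x100 (step 2.5). Wait, reboot, re-run.'
    Request-Update $FlagBoot
} else {
    Write-Host "Done: the DB trusts '$caName' and bootmgfw.efi is signed under it."
    # Verification method 1: the event the post looks for, if it has been logged.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1799 } -MaxEvents 3 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-List
}
```

Run it, reboot as instructed, and run it again until it reports Done. Because each run only queues the flag the current state calls for, a machine that lost a reboot or whose firmware ignored the DB update stays on the PCA 2011 boot manager rather than being left unbootable; that is the case step 2.7 (firmware update) is for.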
If you have any questions, feel free to let me know.