Endpoint Services, MECM, Windows Secure Boot Certificate Rotation

Overview

This article describes the upcoming expiration of the original Windows Secure Boot certificates, the rotation to the 2023 certificate chain, and how to audit and remediate MECM-managed endpoints for that rotation.

Systems

Microsoft Endpoint Configuration Manager (MECM)

Intended Audience

University of Illinois IT Pros leveraging MECM, hosted by Technology Services' Endpoint Services team

What is happening?

About 15 years ago, Secure Boot was made available on Windows operating systems to establish a chain of trust from the hardware up through the operating system, using cryptographic signatures along the way to verify the integrity of boot code. As part of this chain of trust, the UEFI firmware of the system had to be seeded with Microsoft's trusted certificates (held in the firmware's Key Exchange Key (KEK) and signature database (db) variables), under which the certificates used to sign bootloaders and kernels could be established.

On June 26, 2026, the original (2011) Microsoft Secure Boot certificate authority (CA) chain will begin expiring. To maintain the ability to receive and trust future Secure Boot-related updates, systems must transition to the newer 2023 Secure Boot certificate chain. Systems that do not transition before the certificates expire will continue to boot and operate normally; however, they will be unable to accept future security updates for Windows boot components, because those components will be signed with the new certificate chain that the firmware does not yet trust.

Microsoft has also identified a second Secure Boot certificate expiration event occurring in October 2026. The same remediation process described in this communication addresses both events.

To help campus IT units prepare, Endpoint Services has created a MECM configuration baseline that can audit and optionally remediate systems to proactively facilitate certificate rotation.

For additional details, see Microsoft's documentation on the Secure Boot certificate expiration and CA update.

What do I need to do?

  1. Within the MECM console, deploy the "Secure Boot - UEFICA2023Bundle" baseline to a collection created specifically for rolling out the rotation to the new certificates. You can add collections of endpoints gradually as you test and verify that each hardware make and model boots correctly with the new certificates.
    • You can leave remediation disabled if you want to gather telemetry first, or enable remediation to make the configuration changes that allow Windows to update the certificate stores on each system.
    • While newer firmware from manufacturers may already include the new certificates, Microsoft Update can add the new certificate to the firmware's active signature database (db) and transition Windows to the new certificate before the old one expires. Microsoft gates this rollout on the diagnostic data it collects from devices, so results can vary by make and model.
  2. Audit endpoint readiness and transition progress using the "Secure Boot Cert Readiness by Collection" report, which shows the state of each endpoint. The report shades cells green where compliance is achieved, or yellow where systems are non-compliant and further effort may be necessary to achieve readiness.
    • The most important columns are:
      • "Secure Boot State" - indicates whether the endpoint is configured to use Secure Boot.
      • "2023 CA Cert Installed or In-Progress" - indicates whether Windows is configured to allow Microsoft Update to install the new certificates in UEFI.
      • "Bootloader using 2023 CA" - indicates whether the Windows boot manager is signed under the new certificate chain.
    • The other columns may or may not be relevant depending on whether the manufacturer's firmware already includes the new certificate chain.
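The following PowerShell script is an added example, not the Endpoint Services baseline's own discovery or remediation script, and not Microsoft's. It reproduces the three key report columns on a single endpoint so you can spot-check a machine that is not progressing, and includes an opt-in function equivalent to what remediation enables. It assumes (verify against Microsoft's current Secure Boot certificate guidance) that Windows records rotation progress in the UEFICA2023Status value under HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot\Servicing, that the per-device opt-in is the AvailableUpdates DWORD under HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot with 0x5944 requesting all pending updates, and that the 2023 chain appears in the UEFI db as "Windows UEFI CA 2023". Run it from an elevated session on a UEFI system.

```powershell
# Added example: stand-alone Secure Boot certificate-rotation readiness check.
# Not the Endpoint Services baseline's script. Requires an elevated session.
#
# Assumed registry layout (confirm against Microsoft's current documentation):
#   HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot\AvailableUpdates  (DWORD)
#       0x5944 = request all pending KEK/db/boot manager updates
#   HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot\Servicing\UEFICA2023Status
#       expected values include NotStarted, InProgress, Updated

$script:SecureBootKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$script:OptInAllUpdates = 0x5944   # assumed value, see header comment

function Get-SecureBootRotationReadiness {
    [CmdletBinding()]
    param()

    # Column "Secure Boot State". Confirm-SecureBootUEFI throws on legacy BIOS/CSM
    # boots, so an exception means Secure Boot is unavailable, not merely disabled.
    try   { $secureBootOn = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBootOn = $false }

    # Is the 2023 CA already in the firmware's authorized signature database (db)?
    # The db variable is a raw EFI_SIGNATURE_LIST blob containing DER certificates;
    # the issuer CN is stored as ASCII inside the DER, so a substring match suffices.
    $dbHas2023 = $false
    if ($secureBootOn) {
        $dbBytes   = (Get-SecureBootUEFI -Name db).Bytes
        $dbHas2023 = [System.Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023'
    }

    # Column "2023 CA Cert Installed or In-Progress": the CA is already in db, or
    # Windows has been opted in / reports that the servicing task is running.
    $available = (Get-ItemProperty -Path $script:SecureBootKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $status    = (Get-ItemProperty -Path "$script:SecureBootKey\Servicing" -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status
    $caInstalledOrInProgress = $dbHas2023 -or ($available -gt 0) -or ($status -in 'InProgress', 'Updated')

    # Column "Bootloader using 2023 CA": inspect the boot manager actually present
    # on the EFI System Partition (not a staged copy elsewhere on disk) by mounting
    # the ESP on a free drive letter and reading its Authenticode signer.
    # A 2011-chain boot manager reports Issuer "CN=Microsoft Windows Production PCA 2011";
    # a rotated one reports "CN=Windows UEFI CA 2023".
    $bootloader2023 = $false
    $letter = [char[]](68..90) | ForEach-Object { "$($_):" } | Where-Object { -not (Test-Path $_) } | Select-Object -First 1
    if ($letter) {
        try {
            mountvol $letter /S | Out-Null
            $sig = Get-AuthenticodeSignature -FilePath "$letter\EFI\Microsoft\Boot\bootmgfw.efi" -ErrorAction Stop
            $bootloader2023 = ($sig.Status -eq 'Valid') -and
                              ($sig.SignerCertificate.Issuer -match 'Windows UEFI CA 2023')
        }
        catch   { Write-Warning "Could not inspect the ESP boot manager: $_" }
        finally { mountvol $letter /D | Out-Null }
    }

    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        SecureBootState             = $secureBootOn
        Db2023CaPresent             = $dbHas2023
        Ca2023InstalledOrInProgress = $caInstalledOrInProgress
        ServicingStatus             = $status
        BootloaderUsing2023Ca       = $bootloader2023
        # Approximates the report's green cell: every key column satisfied.
        Compliant                   = $secureBootOn -and $dbHas2023 -and $bootloader2023
    }
}

# Opt the device in so Windows can stage the certificate and boot manager updates;
# the built-in Secure-Boot-Update scheduled task then applies them over the
# following reboots. This is the equivalent of enabling remediation.
function Enable-SecureBootRotationOptIn {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $hex = '0x{0:X}' -f $script:OptInAllUpdates
    if ($PSCmdlet.ShouldProcess($script:SecureBootKey, "Set AvailableUpdates=$hex")) {
        Set-ItemProperty -Path $script:SecureBootKey -Name AvailableUpdates -Value $script:OptInAllUpdates -Type DWord
    }
}

Get-SecureBootRotationReadiness | Format-List
```

Use the readiness object first; only call Enable-SecureBootRotationOptIn (it honours -WhatIf) on hardware you have already verified with the baseline's telemetry-only mode, since the firmware, not Windows, ultimately accepts or rejects the new KEK and db entries.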

Need Assistance?

If you have questions about this transition or need assistance evaluating readiness within your environment, please contact Endpoint Services at https://go.illinois.edu/MECMHelp.

Additionally, if remediation is enabled but systems are not progressing toward compliance, Endpoint Services can help identify blockers (for example, firmware that rejects the new KEK or db entries) and potential remediation steps. We expect most mainstream hardware platforms to transition successfully with minimal intervention.

Keywords:
Secure Boot Certificate MECM EPS TechS-EPS-SCCM 
Doc ID:
161602
Owned by:
EPS Distribution List G. in University of Illinois Technology Services
Created:
2026-05-27
Updated:
2026-05-28
Sites:
University of Illinois Technology Services