Mitigating Secure Boot Risks in 2026: A Comprehensive Guide

In June 2026 Secure boot certs start to going to expire for physical en virtual machines Servers en Clients. PS not only Windows but also Linux!!

PS. Make sure Client en Servers all installed with latest updates!!

Made a little Risk Assessment:

The expiration and replacement of Microsoft Secure Boot certificates pose a high risk to IT environments. If not properly managed, systems may fail to boot, updates may fail, and security risks may increase. This is particularly critical in automated and virtualized environments.

Key risks:

• Systems failing to boot after updates

• Incompatibility during OS or hypervisor upgrades

• Increased security risks due to outdated certificates

Recommended actions:

1.Update firmware and Secure Boot certificates

2.Test all workloads in a lab environment

3.Update golden images and automation pipelines

A phased rollout and proper validation are essential to prevent disruptions.

1. Scope

This document describes the risks, impact, and mitigations related to the expiration of Microsoft Secure Boot certificates in enterprise environments.

2. Affected Components

• Systems with UEFI firmware (Servers, Desktops, Virtual Machines)

• Microsoft UEFI CA certificates

• Operating Systems (Servers, Clients) (Windows, Linux)

• Automation tools like (Packer, MDT, SCCM)

3. Risk Analysis

Key risks:

• Incompatibility during upgrades

• Security vulnerabilities caused by outdated trust stores

• Errors in automation pipelines

• Firmware incompatibility

4. Risk Matrix

• Upgrade Issues: High

• Security Exposure: High

• Automation Failures: Medium

• Firmware Issues: High

5. Mitigations

• Update firmware on all systems

• Apply Microsoft Secure Boot updates

• Verify Event ID 1808

• Rebuild images with updated certificates

• Perform a phased rollout

6. Validation & Testing

• Test OS boot scenarios

• Validate Secure Boot status

• Verify automation pipelines

7. Conclusion

Changes to Secure Boot certificates must be treated as critical infrastructure updates. Proper preparation, testing, and phased implementation are essential to avoid disruptions.

.Microsoft has released patch’s for the following OS.

Windows 11 (23H2/24H2/25H2)
Windows Server 2016/2019/2022/2025.

VMware is creating a “Fix or Update” for this

* I did not test versions with extended support like Windows 2012 R2 and Windows 10.

Simplified Fix Secure Boot Script for Easy VM Updates

Get your list with:
Get-VM | Where-Object { $_.ExtensionData.Config.Firmware -eq “efi” -and

$_.ExtensionData.Config.BootOptions.EfiSecureBootEnabled } | Select-Object Name,

@{N=”OS”;E={$_.ExtensionData.Guest.GuestFullName}}, PowerState

There is a updated coming from VMware by Broadcom: Check this article: @{N=”OS”;E={$_.ExtensionData.Guest.GuestFullName}}, PowerState

https://knowledge.broadcom.com/external/article/423893

Extra Info

Microsoft Info:

I hope that most People have Read: Windows Secure Boot certificate expiration and CA updates

and Secure Boot playbook for certificates expiring in 2026

Redhat:
Secure Boot Certificate Changes in 2026: Guidance for RHEL Environments

Broadcom:
Secure Boot Certificate Expirations and Update Failures in VMware Virtual Machines

Manual Update of the Secure Boot Platform Key in Virtual Machines