Microsoft's original Secure Boot certificates from 2011 begin expiring in June 2026. Windows devices that still rely on these certificates will no longer receive security updates for boot components, leaving them out of compliance. To address this, Microsoft is rolling out new 2023 certificates for the UEFI Secure Boot Signature Database (DB). Administrators can deploy these certificates to domain-joined machines using Group Policy, PowerShell, or the Windows Configuration System (WinCS). This article covers the technical background, the registry-based deployment mechanism, and Microsoft's sample automation framework for enterprise rollouts.

Source

Microsoft Secure Boot certificates issued by the 2011 Certificate Authorities (CAs) are expiring starting June 2026. Every Windows device with Secure Boot enabled must be updated to trust the 2023 certificates before expiration to retain security update support. Microsoft provides a monitoring-only approach using Intune Remediations that runs a PowerShell detection script on enrolled devices and reports Secure Boot and certificate status back to the Intune admin center — without making any changes to devices. This article explains the prerequisites, deployment steps, data collected, and how to read the results.

Source

Microsoft's original Secure Boot certificates — issued in 2011 — begin expiring in June 2026. Unlike Windows 11, Windows Server does not receive these updates automatically via Windows Update. Administrators must manually deploy the 2023 replacement certificates to all applicable servers and Generation 2 virtual machines before the deadline. Systems that remain on the 2011 certificates after expiration enter a degraded security posture and cannot receive future Secure Boot updates.

Source

Microsoft Cloud PKI for Intune automates certificate management for enrolled devices, but you must manually handle the expiration of the certification authority (CA). When your Cloud PKI issuing CA approaches its expiration date, you need to create a new CA and update your SCEP certificate profiles to maintain uninterrupted service. This guide explains the expiration process, potential impacts, and the steps required to transition to a new issuing CA.

Source

Microsoft has initiated a critical security hardening phase for Windows Active Directory domain controllers to address CVE-2026-20833, a Kerberos vulnerability that enables Kerberoasting attacks by allowing attackers to exploit weak RC4 encryption. The January 2026 security updates mark the beginning of a phased transition that will disable RC4 encryption by default and enforce AES-SHA1 as the standard encryption method for Kerberos authentication.

Source

Microsoft has started automatically updating Secure Boot certificates on eligible Windows 11 systems with the January 2026 security update. The update replaces certificates that are set to expire in June and October 2026, ensuring devices maintain boot security and continue receiving critical updates. Learn what admins need to know.

Source

Microsoft 365 users face a critical bug in Classic Outlook that prevents recipients from opening encrypted emails. In Classic Outlook, trying to open an encrypted email shows a specific error message in the Reading Pane: "This message with restricted permission cannot be viewed in the reading pane until you verify your credentials. Open the item to read its contents and verify your credentials." This issue stems from a client-side regression in how Classic Outlook handles encryption settings, and Microsoft is currently investigating the problem.

Source

Microsoft introduced hardware-accelerated BitLocker to address the performance overhead of disk encryption on modern high-speed NVMe drives. This feature offloads cryptographic operations from the main CPU to dedicated crypto engines in the system-on-chip (SoC), improving performance and enhancing security.

Source