Secure Boot Certificate Rotation
TridentStack Control reports each Windows endpoint's status against Microsoft's 2026 Secure Boot certificate rotation. This page explains what the rotation is, why it matters, and how to read the four states you will see.
What is changing
Microsoft's existing Secure Boot certificate authorities, the Microsoft Corporation UEFI CA 2011 and Windows Production PCA 2011, expire in mid-2026. Devices that do not receive the new Windows UEFI CA 2023 certificate will stop receiving boot-level security updates after the deadline.
Where to see status in TridentStack Control
- Dashboard. A "Secure Boot Certificate Status" tile shows how many endpoints still need the update. It auto-hides once everything is up to date.
- Agent details, System State tab. A "Firmware & Security" panel shows each endpoint's current state, with a callout when action is required.
- Agents list. Add the "Secure Boot" column from the column manager to see fleet-wide status at a glance.
What the four states mean
| State | Meaning |
|---|---|
| Updated | The endpoint has the new certificate. No action required. |
| In Progress | Microsoft's update is currently being applied. The process takes multiple reboots and typically completes within 48 hours. |
| Not Started | The endpoint has not received the new certificate yet. Microsoft applies the rotation gradually; if you would like to speed up your fleet, see Speed up rollout. |
| Not Applicable | The endpoint does not use Secure Boot (BIOS firmware, or Secure Boot disabled). No action required. |
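To cross-check a reported state on a single endpoint, the following added example (not TridentStack Control code, and not a description of how the product computes status) classifies the local machine into the four states above using built-in Windows cmdlets. It assumes an elevated PowerShell session, and it assumes that Windows records rotation progress in the `UEFICA2023Status` registry value; the function name and the state mapping are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example: map the local endpoint to the four states in the table above.
# Assumption: this mapping is illustrative and may differ from the product's logic.

function Get-SecureBootRotationState {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware and returns
    # $false when the platform is UEFI but Secure Boot is switched off.
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    }
    catch [System.PlatformNotSupportedException] {
        return 'Not Applicable'
    }
    if (-not $enabled) { return 'Not Applicable' }

    # Read-only check of the firmware signature database (db):
    # is the Windows UEFI CA 2023 certificate already enrolled?
    $db     = Get-SecureBootUEFI -Name db -ErrorAction Stop
    $dbText = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
    if ($dbText -match 'Windows UEFI CA 2023') { return 'Updated' }

    # Servicing progress as recorded by Windows (assumed location and values).
    # The value is absent on builds that do not carry the rotation logic yet.
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = (Get-ItemProperty -Path $key -Name UEFICA2023Status `
                   -ErrorAction SilentlyContinue).UEFICA2023Status
    if ($status -eq 'InProgress') { return 'In Progress' }

    return 'Not Started'
}

# Emit one record per machine so results can be collected and compared
# with the "Secure Boot" column in the Agents list.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    State        = Get-SecureBootRotationState
}
```

The script only reads firmware variables and the registry; it makes no changes to Secure Boot configuration.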
What you should do
For most customers, the answer is "wait". Microsoft is rolling this out automatically and tightly controls the rollout for safety. If you want to accelerate the rotation across your fleet, see Speed up rollout.
What TridentStack Control does not do
TridentStack Control does not write firmware or modify Secure Boot variables. The actual certificate update is performed by Windows itself, gated by Microsoft's own rollout safety checks. TridentStack Control reports status only.