Windows Secure Boot Certificates Are Expiring — What You Need to Know
After 15 years of continuous service, the cryptographic certificates underpinning Windows’ boot-time security begin expiring in June 2026. Here is what is happening, why it matters, and what action — if any — you need to take.
Microsoft has been rolling out new Secure Boot certificates since early 2026, replacing cryptographic credentials first issued in 2011. The old certificates begin expiring in late June 2026. From that point, any Windows device that has not received the updated credentials stops receiving new boot-level security protections, and the gap widens with every boot-level fix it misses.
What Is Secure Boot?
Secure Boot is a security standard built into the UEFI (Unified Extensible Firmware Interface) firmware of modern PCs. When a device powers on, before the operating system even loads, the firmware checks the digital signature of each boot component (the boot manager, the OS loader, option ROMs) against its allowed-signature database (db) of trusted certificates and hashes, and rejects anything listed in its forbidden database (dbx). If a component fails verification, it is blocked from running.
This matters because the very earliest stage of system startup is a prime target for sophisticated malware, such as bootkits and rootkits. By enforcing trust at the firmware level, Secure Boot prevents malicious software from embedding itself below the reach of conventional antivirus tools — a technique exploited by threats like BlackLotus, a UEFI bootkit discovered in 2022 that can survive operating system reinstalls.
The entire system of trust rests on a small set of Certificate Authorities (CAs) whose signing keys are held by Microsoft, device manufacturers (OEMs), and their partners. Like any digital certificate, these have defined lifespans. The 2011-era certificates, which have served as the foundation of Windows Secure Boot for over a decade and a half, are now approaching the end of that planned lifecycle.
The Timeline of the Update
- Microsoft quietly made the new Microsoft Windows UEFI CA 2023 certificate available as an optional update for Secure Boot-enabled devices.
- January cumulative updates began automatically pushing the new certificate to the first wave of “high confidence” consumer and enterprise devices.
- Microsoft expanded the update to a larger device set and published detailed guidance explaining the consequences of certificate expiration. Media coverage began.
- Windows Security now displays real-time Secure Boot certificate status under Device Security → Secure Boot, giving users a visible indicator of their update state.
- Yellow caution badges and out-of-app system notifications begin appearing on devices that still require the update, particularly those blocked by firmware limitations.
- The 2011-era certificate authorities start to expire. Devices without the 2023 certificates lose the ability to receive new boot-level security protections.
- Devices that have not received the new certificates will be unable to receive security fixes for Windows Boot Manager going forward.
What Happens If Your Device Is Not Updated?
This is where nuance matters. The consequences are serious, but they do not amount to immediate, catastrophic failure:
Your computer will still start up and run. Existing software will continue to function. Standard Windows updates — for applications, drivers, and most security patches — will still install as usual.
Devices without the updated certificates will no longer receive security protections for the early boot process, including updates to Windows Boot Manager, Secure Boot signature databases, revocation lists, and mitigations for newly discovered boot-level vulnerabilities.
In plain terms: if a new bootkit vulnerability emerges after June 2026, devices still relying on the 2011 certificates will have no way to receive the signed Boot Manager update or the revocation (dbx) entry that mitigates it. They will remain exposed to that class of attack for as long as they stay on the old trust anchors.
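To make the preceding paragraphs concrete, here is an added example (not code from the article, and not Microsoft's tooling) that reads the firmware's db and KEK variables and lists every certificate authority the device currently trusts, together with its expiry date. It assumes an elevated PowerShell session on a UEFI machine with Secure Boot enabled; the byte layout it walks is the EFI_SIGNATURE_LIST structure from the UEFI specification, and the final check matches on the "Windows UEFI CA 2023" name used on this page.

```powershell
# Added example (not from the article): enumerate the certificate authorities and
# hashes the firmware currently trusts by parsing the Secure Boot db and KEK variables.
# Run from an elevated PowerShell session on a UEFI system with Secure Boot enabled.

# Signature-type GUIDs from the UEFI specification.
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-SecureBootSignatureEntries {
    # A Secure Boot variable is a sequence of EFI_SIGNATURE_LIST structures:
    #   EFI_GUID SignatureType (16) | UINT32 SignatureListSize | UINT32 SignatureHeaderSize
    #   UINT32 SignatureSize       | SignatureHeader[]       | EFI_SIGNATURE_DATA Signatures[]
    # and each EFI_SIGNATURE_DATA is EFI_GUID SignatureOwner (16) followed by SignatureData.
    param([Parameter(Mandatory)][ValidateSet('db', 'dbx', 'KEK', 'PK')][string]$Name)

    $bytes  = [byte[]](Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        $sigType    = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16 -or $offset + $listSize -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST in $Name at offset $offset"
        }

        $entry = $offset + 28 + $headerSize
        $end   = $offset + $listSize
        while ($entry + $sigSize -le $end) {
            $owner  = [guid]::new([byte[]]$bytes[$entry..($entry + 15)])
            $data   = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
            $record = [ordered]@{ Variable = $Name; Owner = $owner; Type = 'other'; Subject = $sigType.ToString(); NotAfter = $null }

            if ($sigType -eq $EFI_CERT_X509_GUID) {
                # SignatureData is a DER-encoded X.509 certificate.
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $record.Type = 'X509'; $record.Subject = $cert.Subject; $record.NotAfter = $cert.NotAfter
            } elseif ($sigType -eq $EFI_CERT_SHA256_GUID) {
                # SignatureData is a raw SHA-256 digest of a binary (mostly seen in dbx).
                $record.Type = 'SHA256'; $record.Subject = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
            }
            [pscustomobject]$record
            $entry += $sigSize
        }
        $offset += $listSize
    }
}

function Get-SecureBootCaReport {
    # Which generation of CAs does this device trust, and how long do they have left?
    $entries = @(Get-SecureBootSignatureEntries -Name db) + @(Get-SecureBootSignatureEntries -Name KEK)
    $entries | Where-Object Type -eq 'X509' | Select-Object Variable, Subject, NotAfter,
        @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - (Get-Date)).TotalDays } } |
        Sort-Object Variable, NotAfter
}

$report = Get-SecureBootCaReport
$report | Format-Table -AutoSize

# The decisive check from the article: is the replacement Windows CA present in db?
if (-not ($report | Where-Object { $_.Variable -eq 'db' -and $_.Subject -match 'Windows UEFI CA 2023' })) {
    Write-Warning 'db does not contain the Windows UEFI CA 2023 yet; this device has not received the certificate update.'
}
```

On a device that has already been serviced, both the 2011 and 2023 subjects appear in db and KEK side by side, with the 2011 entries showing a small DaysLeft value; a device that still lists only 2011-era subjects is the one the rest of this article is about. Pass `-Name dbx` to the parser to see the revocation list, which is mostly SHA-256 digests rather than certificates.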
“Devices that haven’t received the newer 2023 certificates will continue to start and operate normally… However, these devices will no longer be able to receive new security protections for the early boot process.” — Microsoft Support Documentation, 2026
Who Is Affected?
The update applies broadly across the Windows ecosystem. The following systems are in scope:
- Windows 11 (all supported versions)
- Windows 10 (devices enrolled in Extended Security Updates only; standard Windows 10 support ended October 14, 2025)
- Windows Server 2012 / 2012 R2 / 2016 / 2019 / 2022 / 2025
- Virtual machines (VMs) running supported Windows versions
- IoT devices and some specialized server environments (may require manual update steps)
- Linux systems dual-booting with Windows (Windows will update the shared Secure Boot certificates)
Devices running Windows 10 or older without Extended Security Update enrollment will not receive the new certificate via Windows Update. Microsoft strongly urges migration to Windows 11.
What Most Users Need to Do: Nothing
For the overwhelming majority of home users and businesses using Microsoft-managed Windows Update, the new certificate is being delivered automatically as part of the regular monthly update cycle. No special action is required beyond keeping your device up to date and connected to the internet.
Devices manufactured since 2024 are particularly well-positioned: most already ship with the 2023 certificates pre-installed by the OEM, meaning no update action is required at all.
When You May Need to Take Action
Firmware Updates from Your Device Manufacturer
Some devices require a firmware (UEFI) update from the original equipment manufacturer before the new Secure Boot certificate can be successfully applied. Microsoft advises checking with your OEM for any available firmware updates and installing these first, since firmware is the foundation on which the Secure Boot certificate update depends.
Servers, IoT Devices, and Air-Gapped Systems
Certain server configurations, IoT deployments, and systems that do not receive standard Windows updates (such as air-gapped networks) require a separate, manual update process. Enterprise administrators should consult the official Secure Boot Playbook published by Microsoft and bookmark aka.ms/GetSecureBoot as the central resource for tooling and step-by-step guidance.
Enterprise Administrators
Organizations managing large device fleets should treat June 2026 as a hard deadline, with priority given to domain controllers, high-sensitivity endpoints, and servers. Microsoft’s enterprise tooling — including Windows Update for Business and device management platforms — supports controlled, staged rollouts. A readiness survey and automated deployment guidance are available through the IT Pro Blog resources.
- Confirm all critical devices are receiving Windows Update automatically
- Check OEM websites for available UEFI firmware updates for your device models
- In Windows Security → Device Security → Secure Boot, verify the certificate status indicator (available from April 2026)
- For servers and IoT: consult the Secure Boot Playbook at aka.ms/GetSecureBoot
- Target full fleet update completion before June 2026
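For administrators working through that checklist, here is an added readiness check (not from the article and not part of Microsoft's playbook) that can be run locally or fanned out with Invoke-Command. It relies on three assumptions that should be verified against the current Secure Boot Playbook before you trust its verdicts: that the servicing state is recorded under HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing in the UEFICA2023Status and AvailableUpdates values, that the boot-servicing task logs Event IDs 1801 (update needed) and 1808 (db updated) from the Microsoft-Windows-TPM-WMI provider in the System log, and that the 2023 CA's subject name appears as plain ASCII inside the DER data in db.

```powershell
# Added example (not from the article or Microsoft's playbook): per-device readiness
# check for the Secure Boot certificate update. Run elevated.
# ASSUMPTIONS to verify against the Playbook: the registry values UEFICA2023Status and
# AvailableUpdates under ...\SecureBoot\Servicing, and Event IDs 1801/1808 from
# Microsoft-Windows-TPM-WMI, are the servicing signals used at the time of writing.

function Test-SecureBootCertReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        Computer        = $env:COMPUTERNAME
        SecureBootOn    = $null
        Has2023CA       = $null
        ServicingStatus = $null
        PendingUpdates  = $null
        LastEvent       = $null
        Verdict         = 'Unknown'
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as out of scope.
    try { $result.SecureBootOn = Confirm-SecureBootUEFI }
    catch { $result.SecureBootOn = $false; $result.Verdict = 'NotUEFI-or-Disabled'; return [pscustomobject]$result }

    # The certificate subject is a PrintableString inside the DER, so an ASCII scan of
    # the raw db variable is enough to detect the 2023 CA without parsing the structure.
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $result.Has2023CA = [bool]($db -match 'Windows UEFI CA 2023')

    # Servicing state (assumed layout, see header comment).
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
    $result.ServicingStatus = $svc.UEFICA2023Status
    $pending = ($svc.AvailableUpdates -as [int]) -gt 0
    if ($null -ne $svc.AvailableUpdates) { $result.PendingUpdates = '0x{0:X}' -f [int]$svc.AvailableUpdates }

    # Most recent servicing event (assumed IDs, see header comment).
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801, 1808 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($evt) { $result.LastEvent = '{0} @ {1:u}' -f $evt.Id, $evt.TimeCreated }

    $result.Verdict = if ($result.Has2023CA) { 'Ready' }
                      elseif ($result.ServicingStatus -eq 'InProgress' -or $pending) { 'InProgress' }
                      else { 'NeedsUpdate' }
    [pscustomobject]$result
}

# Run locally:
Test-SecureBootCertReadiness | Format-List

# Or fan out across a fleet and keep only the stragglers (fleet source is an example):
# $fleet = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' | Select-Object -ExpandProperty Name
# Invoke-Command -ComputerName $fleet -ScriptBlock ${function:Test-SecureBootCertReadiness} |
#     Where-Object Verdict -ne 'Ready' | Export-Csv .\secureboot-stragglers.csv -NoTypeInformation
```

A NeedsUpdate verdict on a device that is fully patched usually points at the OEM firmware prerequisite described above rather than at Windows Update, so the firmware check on the OEM's site should be the next step for those machines.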
A Note on the “15-Year” Framing
Coverage of this update has prominently featured “first update in 15 years” language. This framing, while attention-grabbing, requires a small clarification: Secure Boot certificates have always carried expiration dates, and incremental updates to the certificate infrastructure have occurred over the years. What makes this event significant is its scale — this is the first wholesale, ecosystem-wide replacement of the foundational certificate authorities that every Windows device relies upon, requiring coordination across Microsoft, hundreds of OEMs, firmware vendors, and enterprise IT teams simultaneously.
The original 2011 certificates were issued when Windows 8 was being developed, before Secure Boot was publicly deployed. Their replacement after 15 years of service is a planned cryptographic lifecycle event, not a response to a specific breach or vulnerability. It is, however, one of the most complex infrastructure maintenance operations in Windows history.
Bottom Line
For most people reading this — keep Windows updated, and you are covered. The update is designed to be invisible for the vast majority of users. For IT administrators and enterprise teams, June 2026 is a real and firm deadline that deserves attention now, not in May. The consequences of missing it are not immediate system failure, but a permanent reduction in boot-level security posture that cannot be remedied after the certificates expire.
Keep Windows Update enabled and your system connected. Check for OEM firmware updates if you manage older devices. Enterprise admins: audit your fleet now and target completion before June 2026. Visit aka.ms/GetSecureBoot for Microsoft’s official tooling and playbook.
