Key Highlights:
- Microsoft starts rolling out new Secure Boot certificates via Windows Update.
- Original 2011 certificates expire in late June 2026.
- Devices without updates may enter a degraded security state.
- Most Windows 11 PCs will update automatically.
Microsoft has begun updating Secure Boot certificates across Windows devices ahead of a major expiration deadline in June 2026. The move ensures PCs continue receiving boot-level protections. Without the update, systems may lose future security safeguards.
Secure Boot has protected Windows devices since 2011. Now, its original trust certificates are nearing end of life.
What Is Secure Boot and Why Does It Matter?
Secure Boot is a firmware-level security feature. It runs before Windows loads. It allows only trusted, digitally signed software to start during boot.
This early verification blocks rootkits and boot-level malware. Because attacks at this stage are hard to detect later, Secure Boot acts as the first line of defense.
Trust is enforced using certificates stored in device firmware. However, the original 2011 certificates begin expiring in late June 2026.
What Happens When Secure Boot Certificates Expire?
If a device does not receive the new certificates, it will still run normally. Existing software will continue to work.
However, the system enters a degraded security state. It cannot install future boot-level mitigations. Over time, that increases exposure to new vulnerabilities.
Additionally, compatibility problems may appear. Newer operating systems, firmware, or hardware that rely on updated Secure Boot protections may fail to load.
Devices running unsupported Windows versions, including Windows 10 systems not enrolled in Extended Security Updates, will not receive the new certificates.
How Is Microsoft Rolling Out the Secure Boot Update?
Microsoft is delivering the new Secure Boot certificates through regular monthly Windows updates. Most home users, businesses, and schools using Microsoft-managed updates require no action.
However, some systems may need firmware updates from OEMs before applying the new certificates.
Major manufacturers including Dell, HP, and Lenovo collaborated closely during testing and rollout. Many devices shipped since 2024 already include updated certificates. Almost all 2025 devices require no action.
Organizations can manage deployment using their existing IT tools. Microsoft also plans to show certificate update status inside the Windows Security app in the coming months.
What Should Users Do Now?
First, ensure devices run the latest monthly Windows updates.
Second, check your OEM support page for the latest firmware version.
If issues arise, Microsoft and device manufacturers have prepared support teams.
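To confirm on a single machine that both steps took effect, the Secure Boot variables can be inspected from an elevated PowerShell session. The script below is an added example, not code from Microsoft or from the original article. It assumes the certificate names Microsoft publishes for the 2023 refresh, which the article does not list, and the function name Test-SecureBootCertRefresh is hypothetical.

```powershell
# Added example: report whether the 2023 Secure Boot certificates are present.
# Requires an elevated session on a UEFI system (cmdlets from the SecureBoot module).
function Test-SecureBootCertRefresh {
    # Assumption: common names of the 2023 certificates as published by Microsoft.
    # The two third-party db entries can be absent on devices whose firmware
    # was never configured to trust third-party boot code.
    $expected = @(
        @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' },
        @{ Variable = 'db';  Name = 'Windows UEFI CA 2023' },
        @{ Variable = 'db';  Name = 'Microsoft UEFI CA 2023' },
        @{ Variable = 'db';  Name = 'Microsoft Option ROM UEFI CA 2023' }
    )

    try {
        # Returns $true/$false; throws on legacy BIOS or without elevation.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
        return
    }

    $cache = @{}   # one firmware read per variable
    foreach ($item in $expected) {
        $var = $item.Variable
        if (-not $cache.ContainsKey($var)) {
            try {
                $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
                # Certificate subject names are stored as ASCII inside the DER data,
                # so a text search over the raw variable is enough for a presence check.
                $cache[$var] = [System.Text.Encoding]::ASCII.GetString($bytes)
            } catch {
                $cache[$var] = ''   # unreadable variable is reported as "not present"
            }
        }
        [pscustomobject]@{
            SecureBootEnabled = $enabled
            Variable          = $var
            Certificate       = $item.Name
            Present           = $cache[$var].Contains($item.Name)
        }
    }
}

Test-SecureBootCertRefresh | Format-Table -AutoSize
```

A row with Present = False for the KEK or Windows UEFI CA 2023 entry after the latest monthly update is installed points to the case described above, where an OEM firmware update is needed first.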
A Generational Security Reset
This Secure Boot certificate refresh marks a large-scale trust reset across the Windows ecosystem. It affects firmware, operating systems, and millions of device configurations.
Security at the boot level is not static. Certificates must evolve with modern cryptographic standards.
By renewing Secure Boot foundations now, Microsoft aims to maintain long-term device trust beyond 2026.