Microsoft is refreshing Secure Boot certificates to plug security holes before they happen — if you bought a PC last year, you should be set

Source: Tom’s Hardware

Image credit: Microsoft

Secure Boot Certificate Refresh

Microsoft is issuing new Secure Boot certificates to Windows PC users because the original certificates, which have a 15‑year lifespan, are set to expire in June 2026. The new certificates are being rolled out through Windows updates for personal users, businesses, and schools, allowing Microsoft to manage the updates centrally.

Secure Boot runs at startup, before Windows loads, and uses cryptographic keys to verify that only trusted software can execute. In a blog post, Nuno Costa, partner director for Windows servicing and delivery, explains:

“Retiring old certificates and introducing new ones is a standard industry practice that helps prevent aging credentials from becoming a weak point and keeps platforms aligned with modern security expectations.”

Impact on Recent PC Purchases

If you bought a PC in 2025, you are likely already covered. Costa notes that Microsoft has been collaborating with OEM partners, who have been obtaining new certificates since 2024. Machines from OEMs released in 2024 and “almost all” systems shipped in 2025 already include the new Secure Boot certificates. Therefore, owners of the best ultrabooks or best gaming laptops should be in the clear.

Consequences of an Expired Certificate

If a certificate expires, the PC will continue to function, but its security posture will be weakened. Costa adds:

“As new boot‑level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations. Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware, or Secure Boot–dependent software may fail to load.”