Microsoft rolls out new Secure Boot certificates before June expiration

Published: February 10, 2026, 12:00 PM EST

Source: Bleeping Computer

Microsoft has begun rolling out updated Secure Boot certificates through monthly Windows updates to replace the original 2011 certificates that will expire in late June 2026.

What is Secure Boot?

Secure Boot was introduced in 2011 as part of the UEFI specification. Before the firmware hands control to a bootloader (or loads a driver or option ROM), it checks that the binary carries a valid signature chaining to a certificate in the firmware's trusted signature database (db) and that the binary is not listed in the forbidden database (dbx). Because the check runs before the operating system, Secure Boot blocks unsigned or tampered bootloaders and so denies bootkits and rootkits the persistence they would otherwise gain below the OS.

Certificate refresh timeline

  • November 2023 – A Microsoft alert warned IT admins to update the security certificates used to validate UEFI firmware before they expire.
  • January 2024 – Microsoft revealed plans to refresh the expiring certificates on eligible Windows 11 24H2 and 25H2 systems.
  • June 2026 – The original 2011 certificates reach the end of their planned lifecycle.

“After more than 15 years of continuous service, the original Secure Boot certificates are reaching the end of their planned lifecycle and begin expiring in late June 2026,” said Windows Servicing and Delivery partner director Nuno Costa.

How the new certificates are being deployed

  • The new certificates are installed automatically via regular monthly Windows updates for devices that allow Microsoft‑managed updates.
  • Many PCs manufactured since 2024—and the vast majority shipped in 2023—already include the updated certificates.
  • Some devices may require a separate firmware update from the OEM before the new certificates can be applied; users should check the OEM’s support page for the latest firmware version.

Options for IT administrators

For high‑confidence devices, those Microsoft has verified can take the update without firmware problems, the certificate refresh occurs automatically. For everything else, administrators can trigger the deployment themselves using:

  • Registry keys
  • Group Policy settings
  • Windows Configuration System (WinCS)

Whichever method is used, the goal is the same: get the new certificates into the firmware's KEK and db before June 2026 so that endpoints keep receiving Windows Boot Manager updates and Secure Boot revocations afterwards.
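Before choosing one of those deployment methods, an administrator needs to know where each device stands. The PowerShell below is an added example, not code from the article or from Microsoft. It reads the firmware's db and KEK variables with the built-in SecureBoot module and searches the decoded bytes for the certificate subject names, the same approach Microsoft's own guidance uses to check for the 2023 CAs, and it checks whether the installed Windows Boot Manager is already signed under the new CA. Three details are assumptions drawn from Microsoft's Secure Boot servicing guidance as I recall it and should be verified against current documentation: the `UEFICA2023Status` value under the `SecureBoot\Servicing` registry key, System-log event ID 1801 from the `Microsoft-Windows-TPM-WMI` provider, and the use of `S:` as a free drive letter for mounting the EFI system partition.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or from Microsoft): audit a Windows
# device for the 2023 Secure Boot certificates. Run in an elevated session.

function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{ SecureBootEnabled = $false }
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        # Confirm-SecureBootUEFI throws on legacy BIOS / CSM-only systems.
        Write-Warning "Secure Boot is not supported on this platform: $_"
        return [pscustomobject]$result
    }

    # db and KEK are raw EFI_SIGNATURE_LIST blobs containing DER certificates.
    # The subject names are stored as plain ASCII inside the DER, so a string
    # search over the decoded bytes is enough to tell which CAs are enrolled.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    $result.Db_WindowsProductionPCA2011 = $db  -match 'Microsoft Windows Production PCA 2011'
    $result.Db_WindowsUefiCA2023        = $db  -match 'Windows UEFI CA 2023'
    $result.Db_ThirdPartyUefiCA2023     = $db  -match 'Microsoft UEFI CA 2023'
    $result.Kek_2023                    = $kek -match 'Microsoft Corporation KEK 2K CA 2023'

    # Assumption: the servicing task records its progress in this registry value
    # (values such as NotStarted / InProgress / Updated). Treat it as a hint,
    # not as proof; the firmware variables above are the ground truth.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
                            -ErrorAction SilentlyContinue
    $result.UEFICA2023Status = if ($svc) { $svc.UEFICA2023Status } else { $null }

    # Assumption: Windows logs TPM-WMI event 1801 when the CA/keys still need
    # updating. Absence of the event does not mean the device is done.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System';
                                           ProviderName = 'Microsoft-Windows-TPM-WMI';
                                           Id = 1801 } `
                        -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.LastNeedsUpdateEvent = if ($evt) { $evt.TimeCreated } else { $null }

    # A device is only finished when both the new KEK (so Microsoft can keep
    # signing db/dbx updates) and the new Windows CA (so new boot managers
    # validate) are present.
    $result.NeedsAction = $result.SecureBootEnabled -and
                          -not ($result.Kek_2023 -and $result.Db_WindowsUefiCA2023)
    return [pscustomobject]$result
}

function Get-BootManagerSigner {
    # Mounts the EFI system partition read-only long enough to inspect the
    # Authenticode signature on the installed Windows Boot Manager.
    param([string]$Drive = 'S:')   # assumption: S: is a free drive letter
    & mountvol $Drive /S | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not mount the EFI system partition on $Drive" }
    try {
        $sig = Get-AuthenticodeSignature -FilePath "$Drive\EFI\Microsoft\Boot\bootmgfw.efi"
        [pscustomobject]@{
            SignatureStatus = $sig.Status
            Issuer          = $sig.SignerCertificate.Issuer
            # The 2011-era boot manager is issued by 'Microsoft Windows Production PCA 2011';
            # one built for the new chain is issued by 'Windows UEFI CA 2023'.
            SignedUnder2023CA = ($sig.SignerCertificate.Issuer -match 'Windows UEFI CA 2023')
        }
    } finally {
        & mountvol $Drive /D | Out-Null
    }
}

Get-SecureBootCertStatus | Format-List
Get-BootManagerSigner    | Format-List
```

Read the two reports together. `NeedsAction = True` with `Kek_2023 = False` on a device that has already received the monthly updates is the pattern that points at the OEM firmware prerequisite the article mentions, because the KEK can only be updated with a PK-signed package the firmware accepts. A device whose db already lists `Windows UEFI CA 2023` but whose boot manager is still issued by the 2011 PCA has the certificates in place and is simply waiting for the boot manager swap to be applied.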

Impact of missing the update

Devices that do not receive the updated certificates before the June 2026 deadline will continue to boot and run Windows: the firmware keeps enforcing Secure Boot with the 2011 certificates it already trusts, since UEFI does not reject previously signed binaries when a certificate's validity period ends. What changes is that Microsoft can no longer sign new boot components with the expired certificates, so such devices enter a degraded security state:

  • Limited boot‑level protections, because updated builds of the Windows Boot Manager signed under the new CA cannot be validated by firmware that lacks it
  • No protection against attacks that exploit newly discovered boot‑level vulnerabilities, because the mitigations for them (new boot manager releases and Secure Boot revocation updates) cannot be installed

Recommendation from Microsoft

Microsoft advises all customers to upgrade to Windows 11, which now powers more than a billion devices. Unsupported versions such as Windows 10 will not receive the new certificates.

“It’s important to note that devices running unsupported versions (Windows 10 and older, excluding those enrolled in Extended Security Updates) do not receive Windows updates and will not receive the new certificates,” Costa added. “We continue to encourage customers to always use a supported version of Windows for best performance and protection.”
