Microsoft is launching a major, ecosystem‑wide refresh of Secure Boot certificates as the original keys that have protected Windows PCs since 2011 approach their planned retirement in 2026. In a new Windows Experience Blog post, the company outlines how it is working with device makers to renew this cryptographic foundation before those certificates expire starting in late June 2026.
Why Windows Secure Boot certificates need to change
Secure Boot is a low‑level security feature that runs before Windows or Windows Server ever loads, ensuring that only trusted, digitally signed software is allowed to execute during the boot sequence. By enforcing this trust boundary in firmware, Secure Boot blocks untrusted bootloaders and early‑stage malware that can be extremely hard to detect or remediate once the operating system has started.
This trust model depends on certificates stored in a PC’s firmware, which act as cryptographic proof that boot components come from a trusted source. After more than 15 years of continuous use, the original 2011 Microsoft Secure Boot certificates are now nearing the end of their lifecycle and will begin expiring in June 2026, with additional expirations following later that year. Microsoft stresses that periodically retiring old certificates and introducing new ones is standard practice in modern cryptography, helping prevent aging credentials from becoming a weak point in the platform.
A massive coordinated update across the ecosystem
Because Secure Boot sits at the firmware level and touches how every PC starts, refreshing these certificates is one of the largest coordinated security maintenance efforts the Windows ecosystem has ever undertaken. The work spans Windows servicing, UEFI firmware updates, and millions of device configurations shipped by different original equipment manufacturers (OEMs) worldwide.
Microsoft says it has been working closely with firmware providers and OEMs on a standards‑based approach, adding new servicing capabilities and tools so that certificate updates can roll out gradually and be monitored for issues. Firmware improvements are also being delivered to ensure the new certificates can be applied safely, minimizing the risk of boot failures or bricked devices.
According to Microsoft, OEM partners have already been provisioning updated certificates on new devices, and many PCs built since 2024—and almost all devices shipped in 2025—include the new certificates out of the box. Those systems require no additional action from customers. OEMs have also published their own support pages with guidance on Secure Boot certificate updates and firmware requirements to help customers prepare.
What happens if certificates expire?

Over time, this can also lead to compatibility problems, as newer operating systems, firmware, hardware, or Secure Boot‑dependent software may fail to load correctly on systems that only trust the old certificates. Devices running unsupported versions of Windows—such as Windows 10 after its end of support on October 14, 2025, unless enrolled in Extended Security Updates—do not receive regular Windows updates and will not get the new certificates. Microsoft continues to encourage customers to move to a supported version of Windows 11 to maintain both security and feature compatibility.
What users and organizations should do
For most home users and many businesses that allow Microsoft to manage updates, the new Secure Boot certificates are already being delivered through the regular monthly Windows quality updates. In these scenarios, no extra steps are typically required. The company notes that some specialized systems, such as certain servers or IoT devices, may follow different processes and should be evaluated as part of IT deployment planning.
On a small fraction of devices, especially older hardware, a separate firmware (BIOS/UEFI) update from the OEM may be required before Windows Update can successfully apply the new Secure Boot certificates. Microsoft recommends that customers proactively check their OEM support pages to ensure they have the latest firmware installed. In the coming months, Windows will also surface certificate‑update status inside the Windows Security app, giving consumers a clearer view of whether their device is ready.
For organizations, the new certificates are delivered through monthly updates when devices send sufficient diagnostic data to validate readiness. In environments where devices cannot be confidently validated this way—for example, tightly locked‑down or offline systems—Microsoft advises IT teams to use the Secure Boot IT administrator playbook and their existing management tools to deploy and monitor the updates manually.
Support channels and troubleshooting
Because of the sheer diversity of device models, firmware versions, and use cases, Microsoft acknowledges that a small number of systems may need additional help during the transition. If users run into issues, the company recommends first confirming that the latest Windows monthly updates are installed and then verifying that the most recent OEM firmware is applied.
If problems persist, personal and family account holders can contact Microsoft through online support and published phone support numbers, while enterprise customers should use their existing IT support channels. Microsoft has prepared both consumer and commercial support teams with guidance specifically for Secure Boot certificate updates, and points admins and advanced users to centralized documentation at aka.ms/GetSecureBoot and the Secure Boot Playbook.
A renewed root of trust for future Windows PCs
Microsoft characterizes this Secure Boot certificate refresh as a generational update to the root of trust that modern Windows PCs rely on every time they power on. By renewing the certificates now, the company aims to ensure future innovations in hardware, firmware, and operating systems can continue to depend on a secure, industry‑aligned boot process.
The blog emphasizes that security at this level is an ongoing responsibility shared between Microsoft and the broader PC ecosystem, not a one‑time fix. Through early planning, extensive testing, and close coordination with OEMs, Microsoft says it is focused on delivering an efficient, safe transition that gives customers the tools and visibility they need to navigate the change with confidence.
With the update already underway, Microsoft expects Secure Boot to remain a resilient security foundation for both existing Windows devices and the next generation of PCs. IT pros looking for deeper technical guidance or deployment checklists are encouraged to review the Secure Boot Playbook and related materials linked from Microsoft’s documentation hubs.




