Microsoft has warned that the original Secure Boot certificates, introduced in 2011, will expire in June and October 2026, potentially leaving some PCs in a degraded security state. The company is rolling out updates via Windows Update for supported systems to install new certificates and maintain boot-level protections. Users of Windows 11 and enrolled Windows 10 devices should check for these updates soon.
Secure Boot, a UEFI firmware feature that Microsoft began requiring with Windows 8, verifies the signatures on bootloaders and other early-boot components so that unsigned or untrusted code cannot load at startup. On most PCs the trust anchors for that check are Microsoft certificates dating back to 2011, stored in the firmware's Secure Boot variables. Those certificates are set to expire in June and October 2026, as highlighted in a recent Microsoft blog post by Nuno Costa, a program manager in the Windows Servicing and Delivery division.
Without the new certificates, affected devices will continue to boot and run existing software: UEFI firmware does not reject an already-trusted signature simply because the signing certificate's validity period has lapsed. What changes is that Microsoft stops issuing boot-level security updates, such as new boot manager builds and revocation list (DBX) entries, under the expired 2011 certificates, so a device that trusts only those certificates can no longer receive protection against newly discovered boot-level vulnerabilities. That is the degraded security state Microsoft refers to. Over time, such systems may also face compatibility issues with newer operating systems, firmware, hardware, or Secure Boot-dependent software that is signed under the 2023-era certificates.
"If a device does not receive the new Secure Boot certificates before the 2011 certificates expire, the PC will continue to function normally, and existing software will keep running," Costa wrote. He added that the update represents "a generational refresh of the trust foundation that modern PCs rely on at startup."
Microsoft is providing the new certificates through Windows Update for supported versions: Windows 11 (version 24H2 or 25H2) and Windows 10 devices enrolled in the Extended Security Updates (ESU) program. Unsupported Windows versions will not receive them. The refresh process begins in March 2026 for eligible users, with many systems from 2024 and nearly all from 2025 already including the certificates in their firmware.
To check whether a PC already has the new certificates, run the following from an administrator PowerShell prompt: [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'. The command reads the raw Secure Boot signature database (db) and searches it for the subject name of the 2023 certificate; a result of True means the 2023 certificate is present in db, while False means the device still relies only on the 2011 certificates. The check covers db only: it does not confirm that the Key Exchange Key (KEK) has been refreshed or that the 2023-signed boot manager is actually in use. Alongside the check, Microsoft's guidance is to confirm that Secure Boot is enabled, to apply any firmware updates from the OEM (Dell, HP, Lenovo, Asus and others), and to have the BitLocker recovery key at hand if the drive is encrypted, since a new boot manager can change the boot measurements that BitLocker's TPM protector is bound to. On older PCs whose firmware has little free NVRAM, resetting the Secure Boot keys to factory defaults in the BIOS/UEFI setup may free enough space for the new certificates to be written; have the recovery key ready before doing so.
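The one-line check above only tells you whether one string appears in db. The script below is an added example, not code from Microsoft's post: it parses the PK, KEK and db variables as EFI_SIGNATURE_LIST structures, lists every X.509 certificate they hold with its expiry date, and reports whether the 2023 anchors are present. The db subject name 'Windows UEFI CA 2023' comes from the article; the KEK subject name 'Microsoft Corporation KEK 2K CA 2023' is taken from Microsoft's Secure Boot update guidance and is assumed here, so confirm it against current documentation. It requires an elevated PowerShell session on a UEFI system.

```powershell
# Added example (not from Microsoft's post): enumerate the X.509 certificates in the
# Secure Boot PK, KEK and db variables and report readiness for the 2023 certificates.
# Run from an elevated PowerShell on a UEFI system; Get-SecureBootUEFI and
# Confirm-SecureBootUEFI are built-in Windows cmdlets.

# GUID that tags an EFI_SIGNATURE_LIST holding DER-encoded X.509 certificates (UEFI spec).
$EfiCertX509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificates {
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db')][string]$Variable)

    $bytes  = [byte[]](Get-SecureBootUEFI -Name $Variable).Bytes
    $offset = 0
    # The variable is a sequence of EFI_SIGNATURE_LIST structures:
    #   GUID SignatureType (16) | UINT32 ListSize | UINT32 HeaderSize | UINT32 SignatureSize
    #   | header bytes | EFI_SIGNATURE_DATA entries (16-byte owner GUID + signature data)
    while ($offset + 28 -le $bytes.Length) {
        $type       = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST in $Variable at offset $offset"
        }
        if ($type -eq $EfiCertX509Guid) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # Skip the 16-byte SignatureOwner GUID; the rest is the DER certificate.
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Variable
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Test-SecureBoot2023Readiness {
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        throw "This system does not expose UEFI Secure Boot variables (legacy BIOS or unsupported firmware): $_"
    }
    if (-not $enabled) {
        Write-Warning 'Secure Boot is disabled; enable it in firmware setup before expecting the certificate update.'
    }

    $certs = foreach ($v in 'PK', 'KEK', 'db') { Get-SecureBootCertificates -Variable $v }
    $certs | Sort-Object Variable, NotAfter | Format-Table Variable, NotAfter, Subject -AutoSize

    # 'Windows UEFI CA 2023' is the db entry Microsoft's one-liner looks for.
    # 'Microsoft Corporation KEK 2K CA 2023' is the replacement KEK named in Microsoft's
    # guidance (assumed here; confirm against current documentation).
    $dbOk  = [bool]($certs | Where-Object { $_.Variable -eq 'db'  -and $_.Subject -match 'Windows UEFI CA 2023' })
    $kekOk = [bool]($certs | Where-Object { $_.Variable -eq 'KEK' -and $_.Subject -match 'KEK 2K CA 2023' })
    # Certificates whose NotAfter falls within the next six months (the 2011 CAs in 2026).
    $expiringSoon = $certs | Where-Object { $_.NotAfter -lt (Get-Date).AddMonths(6) }

    [pscustomobject]@{
        SecureBootEnabled  = $enabled
        Db2023Present      = $dbOk
        Kek2023Present     = $kekOk
        ExpiringWithin6Mo  = @($expiringSoon | ForEach-Object { $_.Subject })
    }
}

Test-SecureBoot2023Readiness
```

Reading the KEK as well as db matters because the KEK is what authorizes future db and DBX updates; a device with the 2023 certificate in db but still only the 2011 KEK has not completed the refresh. A device showing certificates in ExpiringWithin6Mo but no 2023 entries is one that still needs the Windows Update or OEM firmware update the article describes.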
Microsoft has collaborated with major PC makers to prepare for this transition, which it describes as a standard industry practice to align with modern security standards. IT organizations have been informed since last year, and home users can seek support through Microsoft's services.