Microsoft has begun rolling out updated Secure Boot certificates through monthly Windows updates to replace the original 2011 certificates that will expire in late June 2026.

Introduced in 2011, Secure Boot ensures that only trusted bootloaders can load on computers with UEFI firmware, helping block malicious software, such as rootkits, from executing during system startup by verifying its digital signature against a set of trusted digital certificates stored in the firmware.

Microsoft first revealed plans to refresh expiring Secure Boot certificates on eligible Windows 11 24H2 and 25H2 systems in January, following a November alert warning IT admins to update the security certificates used to validate UEFI firmware before they expire.

"After more than 15 years of continuous service, the original Secure Boot certificates are reaching the end of their planned lifecycle and begin expiring in late June 2026," said Windows Servicing and Delivery partner director Nuno Costa on Tuesday.

"We've begun rolling out new certificates as part of the regular monthly Windows updates to in-support Windows devices for home users, businesses, and schools with Microsoft-managed updates. Organizations also have the option to manage the update process themselves using their preferred management tools."

Costa added that the certificate refresh represents "one of the largest coordinated security maintenance efforts across the Windows ecosystem," as it involves firmware updates across millions of device configurations from many hardware manufacturers and original equipment
manufacturers (OEMs).

The new Secure Boot certificates will be installed automatically via regular monthly updates for customers who allow Microsoft to manage Windows updates on their systems. Additionally, many PCs manufactured since 2024, and the vast majority shipped last year, already include updated certificates.

However, some devices may require separate firmware updates from manufacturers before applying new certificates, and Microsoft advised customers to check OEM support pages for the latest firmware versions.

Although Microsoft will automatically update high-confidence devices via Windows Update, IT admins can also deploy Secure Boot certificates using registry keys, Group Policy settings, and the Windows Configuration System (WinCS) to ensure that endpoints don't lose Windows Boot Manager and Secure Boot protections.

While devices that fail to receive updated certificates before June will continue to function normally, they will enter what Microsoft describes as a "degraded security state," with "limited" boot-level protections and no protection against attacks that exploit newly discovered vulnerabilities because they cannot install new mitigations.

Microsoft advised all customers to upgrade to Windows 11, which now officially powers more than a billion devices, as unsupported Windows versions like Windows 10 will not receive new certificates.

"It's important to note that devices running unsupported versions (Windows 10 and older, excluding those who have enrolled in Extended Security Updates) do not receive Windows updates and will not receive the new certificates," Costa noted. "We continue to encourage customers to always use a supported version of Windows for best performance and protection."