Microsoft Warns of Expiring Secure Boot Certificates, Potential Security Impact
Microsoft has issued warnings regarding the upcoming expiration of Secure Boot certificates originally released in 2011, with the deprecation process beginning in June 2026. These certificates, crucial for verifying the integrity of a device’s boot process, are being superseded by a newer set of 2023 certificates. The move aims to maintain protection against evolving boot-level threats, a critical aspect of modern cybersecurity.
Secure Boot helps ensure that a device starts using trusted software, preventing malicious code from loading before the operating system. According to Microsoft’s support documentation, most personal Windows devices will automatically receive the updated certificates through standard Windows Updates. However, some systems, particularly those managed by organizations, may require an additional firmware update from their Original Equipment Manufacturer (OEM).
The certificates will begin expiring in June 2026 and continue through October 2026, as reported by CNET. While devices won’t immediately stop functioning after the expiration date, they will gradually lose key security protections. Specifically, they will no longer receive updates for the early boot process, including Windows Boot Manager, Secure Boot databases and revocation lists.
“If your device reaches the expiration date without the new certificates, it will still start and operate normally,” Microsoft stated. “Standard Windows updates will continue to install.” However, the company cautions that scenarios relying on Secure Boot trust – such as BitLocker hardening or third-party bootloaders – may be affected if they require updated certificates.
The update primarily impacts Windows 10 (version 1607 or later) and Windows 11. Users on older versions of Windows, or those not enrolled in the Extended Security Updates program for Windows 10, may not receive the necessary updates. Windows Central notes that PCs shipped since 2024 likely already have the updated certificates.
Microsoft emphasizes that the update process is largely automated. However, the expiration of these foundational security components underscores the ongoing need for proactive security measures in the face of increasingly sophisticated threats. The company is leveraging Windows Update to deliver the new certificates, but OEM firmware updates may be necessary for some devices to ensure full compatibility and continued protection.
