Microsoft has begun deploying new Secure Boot certificates to Windows devices as the original certificates from 2011 approach their expiration date in late June 2026. This represents one of the largest coordinated security maintenance efforts across the Windows ecosystem, involving millions of devices and close collaboration with hardware manufacturers worldwide.

Understanding Secure Boot and Certificate Expiration

Secure Boot is a foundational security feature that protects Windows and Windows Server systems from the moment a device powers on. Running at startup—before Windows loads—Secure Boot ensures only trusted, digitally signed software can execute, blocking untrusted code at the earliest stage of the boot process.

This trust is anchored in certificates stored in the device's UEFI firmware variables: the Key Exchange Key (KEK) and the signature database (db). The originals date from 2011: the Microsoft Corporation KEK CA 2011 in the KEK, and in the db the Microsoft Windows Production PCA 2011, which signs the Windows boot manager, and the Microsoft Corporation UEFI CA 2011, which signs third-party boot components such as option ROMs and Linux shims. After 15 years of service they are reaching their planned end of life. Periodically refreshing certificates and keys is standard industry practice so that aging credentials do not become the weak point of a trust chain.

Microsoft is rolling out the new certificates through the regular monthly Windows updates to in-support devices whose updates are managed by Microsoft, covering home users, businesses and schools. Organizations that manage updates themselves can drive the process with their preferred management tools.

Ecosystem Collaboration and Device Preparation

The certificate refresh required extensive coordination with the device manufacturers and firmware vendors responsible for each platform's Unified Extensible Firmware Interface (UEFI) implementation. That work added servicing capabilities and tooling for a gradual, monitored deployment, along with firmware improvements so that the certificate updates can be applied safely.

OEM partners have played a critical role in this transition. Many newer PCs built since 2024—and almost all devices shipped in 2025—already include the new certificates and require no customer action. Major manufacturers have shared their perspectives on this collaboration:

Dell Technologies: "Security is integral to everything we build at Dell Technologies, and Secure Boot safeguards are critical to maintaining device trust. We collaborated early with Microsoft's engineering teams to prepare a smooth transition process for our customers," said Rick Martinez, Dell Fellow and VP, CTO Security.

HP Inc: "HP is working closely with Microsoft to ensure firmware updates are available so that all supported HP PCs running Windows 11 can adopt the new Secure Boot certificates before legacy certificates expire," said Vali Ali, HP Fellow and Chief Technologist, Security and Privacy.

Lenovo: "By working closely throughout the planning, testing and rollout phases, we're helping ensure customers stay protected, informed and supported—without interruption to their business," said Tom Butler, VP Worldwide Commercial Portfolio and Product Management.

Impact of Certificate Expiration

If a device does not receive the new Secure Boot certificates before the 2011 certificates expire, the PC will continue to boot and run normally, and existing signed software will keep loading: UEFI firmware does not enforce certificate expiry at boot time, so nothing that is already trusted stops working. What changes is that Microsoft can no longer use the expired certificates to sign new boot components or new signature-database updates, so the device enters a degraded security state in which it cannot receive future boot-level protections.

As new boot-level vulnerabilities are discovered, such systems become increasingly exposed, because mitigations delivered as newly signed boot managers or as revocation (DBX) updates can no longer be installed. Over time this can also cause compatibility problems: newer operating systems, firmware, hardware and Secure Boot-dependent software signed only under the 2023 certificates may fail to load.

Devices running Windows versions that are out of support (Windows 10 and earlier, except Windows 10 devices enrolled in Extended Security Updates) will not receive the new certificates, because they no longer receive Windows updates.

Required Actions for Users and IT Administrators

For most individuals and businesses allowing Microsoft to manage PC updates, the new certificates will install automatically through the regular monthly Windows update process with no additional action required. Some specialized systems like certain server or IoT devices may follow different update processes.

For a minority of devices, a separate firmware update from the manufacturer must be installed before the system can apply the new Secure Boot certificates. Microsoft recommends checking the OEM's support pages to confirm that the latest firmware is installed.

Over the coming months, the Windows Security app will show the status of the certificate update. For organizations, the new certificates are delivered through the regular monthly Windows updates on devices that report enough diagnostic data for Microsoft to validate their readiness. Where devices cannot be validated with confidence, organizations should follow the IT administrator playbook and use their existing management tools to deploy and monitor the update.

Support Resources and Next Steps

Microsoft and device manufacturers are rolling out the certificates in a phased approach informed by broad testing and staged deployment. Users who run into problems should:

  1. Ensure devices are running the latest monthly Windows updates
  2. Check that the latest firmware version is installed via OEM support pages
  3. Contact support if needed—device owners can leverage online support channels and phone numbers, while enterprise customers can use existing IT support channels
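
The first two steps can be verified on the device itself rather than by guesswork. The following PowerShell is an added example written for this page; it is not code from the Windows Blog post or from Microsoft. It reads the device's Secure Boot KEK and db variables and reports whether the expiring 2011 certificates and their 2023 replacements are present, optionally checks which CA issued the signature on the installed boot manager, and reads the update's servicing status. The certificate subject names are the ones Microsoft uses for the 2011 and 2023 CAs; the registry path and value name (UEFICA2023Status) are assumed from Microsoft's deployment guidance and may be absent on a device that has not yet been offered the update.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the Windows Blog post or from Microsoft.
# Run from an elevated PowerShell prompt on a Windows 11 device with Secure Boot on.
# Assumptions: the certificate subject strings below are Microsoft's 2011/2023 CA
# names; the registry value under ...\SecureBoot\Servicing is the servicing status
# described in Microsoft's deployment guidance and may be absent on some devices.

function Get-SecureBootCertState {
    [CmdletBinding()]
    param(
        # Also inspect the installed boot manager's signing chain (mounts the ESP).
        [switch]$CheckBootManager,
        # Free drive letter used to mount the EFI System Partition temporarily.
        [string]$EspDrive = 'S'
    )

    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is disabled or unsupported on this device; the certificate refresh does not apply.'
    }

    # db and KEK are raw EFI_SIGNATURE_LIST blobs. The X.509 subject names are
    # embedded as plain ASCII, so a substring search is enough for a readiness check.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    $state = [ordered]@{
        # Expiring 2011 certificates
        'KEK  Microsoft Corporation KEK CA 2011'     = [bool]($kek -match 'Microsoft Corporation KEK CA 2011')
        'db   Microsoft Windows Production PCA 2011' = [bool]($db  -match 'Microsoft Windows Production PCA 2011')
        'db   Microsoft Corporation UEFI CA 2011'    = [bool]($db  -match 'Microsoft Corporation UEFI CA 2011')
        # 2023 replacements
        'KEK  Microsoft Corporation KEK 2K CA 2023'  = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')
        'db   Windows UEFI CA 2023'                  = [bool]($db  -match 'Windows UEFI CA 2023')
        'db   Microsoft UEFI CA 2023'                = [bool]($db  -match 'Microsoft UEFI CA 2023')
        'db   Microsoft Option ROM UEFI CA 2023'     = [bool]($db  -match 'Microsoft Option ROM UEFI CA 2023')
    }

    # Servicing status written by the Windows update component (assumed key and value name).
    $servicing = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
                                  -Name 'UEFICA2023Status' -ErrorAction SilentlyContinue
    $state['Servicing status (UEFICA2023Status)'] =
        if ($servicing) { $servicing.UEFICA2023Status } else { 'not present' }

    if ($CheckBootManager) {
        # Once db trusts the 2023 CA, Windows also swaps in a boot manager signed under it.
        # Report which CA issued the signing certificate on the one currently installed.
        $esp = "${EspDrive}:"
        $mounted = $false
        if (-not (Test-Path "$esp\EFI\Microsoft\Boot\bootmgfw.efi")) {
            mountvol $esp /S | Out-Null
            $mounted = $true
        }
        try {
            $sig = Get-AuthenticodeSignature "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
            $state['bootmgfw.efi signer issuer'] = $sig.SignerCertificate.Issuer
        }
        finally {
            if ($mounted) { mountvol $esp /D | Out-Null }
        }
    }

    [pscustomobject]$state
}

# Readiness verdict: the 2023 KEK and all three 2023 db certificates must be present.
function Test-SecureBoot2023Ready {
    $s = Get-SecureBootCertState
    $needed = 'KEK  Microsoft Corporation KEK 2K CA 2023',
              'db   Windows UEFI CA 2023',
              'db   Microsoft UEFI CA 2023',
              'db   Microsoft Option ROM UEFI CA 2023'
    $missing = $needed | Where-Object { -not $s.$_ }
    if ($missing) {
        Write-Warning "Secure Boot certificate refresh incomplete; missing: $($missing -join ', ')"
        Write-Warning 'Install the latest monthly update, then check the OEM support page for a firmware update.'
        return $false
    }
    return $true
}

Get-SecureBootCertState -CheckBootManager | Format-List
Test-SecureBoot2023Ready
```

If the 2023 entries stay absent after the latest monthly update has been installed, the firmware is the likely blocker and the OEM firmware update from step 2 is the next thing to check. A boot manager whose signer is still issued by "Microsoft Windows Production PCA 2011" on a device whose db already trusts "Windows UEFI CA 2023" simply means the boot-manager swap has not yet been applied; it is not a failure on its own.
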

This generational refresh ensures the Windows ecosystem can continue building on a secure, industry-aligned boot process. Security at this level is an ongoing responsibility shared across Microsoft and the broader PC ecosystem, requiring proactive planning, transparency and providing the tools customers need to navigate the transition with confidence.

TL;DR

- Microsoft is rolling out new Secure Boot certificates before the original 2011 certificates expire in June 2026
- Most devices receive updates automatically through monthly Windows updates—no user action required
- Many PCs built since 2024, and almost all shipped in 2025, already include the new certificates; check OEM support pages for firmware updates if needed
- Without updates, devices will function but enter degraded security state, unable to receive future boot-level protections
- IT administrators should review the Secure Boot Playbook and use existing management tools for deployment monitoring

Sources

- Windows Blog: Refreshing the root of trust - Microsoft Secure Boot Support Resources