Microsoft has announced plans to refresh its Secure Boot certificates for Windows systems starting in June 2026. This update is necessary as the existing certificates are approaching the end of their lifecycle.
Understanding Secure Boot’s Role
Introduced in 2011, Secure Boot has been a cornerstone of Microsoft’s security architecture, ensuring that only verified software runs from the moment a device is powered on. This protection is facilitated by digital certificates embedded in a device’s firmware. However, after more than 15 years of service, the current certificates will reach their expiration date in June.
Implementation of New Certificates
In line with best practices, Microsoft plans to phase out the old certificates and introduce new ones across all supported Windows versions through automatic updates. To facilitate this transition, the company has collaborated with firmware manufacturers to enhance update tools and capabilities, ensuring a smooth rollout.
According to Microsoft, devices released since 2024, and nearly all models shipped in 2025, already include the updated certificates, minimizing the need for user intervention. For most users and businesses utilizing automatic updates, the new certificates will be seamlessly integrated via the standard Windows update process.
Special Cases and Recommendations
Some specialized systems, such as certain servers or IoT devices, may require a distinct update approach. In some cases, a firmware update from the device manufacturer will be necessary before the new Secure Boot certificates can be applied through Windows Update. Microsoft advises users to check OEM support pages to confirm that their devices have the latest firmware updates.
Devices that do not receive the updated certificates by the expiration date will continue to function but may lack future boot-level security measures. As new vulnerabilities emerge, these systems could become more exposed because they cannot receive new protections. This may also lead to compatibility issues with newer software and hardware.
Preparation and Future Outlook
Systems running on Windows 10 and older versions are not eligible for the new certificates unless enrolled in the Extended Security Updates program. Organizations are encouraged to review their systems as part of deployment strategies, validate update readiness, and use certificate monitoring tools. Ensuring devices are updated with the latest Windows updates and firmware is crucial.
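One way to carry out the readiness review described above on a single machine, shown as an added example that is not Microsoft's tooling or part of the original article: it parses the firmware's KEK and db variables and lists each embedded certificate with its expiry date. The function name Get-SecureBootCertificate is hypothetical; Get-SecureBootUEFI is the built-in cmdlet and needs an elevated prompt on a UEFI system.

```powershell
# Added example: list the X.509 certificates stored in the Secure Boot KEK and
# db variables, with expiry dates, by walking the EFI_SIGNATURE_LIST structures.
$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootCertificate {   # hypothetical helper name
    param([Parameter(Mandatory)][ValidateSet('KEK', 'db')][string]$Name)

    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    [int]$off = 0
    while ($off + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID, list size, header size, signature size
        $type         = [Guid]::new([byte[]]$bytes[$off..($off + 15)])
        [int]$listLen = [BitConverter]::ToUInt32($bytes, $off + 16)
        [int]$hdrLen  = [BitConverter]::ToUInt32($bytes, $off + 20)
        [int]$sigLen  = [BitConverter]::ToUInt32($bytes, $off + 24)
        # Stop on a malformed list instead of reading past the buffer
        if ($listLen -lt 28 -or $off + $listLen -gt $bytes.Length) { break }

        # Hash-only lists (other type GUIDs) are skipped; only certificates expire
        if ($type -eq $X509Guid -and $sigLen -gt 16) {
            $end = $off + $listLen
            for ($p = $off + 28 + $hdrLen; $p + $sigLen -le $end; $p += $sigLen) {
                # Each entry is a 16-byte owner GUID followed by a DER certificate
                [byte[]]$der = $bytes[($p + 16)..($p + $sigLen - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable = $Name
                    Subject  = $cert.Subject
                    NotAfter = $cert.NotAfter
                    Expired  = $cert.NotAfter -lt (Get-Date)
                }
            }
        }
        $off += $listLen
    }
}

'KEK', 'db' | ForEach-Object { Get-SecureBootCertificate -Name $_ } |
    Sort-Object Variable, NotAfter | Format-Table -AutoSize
```

A device that lists only certificates expiring in 2026 has not yet received the replacements and should be checked against the OEM firmware and Windows Update guidance above.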
Microsoft emphasizes a phased approach to the rollout, coordinated with ecosystem partners and informed by extensive testing. Despite these measures, a small number of devices may still require additional support during the update process, due to the diversity of models and usage scenarios.
The upcoming update is a critical step in maintaining robust cybersecurity measures, and Microsoft urges all users to prepare accordingly.
