Microsoft sets June 26 deadline for Secure Boot certificate changes in Windows 11
- Microsoft’s May 12 Windows 11 security updates expanded the rollout of new Secure Boot certificates that replace Microsoft’s original 2011 boot-trust chain before June 2026. (support.microsoft.com)
- The key detail is what does not break on June 26: PCs should still boot and get normal Windows updates, but they stop receiving new boot-level protections. (support.microsoft.com)
- That makes this a security-servicing deadline, not a mass-bricking event — and it puts OEM firmware readiness and restart timing on IT teams. (support.microsoft.com)
Secure Boot is the part of a PC’s UEFI firmware that decides which boot software is trusted before Windows even starts. That matters because bootkits and other low-level malware try to load before the operating system can defend itself. Microsoft has been using the same Secure Boot certificates since the Windows 8 era, and those 2011 certificates start expiring in June 2026. (support.microsoft.com)

This week’s Windows 11 Patch Tuesday didn’t create that deadline — but it did widen the automatic rollout of the replacement certificates and make the clock feel very real. (support.microsoft.com)

### What actually expires in June?

Not Windows itself. Not your license. The expiring piece is the Microsoft certificate chain stored in the firmware’s Secure Boot databases and used by Secure Boot to verify boot software. Microsoft says those original 2011 certificates begin expiring in June 2026, and the replacement set was issued in 2023. (support.microsoft.com)

### Why does that matter if the PC still boots?

Because the catch is serviceability. Microsoft says devices that miss the certificate refresh should still start normally and keep getting standard Windows updates. But those machines won’t be able to receive new protections for the early boot process: Boot Manager security updates, Secure Boot database (db and dbx) changes, revocation lists, and mitigations for newly discovered boot-chain flaws. (support.microsoft.com)

The reason both halves are true is that UEFI firmware does not check a certificate’s expiry date when it verifies a boot image, so boot components already signed under the 2011 chain keep working. What stops is the issuing of new boot components and database updates under that chain, and firmware that trusts only the 2011 certificates cannot verify anything signed by the 2023 replacements.

### What changed this week?

The May 12 cumulative updates for Windows 11 — KB5089549 for versions 24H2 and 25H2, and KB5087420 for 23H2 — added what Microsoft calls more “high confidence device targeting data.” In practice, Windows Update is now better at deciding which eligible devices should get the new Secure Boot certificates automatically. Microsoft also says the rollout stays phased, and a device gets the certificates only after it has reported enough successful update signals. (support.microsoft.com)

### Is this the “one-time restart” people are talking about?

Sort of — but that phrase needs context.
Some Secure Boot-related updates need a reboot to finish because they write to the firmware’s boot components and databases, and Microsoft’s broader guidance has been telling users and admins to get updated well before expiration. But the official support pages frame this as a staged certificate and firmware transition, not a single universal June 26 reboot event for every Windows 11 PC. (support.microsoft.com)

### How do home users know where they stand?

Microsoft added clearer status messaging to the Windows Security app starting in April 2026. Under Device security > Secure Boot, users can now see whether the machine is fully updated, not yet updated, or needs attention. One useful nuance: a green check by itself is not enough. Microsoft says the text should explicitly say all required certificate updates have been applied. (support.microsoft.com)

### Why are IT teams more exposed here?

Because fleets are messy. Microsoft’s enterprise guidance puts the burden on admins to test firmware, monitor rollout, verify Secure Boot state, and handle exceptions. Some systems may also need OEM firmware updates before the new certificates can be applied properly. That means the real work is not just patching Windows: it is coordinating Windows Update, firmware support, BitLocker behavior, and maintenance windows across a mixed device estate. (support.microsoft.com)

### Are any devices unaffected?

Microsoft says Copilot+ PCs released in 2025 are not affected by this specific certificate rollover. But a wide range of older physical and virtual Windows systems are in scope, including supported Windows 10, Windows 11, and several Windows Server releases. (support.microsoft.com)

### What should people do now?

If you are a regular user, the answer is simple: stay current on Windows updates and check the Secure Boot status page. If you manage devices, the answer is less simple: verify Secure Boot is enabled, confirm firmware support from OEMs, check that the 2023 certificates actually landed in the firmware databases rather than assuming the update did it, and don’t assume every machine will update itself cleanly.
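The fleet check described above, as an added example written for this article and not Microsoft’s own tooling. It reads the firmware’s KEK and db variables and looks for the subject names of the expiring 2011 CAs and the 2023 replacements, then reports the things an admin would want before a maintenance window: Secure Boot state, rollout status, and whether BitLocker needs suspending before an OEM firmware update. The registry value `UEFICA2023Status` and the TPM-WMI event ID 1801 are assumptions taken from Microsoft’s servicing guidance as recalled here, not from this article; confirm both against the current support page before building reporting on them.

```powershell
#Requires -RunAsAdministrator
# Added example for this article, not Microsoft's script. Run in an elevated
# PowerShell session on a UEFI Windows 10/11 or Windows Server machine.
# Assumptions (not from the article): the registry value and event ID used for
# rollout status are from Microsoft's Secure Boot servicing guidance as recalled;
# verify them against the current support article before relying on them.

$ErrorActionPreference = 'Stop'

function Get-SecureBootVariableText {
    # Read a UEFI Secure Boot variable (PK, KEK, db, dbx) and return its bytes as ASCII.
    # Certificate subject names inside the EFI_SIGNATURE_LIST entries are DER
    # PrintableStrings, so a substring match shows which CAs are enrolled without
    # writing a full signature-list parser.
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)
    $variable = Get-SecureBootUEFI -Name $Name
    return [System.Text.Encoding]::ASCII.GetString($variable.Bytes)
}

function Test-SecureBootCertReadiness {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not (Confirm-SecureBootUEFI)) {
        # Legacy boot or Secure Boot switched off: the certificate update cannot apply.
        $findings.Add('Secure Boot is disabled or the system boots in legacy mode; enable it in firmware first.')
        return [pscustomobject]@{ SecureBootEnabled = $false; Certificates = $null; ServicingStatus = $null; Findings = $findings }
    }

    $kek = Get-SecureBootVariableText -Name 'KEK'
    $db  = Get-SecureBootVariableText -Name 'db'

    # Subject names of the CAs in the rollover: the 2011 chain that starts expiring in
    # June 2026 and the 2023 replacements. Each entry is $true when that CA is enrolled.
    $certs = [ordered]@{
        'KEK Microsoft Corporation KEK CA 2011 (expiring)'       = [bool]($kek -match 'Microsoft Corporation KEK CA 2011')
        'KEK Microsoft Corporation KEK 2K CA 2023 (replacement)' = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')
        'db  Microsoft Windows Production PCA 2011 (expiring)'   = [bool]($db -match 'Microsoft Windows Production PCA 2011')
        'db  Windows UEFI CA 2023 (replacement)'                 = [bool]($db -match 'Windows UEFI CA 2023')
        'db  Microsoft Corporation UEFI CA 2011 (expiring)'      = [bool]($db -match 'Microsoft Corporation UEFI CA 2011')
        'db  Microsoft UEFI CA 2023 (replacement)'               = [bool]($db -match 'Microsoft UEFI CA 2023')
    }

    $missing = @($certs.Keys | Where-Object { $_ -like '*replacement*' -and -not $certs[$_] })
    if ($missing.Count -gt 0) {
        $findings.Add("Replacement 2023 certificates not yet enrolled: $($missing -join '; '). Keep the device on Windows Update and check the OEM for a firmware update.")
    } else {
        $findings.Add('All 2023 replacement certificates are enrolled in KEK and db.')
    }

    # Assumed: Windows records the rollout state for this device under this key.
    $servicing = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
    $status = if ($servicing -and $servicing.PSObject.Properties['UEFICA2023Status']) { $servicing.UEFICA2023Status } else { 'Unknown (value not present)' }

    # Assumed: TPM-WMI event 1801 in the System log means firmware still needs the CA update.
    $event1801 = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801 } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($event1801) {
        $findings.Add("Event 1801 last logged $($event1801.TimeCreated): firmware reports the Secure Boot CA/keys still need updating.")
    }

    # OEM firmware updates can change the TPM measurements a BitLocker protector is sealed
    # against, so flag drives that should be suspended for one reboot before flashing.
    try {
        $volume = Get-BitLockerVolume -MountPoint $env:SystemDrive
        if ($volume.ProtectionStatus -eq 'On') {
            $findings.Add("BitLocker is On for $env:SystemDrive; run Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 1 before an OEM firmware update to avoid a recovery prompt.")
        }
    } catch {
        $findings.Add('BitLocker module not available; skipped the protector check.')
    }

    return [pscustomobject]@{
        SecureBootEnabled = $true
        Certificates      = $certs
        ServicingStatus   = $status
        Findings          = $findings
    }
}

Test-SecureBootCertReadiness | Format-List
```

The certificate table is the part worth trusting on its own: it is read straight from the firmware variables, so it says what the machine will actually verify at boot regardless of what Windows Update or the Windows Security app reports. A device that shows the 2011 entries but none of the 2023 replacements is the one that will keep booting after June 2026 and quietly stop receiving Boot Manager and dbx updates.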
The bottom line is that June 2026 is not a cliff where Windows stops booting. It is the point where unprepared machines start falling behind on the security that protects the boot process itself. (support.microsoft.com) (techcommunity.microsoft.com) (support.microsoft.com)