Windows Secure Boot Certificates

Microsoft is changing how Windows handles Secure Boot updates before long-used boot certificates start expiring in June 2026. (support.microsoft.com) Secure Boot is the check that runs before Windows starts, using certificates stored in a PC’s firmware to confirm the boot software is trusted. Microsoft says the original Secure Boot certificates shipped broadly since 2011 begin expiring in June 2026, with expirations continuing through October 2026. (support.microsoft.com) Microsoft’s replacement is a new set of 2023 certificates delivered through Windows Update, with some devices also needing an original equipment manufacturer firmware update to apply them correctly. Microsoft says most personal Windows devices should receive the new certificates automatically, while managed fleets may require administrator action. (support.microsoft.com) Starting in April 2026, Windows Security began showing a new Secure Boot status page under Device security so users and administrators can see whether the certificate update has landed. Microsoft published separate guidance for consumers and information technology administrators on April 2, 2026, describing the new status messages. (support.microsoft.com) Microsoft has framed the change as a trust refresh rather than a mass boot failure deadline. Its support guidance says devices that have not yet received the 2023 certificates will still boot normally and continue getting standard Windows updates. (support.microsoft.com) The risk is narrower and more technical: Microsoft says some third-party components that depend on Microsoft Secure Boot trust may fail to update if they need newer certificate entries. That is why the company has been telling organizations to follow a staged update process instead of treating this like a routine Patch Tuesday install. (support.microsoft.com) Microsoft’s Windows IT Pro team called the project “one of the largest coordinated security maintenance efforts across the Windows ecosystem,” spanning Windows servicing, firmware updates and hardware makers worldwide. The company said in November 2025 that the first tools and steps were already available so administrators could update certificates before the June 2026 deadline. (techcommunity.microsoft.com, blogs.windows.com) Forbes reported on April 22 that Microsoft had adjusted its public guidance and was targeting an update “by end of April” as the rollout moved into its visible phase inside Windows Security. Microsoft’s support pages now direct users to check that status screen rather than assume every machine has already been updated. (forbes.com, support.microsoft.com) For home users, Microsoft’s message is mostly to keep Windows Update on and check the Secure Boot section if prompted. For administrators, the deadline is more concrete: confirm certificate status, test any required firmware updates, and finish the trust refresh before the 2011 certificates start aging out in late June. (support.microsoft.com, support.microsoft.com)