Microsoft 2026 Deadline for Secure Boot Certificate Expiration

Key Takeaways

1. Initial Secure Boot certificates from 2011 will start expiring in June 2026, with all expiring by October 2026.
2. Microsoft is rolling out new 2023 certificates through regular Windows updates, but some devices may require firmware updates from OEMs.
3. Devices will still boot normally after expiration, but they will stop receiving new boot-process protections and fixes for newly found boot-chain vulnerabilities.
4. Microsoft is moving to 2023 certificate authorities for signing updates to the Secure Boot database and boot components, and has published guidance for deploying the change on managed devices.
5. Users should not disable Secure Boot as a workaround, and additional resources for support and guidance are available from Microsoft.


Microsoft is alerting Windows users and IT administrators that the initial Secure Boot certificates that were issued back in 2011 will begin to expire in June 2026, with more expirations occurring through October 2026. The company has started to roll out new 2023 certificates to affected systems via regular Windows updates for many devices.

Important Updates

This information was shared in Microsoft’s Patch Tuesday release notes on January 13, 2026, for Windows 11 (KB5074109), specifically under the section titled “Windows Secure Boot certificate expiration.” Here, Microsoft highlights the June 2026 start date and directs users to resources for preparation.

On February 10, 2026, Microsoft also released KB5079373, which discusses what the expiration entails and confirms that most devices will receive updates automatically. However, some may need firmware updates from the original equipment manufacturer (OEM).

Booting After Expiration

Microsoft explains that devices that hit the expiration date will still boot as usual and continue to get standard Windows updates. The main change is that systems without the new certificates won’t gain new protections for the early boot process. This includes updates linked to Windows Boot Manager, Secure Boot databases, revocation lists, and fixes for any newly found vulnerabilities in the boot chain.

In a broader explanation regarding Secure Boot certificates (KB5062710), Microsoft similarly warns that while everyday usage might seem unaffected, affected machines will gradually lose protection as new threats at the boot level appear.

Transition to New Certificates

In its IT guidance, Microsoft lists three Secure Boot certificates that have been in use since the era of Windows 8 and Windows Server 2012, stating they will start to expire in June 2026 and will all be expired by October 2026.

Microsoft is transitioning devices to certificate authorities from 2023, including new authorities for signing updates to the Secure Boot database and Windows boot components. Some environments might need to add separate 2023 certificates depending on which trust they require (for example, trust related to Option ROM).

Consumer and Managed Devices

For the majority of consumer PCs, Microsoft asserts that the new certificates should come through Microsoft-managed updates. However, it warns that some systems might need an OEM firmware update for the new certificates to be applied correctly. Microsoft also discourages users from disabling Secure Boot as a workaround.

For managed fleets, Microsoft’s guidance provides strategies to inventory, monitor, and implement the updates (including through Intune, Group Policy, and registry methods) before the June 2026 deadline.
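As an added example of the inventory step (not Microsoft's own script and not part of the original article), the following PowerShell reads the firmware KEK and db variables and reports which 2011 and 2023 certificate authorities are present. The certificate common names are an assumption from Microsoft's published certificate names, not from this article, and the function and property names are illustrative.

```powershell
# Added example. Run in an elevated PowerShell session on a UEFI device.
# CA common names are assumptions taken from Microsoft's published
# certificate names; they do not appear in the article text.
$ExpectedCas = @(
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK CA 2011';     Generation = 2011 }
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023';  Generation = 2023 }
    @{ Variable = 'db';  Name = 'Microsoft Windows Production PCA 2011'; Generation = 2011 }
    @{ Variable = 'db';  Name = 'Windows UEFI CA 2023';                  Generation = 2023 }
    @{ Variable = 'db';  Name = 'Microsoft Corporation UEFI CA 2011';    Generation = 2011 }
    @{ Variable = 'db';  Name = 'Microsoft UEFI CA 2023';                Generation = 2023 }
    @{ Variable = 'db';  Name = 'Microsoft Option ROM UEFI CA 2023';     Generation = 2023 }
)

function Get-SecureBootCaInventory {
    param([hashtable[]]$Expected = $ExpectedCas)

    # Secure Boot state; the cmdlet throws on legacy BIOS systems.
    $enabled = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }

    $cache = @{}   # decoded variable contents, read once per variable
    foreach ($item in $Expected) {
        $var = $item.Variable
        if (-not $cache.ContainsKey($var)) {
            try {
                $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
                # Certificate subject names are stored as readable strings in the DER data.
                $cache[$var] = [System.Text.Encoding]::ASCII.GetString($bytes)
            } catch {
                $cache[$var] = $null   # not elevated, not UEFI, or variable unreadable
            }
        }
        [pscustomobject]@{
            Computer          = $env:COMPUTERNAME
            SecureBootEnabled = $enabled
            Variable          = $var
            Certificate       = $item.Name
            Generation        = $item.Generation
            # $null means "could not read", which is different from "absent".
            Present           = if ($null -eq $cache[$var]) { $null } else { $cache[$var].Contains($item.Name) }
        }
    }
}

Get-SecureBootCaInventory | Format-Table -AutoSize
```

A device that shows the 2011 entries as present and the 2023 entries as absent has not yet had the new certificates written to firmware; the Option ROM and third-party UEFI CA rows only matter where that trust is required.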

Reports from third-party sources indicate that Microsoft considers this a “generational refresh” of the boot trust chain, with updates now being delivered via regular Windows servicing for supported devices.
