The foundational security certificates that support Windows Secure Boot, a feature first introduced over a decade ago, are approaching their expiration in mid-2026. This development has prompted Microsoft, along with leading PC manufacturers, to expedite their update initiatives across the global Windows ecosystem.
Originally created during the development of Windows 8 in 2011, these certificates are set to expire in June and October 2026. While this expiration will not cause millions of PCs to cease functioning overnight, devices that do not receive updated certificates may gradually encounter increasing security limitations and compatibility issues with newer operating systems, firmware, and hardware.
Microsoft officials have characterized this transition as a “generational refresh” of the trust infrastructure that secures the Windows boot process. Industry analysts view it as one of the most significant changes to Windows security since Secure Boot became a mandatory requirement with Windows 11 in 2021.
A Security Feature Born in the Windows 8 Era
Secure Boot was introduced alongside Windows 8 as part of Microsoft’s transition to UEFI (Unified Extensible Firmware Interface), which replaced the legacy BIOS system that had been in use for decades. This feature was designed to thwart rootkits and boot-level malware by ensuring that only trusted, digitally signed bootloaders can initiate the system.
Initially optional, Secure Boot saw increased adoption with Windows 10, but it was not until Windows 11 that it became a formal requirement. The certificates established in 2011, which validate bootloaders through the “Windows UEFI CA 2011” chain of trust, have remained unchanged for over a decade. Now, Microsoft is moving towards updated 2023-era certificates that reflect modern cryptographic standards and evolving threat models.
Nuno Costa, a program manager in Microsoft’s Windows Servicing and Delivery division, notes that systems failing to update before the expiration date “will continue to function normally,” but they will enter what Microsoft refers to as a “degraded security state.”
What Happens If You Don’t Update?
The risks associated with not updating are gradual rather than immediate. If a PC does not receive the new certificates before expiration:
- It will still boot and run existing software.
- It may be unable to install new boot-level security mitigations.
- It could eventually fail to install or boot newer operating systems.
- Future firmware, hardware, or Secure Boot–dependent tools may refuse to load.
Security researchers emphasize that the primary concern is patchability. Secure Boot relies on certificate-based revocation lists to block compromised bootloaders. If a device can no longer accept updates to those lists, newly discovered vulnerabilities could remain unaddressed at the firmware level.
“This isn’t about machines bricking overnight,” remarked an enterprise IT consultant familiar with the rollout. “It’s about long-term maintainability and trust. If your firmware trust anchor expires and isn’t renewed, you’re essentially frozen in time.”
Why the Change Is Happening Now
Certificate expiration dates are predetermined at the time of creation. The 2011 certificates were issued with a lifespan of approximately 15 years, which was standard practice at the time. Microsoft has been preparing its OEM partners for this transition for years. Major manufacturers, including Dell, HP, Lenovo, ASUS, and Microsoft, have already published guidance or firmware updates for supported systems.
Devices manufactured since 2024—and nearly all systems shipped in 2025—already come equipped with the new 2023 Secure Boot certificates embedded in their firmware. The primary challenge lies with older systems, particularly those originally shipped with Windows 8 or Windows 10.
How Most PCs Will Get Updated
For the vast majority of users running supported versions of Windows with Secure Boot enabled, the transition will occur automatically through Windows Update. UEFI-based systems store Secure Boot data within non-volatile RAM (NVRAM), a small region of firmware storage that persists between boots. Windows can update this NVRAM data without necessitating a complete BIOS rewrite.
However, complications may arise if:
- NVRAM is full or fragmented.
- Firmware contains update bugs.
- Secure Boot is disabled.
- The system is running an unsupported Windows version.
Linux systems utilizing LVFS (Linux Vendor Firmware Service) may also receive certificate updates through firmware tools, reflecting the broader industry impact beyond Windows environments.
How to Check If Your PC Is Updated
Microsoft recommends using PowerShell to verify the active Secure Boot database. To check if your PC is already utilizing the 2023 certificates:
- Open PowerShell or Terminal as Administrator.
- Run the following command:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
If it returns True, your system is already using the new certificate.
To check if the new certificates are embedded in firmware defaults:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')
If this returns True, the updated certificates are built into your BIOS/UEFI firmware. Older systems may display “False” for the second check, indicating that a BIOS update could still be advantageous.
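The two one-liners above answer one question each. The script below is an added example, not a Microsoft-published script, that folds them into a single report: it also confirms Secure Boot is actually enforcing (the "Secure Boot is disabled" complication from the previous section blocks the automatic rollout) and checks for the 2011 CA so you can tell a machine that has simply not been updated from one running a custom key set. It assumes the built-in SecureBoot module (Get-SecureBootUEFI, Confirm-SecureBootUEFI) and an elevated session; the only certificate names it looks for are the "Windows UEFI CA 2011" and "Windows UEFI CA 2023" subject strings named in this article.

```powershell
#Requires -RunAsAdministrator
# Added example (not a Microsoft script): report which Microsoft boot CAs this PC trusts.
# Uses only the built-in SecureBoot module; run from an elevated PowerShell on a UEFI system.

function Test-UefiVariableContains {
    param(
        [Parameter(Mandatory)] [string] $Name,     # Secure Boot variable: db, dbDefault, KEK ...
        [Parameter(Mandatory)] [string] $Pattern   # certificate subject text to look for
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    } catch {
        return $null   # variable not present (legacy BIOS mode, or firmware ships no defaults)
    }
    # Subject names are stored as ASCII inside the DER certificates held in the variable,
    # so a substring match on the raw bytes is enough to see which CAs are enrolled.
    return [bool]([System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Pattern))
}

function Get-SecureBootCertificateReport {
    # Confirm-SecureBootUEFI throws when the platform does not support Secure Boot at all.
    $enabled = $false
    try { $enabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    $db2011  = Test-UefiVariableContains -Name db        -Pattern 'Windows UEFI CA 2011'
    $db2023  = Test-UefiVariableContains -Name db        -Pattern 'Windows UEFI CA 2023'
    $def2023 = Test-UefiVariableContains -Name dbDefault -Pattern 'Windows UEFI CA 2023'

    $verdict = if (-not $enabled) {
        'Secure Boot is disabled; Windows Update cannot roll the certificates until it is enabled in firmware.'
    } elseif ($db2023 -and $def2023) {
        'Up to date: the 2023 CA is in the active db and in the firmware defaults.'
    } elseif ($db2023) {
        'Active db has the 2023 CA but the firmware defaults do not; a vendor BIOS/UEFI update is still worthwhile.'
    } elseif ($db2011) {
        'Only the 2011 CA is trusted; keep Windows Update and firmware updates flowing before the 2026 expiry.'
    } else {
        'Neither Microsoft Windows CA was found in db; the system may use a custom key set (check with its owner).'
    }

    [pscustomobject]@{
        SecureBootEnabled  = $enabled
        DbHasWindowsCA2011 = $db2011
        DbHasWindowsCA2023 = $db2023
        DbDefaultHasCA2023 = $def2023
        Verdict            = $verdict
    }
}

Get-SecureBootCertificateReport | Format-List
```

A `$null` in any of the three certificate fields means the variable itself could not be read, which on a machine booted in legacy BIOS mode is expected; on a UEFI machine it is worth a closer look. For a fleet, drop the final `Format-List` and collect the objects from each host instead.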
Systems Most at Risk
The systems most likely to encounter difficulties include:
- PCs running unsupported Windows versions.
- Devices not enrolled in Windows 10 Extended Security Updates (ESU).
- Machines with Secure Boot disabled.
- Enterprise-managed systems with restricted update policies.
- Older consumer laptops that no longer receive firmware updates.
Consumers using Windows 10 must enroll in Microsoft’s Extended Security Updates program to continue receiving relevant updates beyond general support timelines. Enterprise administrators face a more intricate scenario, as organizations often manage Secure Boot keys manually or deploy custom boot chains for various purposes. Such environments may require testing prior to certificate rotation.
BitLocker and Reset Considerations
In certain instances, users may need to reset Secure Boot keys within the BIOS to free up NVRAM space. However, systems employing BitLocker encryption require special attention. Resetting Secure Boot keys can trigger BitLocker recovery mode, so users should ensure they have their BitLocker recovery key accessible before making firmware changes. Failure to do so could temporarily restrict access to encrypted drives.
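Before touching the Secure Boot keys, a practitioner wants two things: proof that a recovery password exists for every protected volume, and a way to avoid the recovery prompt altogether. The script below is an added example, not part of Microsoft's guidance, using only the built-in BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Suspend-BitLocker). It lists the recovery password for each protected volume so it can be stored off the device, and, with the optional switch, suspends protection for exactly one reboot so the changed boot measurements caused by the key reset do not lock the drive. The function and switch names are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from Microsoft's guidance): before resetting Secure Boot keys in firmware,
# confirm every BitLocker volume has a recovery password you can reach from another device,
# and optionally suspend protection for a single reboot so the changed boot measurements do not
# leave the PC at the recovery prompt. Uses only the built-in BitLocker module cmdlets.

function Get-BitLockerRecoveryReadiness {
    param(
        [switch] $AddMissingProtector,   # create a recovery password where a volume has none
        [switch] $SuspendForOneReboot    # Suspend-BitLocker -RebootCount 1 on each protected volume
    )

    $volumes = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }
    if (-not $volumes) {
        Write-Host 'No BitLocker-protected volumes; a Secure Boot key reset will not trigger recovery.'
        return
    }

    foreach ($vol in $volumes) {
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        if ($recovery.Count -eq 0 -and $AddMissingProtector) {
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            $recovery = @((Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        }

        if ($recovery.Count -eq 0) {
            Write-Warning "$($vol.MountPoint): no recovery password protector. Do not change firmware keys until one exists."
            continue
        }

        foreach ($rp in $recovery) {
            # KeyProtectorId is what the recovery screen displays; RecoveryPassword is the 48-digit key.
            # Emit objects so the operator can pipe them to removable media or a password manager,
            # never to a file on the volume being protected (it is unreadable when recovery is needed).
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                KeyProtectorId   = $rp.KeyProtectorId
                RecoveryPassword = $rp.RecoveryPassword
            }
        }

        if ($SuspendForOneReboot) {
            Suspend-BitLocker -MountPoint $vol.MountPoint -RebootCount 1 | Out-Null
            Write-Host "$($vol.MountPoint): BitLocker suspended for one reboot; protection re-arms automatically afterwards."
        }
    }
}

# Typical use: record the keys off-device first, then suspend for the firmware change.
# Get-BitLockerRecoveryReadiness -AddMissingProtector -SuspendForOneReboot | Format-Table -AutoSize
```

Suspending for one reboot is deliberate: the volume stays encrypted and the TPM simply re-seals to the new boot measurements on the next start, so the window in which the drive is unlocked without a protector is limited to that single boot. Domain- or Entra-joined machines should additionally back the recovery password up to their directory with the corresponding Backup-BitLockerKeyProtector or BackupToAAD-BitLockerKeyProtector cmdlet.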
A Broader Industry Shift
The renewal of Secure Boot certificates affects more than just Windows PCs; UEFI Secure Boot is widely utilized across modern computing devices, including servers and select Linux distributions. Security experts highlight that this rotation signifies a broader industry movement toward shorter cryptographic lifecycles and more agile trust models. As firmware-level attacks grow increasingly sophisticated, the ability to revoke and replace compromised boot components becomes essential.
The Long-Term Outlook
For most consumers, the transition in June 2026 will be uneventful, provided their systems are fully updated. However, devices that fail to update may gradually lag behind, unable to adopt newer operating systems, receive boot-level mitigations, or interact seamlessly with modern hardware.
As Costa noted in Microsoft’s advisory, the certificate update “ensures that future innovations in hardware, firmware, and operating systems can continue to build on a secure, industry-aligned boot process.” This situation serves as a reminder that even the most inconspicuous components of the computing stack—like firmware certificates created 15 years ago—have lifecycles that eventually require attention.
For users, the best course of action is straightforward: keep Windows updated, install firmware updates when available, and verify that Secure Boot remains enabled. For IT departments, the upcoming months may necessitate audit checks, update validation, and careful coordination across fleets of devices. The clock is indeed ticking toward June.