Microsoft is set to initiate the rollout of new Secure Boot certificates through Windows Update starting in March 2026. This strategic update is aimed at millions of PCs, coinciding with the expiration of the original certificates from 2011, which will begin to phase out in June 2026 after serving over 15 years. This initiative underscores Microsoft’s commitment to maintaining robust security for users of Windows 11 and Windows 10 ESU.
What Is Secure Boot
To grasp the significance of this update, one must first understand the role of Secure Boot as a critical security feature. Introduced in 2011, Secure Boot acts as a protective barrier for Windows PCs, utilizing trusted certificates embedded in UEFI firmware to verify bootloaders. This process effectively prevents unauthorized applications from executing prior to the operating system’s launch, safeguarding systems from potentially harmful code. Given that many PCs manufactured since 2011 are equipped with Secure Boot, the impending certificate expiration will impact a substantial portion of Windows users. Additionally, Secure Boot is a prerequisite for Windows 11 installations and is leveraged by anti-cheat mechanisms in popular games such as Valorant and Call of Duty: Black Ops 6/7. The longevity of the original certificates highlights the foresight embedded within Windows’ security framework from its inception.
The Certificate Expiration Problem
Despite the solid foundation laid by Secure Boot, the certificates themselves are subject to an unavoidable expiration. The original certificates, which have been in place since the feature’s inception, will reach their end in June 2026. This marks a significant milestone, as it is the first instance of Secure Boot certificates expiring. The transition will see the introduction of four new certificates: Microsoft Corporation KEK 2K CA 2023, Microsoft UEFI CA 2023, Microsoft Option ROM UEFI CA 2023, and Windows UEFI CA 2023. These new certificates will replace the old ones, ensuring comprehensive coverage of the boot verification process.
Microsoft’s Solution
In response to this challenge, Microsoft has developed an automated strategy for distributing the new certificates. The updates for Windows 11 will incorporate the new certificate chain along with updated Windows Boot Manager binaries for eligible systems. The rollout of these new Secure Boot certificates is set to commence in March 2026, following preliminary distributions in February. Microsoft describes this update as a generational refresh of the foundational trust that modern PCs depend on during startup.
“The Secure Boot certificate update marks a generational refresh of the trust foundation that modern PCs rely on at startup. Refreshing new certificates represents one of the largest coordinated security maintenance efforts across the Windows ecosystem, spanning Windows servicing, firmware updates, and millions of unique device configurations.”
Microsoft
This phased approach prioritizes devices with a proven track record of successfully accepting updates, thereby minimizing the risk of installation failures. By learning from previous Windows update experiences, Microsoft aims to create a controlled environment to validate the certificate installation process across various hardware configurations.
Who Gets Updated
Not every Windows user will receive the update simultaneously. Microsoft has established specific criteria for eligibility, focusing on high-confidence devices with strong update histories. Newer PCs sold from 2024 are already equipped with the 2023 Secure Boot certificates, and many devices manufactured since then come pre-installed with these new certificates. However, the update process will vary among different systems. While many PCs will receive the new Secure Boot certificates automatically via Windows Update, some will require additional firmware updates from their OEMs.
“Security is integral to everything we build at Dell Technologies, and Secure Boot safeguards are critical to maintaining device trust. We collaborated early with Microsoft’s engineering teams to prepare a smooth transition process for our customers.”
Rick Martinez
Dell’s proactive involvement highlights a broader industry collaboration among PC manufacturers to facilitate this transition. The necessity for separate firmware updates on certain devices illustrates the complexity of managing security across the Windows ecosystem, where Microsoft oversees the operating system while OEMs maintain firmware-level access. Notably, devices running unsupported versions of Windows will not receive the new certificates, leaving users without ESU coverage on Windows 10 at risk of exclusion from this critical security update.
The Stakes
The implications of failing to secure this update extend beyond mere inconvenience. PCs that do not receive the new certificates will still boot but will operate in a diminished security state, offering limited protection against emerging vulnerabilities. This degradation could weaken defenses against exploits targeting early boot code, potentially leading to failures in loading certain software, drivers, and newer Windows operating systems over time. The gaming community, in particular, has a vested interest in this update, as Secure Boot is integral to anti-cheat software in popular titles.
Boot-level attacks pose a significant threat, executing before traditional operating system defenses are activated, allowing malicious entities to embed themselves within system firmware. Ensuring valid certificates is essential for maintaining the integrity of the boot process. The gradual decline in security and functionality creates escalating risks for users who postpone updates. Beyond immediate security concerns, expired certificates may lead to compatibility issues with anti-cheat software and future Windows versions, compelling users to take action.
This intersection of security needs and functional requirements provides Microsoft with multiple avenues to encourage adoption. Users on unsupported Windows versions will find themselves permanently outside this protective framework. Collectively, these factors underscore the magnitude of Microsoft’s security maintenance initiative. The certificate refresh is a necessary evolution in PC security infrastructure, with automatic updates commencing in March 2026 to ensure that users of supported Windows versions receive protection seamlessly. For those still operating on unsupported systems, the June 2026 deadline signifies a critical juncture, where security guarantees will cease, ushering in an era of heightened risk.
