certificate updates

Winsage
June 29, 2026
Major PC manufacturers, including HP, Dell, ASUS, Lenovo, MSI, Acer, Samsung, LG, and Microsoft’s Surface division, have provided guidance on transitioning to new Secure Boot certificates as the expiration of Microsoft’s 2011 certificates approaches. The expiration will occur in three phases: Microsoft Corporation KEK CA 2011 expired on June 24, 2026; Microsoft UEFI CA 2011 expired on June 27, 2026; and Microsoft Windows Production PCA 2011 is set to expire on October 19, 2026. Microsoft has begun rolling out replacement certificates through Windows Update, contingent on OEMs providing compatible BIOS updates. ASUS offers detailed documentation for both consumer and commercial devices, confirming that most users will receive updates automatically. Lenovo provides direct download links for BIOS updates organized by product family and specifies which products will not receive updates. Dell's support article covers its entire product lineup, noting that devices with an End of Service Life before January 1, 2026, will not receive updates. HP outlines a dual-track approach for updates, with specific timelines for commercial PCs. Microsoft's Surface devices receive updates directly from Microsoft, while MSI categorizes guidance based on processor generation for its laptops. Acer emphasizes backing up the BitLocker recovery key and provides a model table for confirmed BIOS release dates. Samsung confirms that all PCs running Windows 10 or 11 will function normally post-expiration, but security updates will cease. LG has released a guide for checking BIOS updates for its PCs. To verify if a PC has the 2023 certificates, users can check the Secure Boot section in Windows Security. A green checkmark indicates successful application, while yellow or red icons indicate pending updates or incompatibility. Microsoft has pushed the certificates to all eligible devices as of June 2026.
Winsage
May 26, 2026
Secure Boot is a security mechanism that authenticates firmware-based software through trusted certificates during the startup process of Windows, preventing unauthorized code execution. It is part of the UEFI firmware standard and was introduced in 2011 to allow only verified, signed code to run at startup. Microsoft first implemented Secure Boot certificates in 2011 as an optional feature in Windows 8, and it remained optional in Windows 10. However, it became a mandatory requirement with the launch of Windows 11 in 2021, indicating the widespread adoption of UEFI systems.
Winsage
May 21, 2026
Users have observed a new folder named “SecureBoot” in the Windows system folder following the installation of Windows 11's May update (KB5089549). This update may cause installation issues for some devices and introduces a directory that contains example scripts for IT professionals to manage Secure Boot certificate updates. Windows Secure Boot certificates are set to expire next month, and outdated certificates will lead to loss of support starting in June, potentially compromising Secure Boot functionality. Microsoft is distributing new certificates through Windows Update. The SecureBoot folder does not require individual users to take action, and deleting it is discouraged as it may cause complications with future Windows updates.
Winsage
May 10, 2026
Microsoft is implementing changes to Secure Boot certificates for Windows PCs, marking the first expiration since 2011. New certificates must be installed on all devices before a deadline in June. Users can check their status via the Windows Security App. The new certificates will be distributed through regular monthly security updates, with some users already receiving them in April and others expected to see changes in May. Following these updates, users may experience additional restarts on their PCs. The update applies only to PCs eligible for security updates, meaning many Windows 10 PCs will not receive the new certificates, potentially exposing them to risks. Affected users are advised to enroll in Microsoft’s Extended Security Update (ESU) program.
Winsage
May 5, 2026
Upon installing the April 2026 Patch Tuesday update, some users experienced two or three reboots, which Microsoft confirmed is intentional due to the installation of Secure Boot 2023 certificates. This behavior is expected for a limited number of devices and is part of the Secure Boot update process. The Secure Boot certificates are replacing older ones issued in 2011, set to expire in June 2026. Users can check their Secure Boot status in the Windows Security app, which indicates the status with green, yellow, or red badges. A green badge means the system is up to date, while yellow and red badges indicate issues with certificate updates. Microsoft is managing Secure Boot certificates on modern PCs, but older machines without OEM support may struggle to receive updates due to firmware limitations.
Winsage
April 22, 2026
Microsoft is set to expire the Secure Boot authentication certificates that protect Windows PCs from threats upon each restart, with this initiative beginning in April 2023. The update will install new certificates and confirm if user action is necessary, with all devices expected to have the update by the end of April 2026. Users can check their Secure Boot status in Windows Security, where a badge system indicates the status. If the certificates expire, users may be at risk of boot-level malware. Microsoft is enhancing visibility of Secure Boot certificate status to aid user awareness. Users should check their PC by the end of the month to ensure it is updated.
Search