Microsoft Refreshes Secure Boot Root of Trust Certificates

Microsoft is taking proactive steps to enhance firmware-level security across its Windows ecosystem by refreshing Secure Boot certificates ahead of their expiration in June 2026. This initiative is crucial for maintaining robust boot protections on supported Windows devices, ensuring that users continue to benefit from a secure computing environment.

As part of this transition, most systems will automatically receive the new certificates through Windows Update. However, certain older or specialized devices may require a firmware update from the original equipment manufacturer (OEM) before the new certificates can be installed; without it they fall into a degraded security state. Devices that do not receive the update will still boot, but they will gradually lose access to critical boot-level mitigations and future compatibility improvements.

How the rollout of new Secure Boot certificates works

The deployment of the new Secure Boot certificates has already commenced, coinciding with the regular monthly Windows updates for supported versions of Windows. This rollout is applicable to home users, businesses, and educational institutions utilizing Microsoft-managed updates. Organizations that prefer to manage updates independently can leverage their existing tools, such as Group Policy and enterprise management platforms, to control the process.

This initiative extends beyond a simple Windows update. Given that Secure Boot functions at the firmware level, Microsoft has collaborated closely with OEMs, firmware vendors, and the broader UEFI ecosystem to ensure a seamless transition at scale. Many devices produced since 2024, and nearly all systems shipped in 2025, are already equipped with the updated certificates, requiring no additional action from administrators.

For a limited number of systems, a firmware update from the device manufacturer may be necessary before the new certificates can be applied. Microsoft recommends that organizations consult OEM support documentation and verify that devices are running the latest firmware.

What happens if systems aren’t updated with the new Secure Boot certificates?

Devices that fail to receive the refreshed Secure Boot certificates prior to the expiration of the old ones will continue to function normally. However, they will enter a degraded security state. While existing protections will remain intact, these systems will be unable to adopt new Secure Boot mitigations as additional vulnerabilities are identified.

Over time, this could heighten exposure to emerging threats and potentially lead to compatibility issues with newer operating systems, firmware updates, hardware, or software reliant on Secure Boot. Notably, unsupported operating systems, including Windows 10 systems not enrolled in Extended Security Updates, will not receive the new certificates.

What IT admins should do now

For most organizations, the primary focus should be on validation rather than intervention. It is essential to ensure that Windows Update or the chosen update management solution is effectively deploying the latest monthly updates. Additionally, confirming that device firmware is current, especially for older hardware or specialized systems such as servers and embedded devices, is crucial.
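One way to perform that validation on a single device, as an added example that is not from the article or from Microsoft: the PowerShell script below reads the UEFI Secure Boot variables with the built-in Get-SecureBootUEFI cmdlet, walks the EFI_SIGNATURE_LIST structures they contain, and lists every X.509 certificate with its expiry date, warning when a store holds no certificate valid past a cutoff. The function names, the choice of the PK, KEK and db stores, and the 2026-06-30 cutoff are assumptions of the example; the cutoff mirrors the June 2026 expiry the article cites.

```powershell
# Added example, not part of the article: list the X.509 certificates stored in
# the UEFI Secure Boot variables (PK, KEK, db) and flag any that expire before a
# cutoff date, so an admin can verify whether the refreshed CAs have landed.
# Requires an elevated PowerShell prompt on a UEFI device; Confirm-SecureBootUEFI
# and Get-SecureBootUEFI ship with Windows (SecureBoot module).

# GUID identifying an X.509 entry inside an EFI_SIGNATURE_LIST (EFI_CERT_X509_GUID).
$script:EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-UefiSignatureCertificates {
    # Walks the EFI_SIGNATURE_LIST structures in one Secure Boot variable and
    # returns an object per X.509 certificate found (hash-type lists are skipped).
    param([Parameter(Mandatory)][string]$VariableName)

    $bytes  = [byte[]](Get-SecureBootUEFI -Name $VariableName).Bytes
    $offset = 0
    while ($offset -lt $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes), then
        # SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32 each).
        $sigType    = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -eq 0) { throw "Malformed signature list in $VariableName at offset $offset" }

        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        if ($sigType -eq $script:EfiCertX509Guid) {
            while ($pos -lt $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) followed by the DER certificate.
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $VariableName
                    Subject    = $cert.Subject
                    NotBefore  = $cert.NotBefore
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        $offset = [int]($offset + $listSize)
    }
}

function Test-SecureBootCertificateFreshness {
    # Prints every certificate found and returns those expiring on or before
    # $Cutoff. The default cutoff is a constructed value based on the June 2026
    # expiry the article mentions.
    param([datetime]$Cutoff = (Get-Date '2026-06-30'))

    try {
        if (-not (Confirm-SecureBootUEFI)) {
            Write-Warning 'Secure Boot is disabled; the stored certificates are not being enforced.'
        }
    } catch {
        throw 'This device does not expose UEFI Secure Boot variables (legacy BIOS or unsupported platform).'
    }

    $certs = 'PK', 'KEK', 'db' | ForEach-Object { Get-UefiSignatureCertificates -VariableName $_ }
    $certs | Sort-Object Variable, NotAfter | Format-Table Variable, Subject, NotAfter -AutoSize | Out-Host

    # KEK and db are the stores the refresh is about; warn if either holds
    # nothing that outlives the cutoff.
    foreach ($name in 'KEK', 'db') {
        $fresh = @($certs | Where-Object { $_.Variable -eq $name -and $_.NotAfter -gt $Cutoff })
        if ($fresh.Count -eq 0) {
            Write-Warning "$name holds no certificate valid beyond $($Cutoff.ToShortDateString()); check Windows Update status and OEM firmware."
        }
    }
    return @($certs | Where-Object { $_.NotAfter -le $Cutoff })
}

Test-SecureBootCertificateFreshness
```

The script only reports what the firmware's certificate stores contain; it does not tell you whether the boot manager on disk has been switched to a signature that chains to the new CAs, so treat a clean result as one input to validation rather than the whole answer. Run it through your management tooling across a fleet and the warnings point directly at the devices that still need a Windows Update cycle or an OEM firmware update.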

Microsoft characterizes this effort as a vital refresh of the platform’s root of trust. For IT teams, it serves as a reminder that firmware-level security is no longer a “set it and forget it” aspect of Windows defense, but rather an integral part of the modern patching lifecycle.
