Refreshing the root of trust: industry collaboration on Secure Boot certificate updates

February 11, 2026

Secure Boot stands as a cornerstone of security within the Windows and Windows Server environments, safeguarding devices from the moment they are powered on. Since its inception in 2011, Secure Boot has operated at startup, prior to the loading of Windows, ensuring that only boot software signed by a key the firmware trusts is permitted to execute. By intercepting untrusted code at the earliest phase of the boot process, Secure Boot fortifies defenses against bootkits and other low-level threats that may otherwise evade detection.

This trust is upheld through certificates embedded in a PC’s firmware: the Key Exchange Key (KEK), which authorizes changes to the signature databases, and the allowed-signature database (db), which holds the certificates used to verify boot components. After 15 years of steadfast service, the original Microsoft Secure Boot certificates issued in 2011 are approaching the conclusion of their planned lifecycle, with expiration set to commence in late June 2026.

As the landscape of cryptographic security evolves, it becomes essential to periodically refresh certificates and keys to uphold robust protection. The retirement of outdated certificates and the introduction of new ones is a standard practice within the industry, aimed at preventing aging credentials from becoming vulnerabilities while aligning platforms with contemporary security standards.

New certificates have begun to roll out as part of the regular monthly Windows updates for supported Windows devices, catering to home users, businesses, and educational institutions utilizing Microsoft-managed updates. Organizations also retain the flexibility to oversee the update process independently using their preferred management tools.

Microsoft and device ecosystem preparation

The introduction of new certificates signifies one of the most extensive coordinated security maintenance initiatives across the Windows ecosystem, encompassing Windows servicing, firmware updates, and millions of unique device configurations supplied by hardware manufacturers, or original equipment manufacturers (OEMs), globally. Given that Secure Boot functions at the firmware level and influences how a PC initiates, meticulous preparation has been necessary to minimize disruptions while ensuring security and device reliability on a large scale.

This endeavor involved close collaboration with device manufacturers and firmware providers responsible for the Unified Extensible Firmware Interface (UEFI), adhering to a standards-based approach. Efforts also included enhancing servicing capabilities and tools to facilitate a gradual, monitored deployment, alongside firmware improvements to guarantee the safe application of certificate updates.

Our ecosystem partners play a pivotal role in the transition to the new Secure Boot certificates. OEMs have been equipping new devices with updated certificates, and many of the PCs produced since 2024, along with nearly all devices shipped in 2025, already incorporate these certificates, requiring no action from customers. OEM partners have also collaborated closely with our engineering teams to ensure that in-market devices can seamlessly apply the updates, providing their own guidance to assist customers in preparing for the transition. Insights from our OEMs offer further perspective:

“Security is integral to everything we build at Dell Technologies, and Secure Boot safeguards are critical to maintaining device trust. We collaborated early with Microsoft’s engineering teams to prepare a smooth transition process for our customers. We planned for real-world needs – from tightly managed fleets in regulated industries to resilient systems at the edge – so customers across use cases have a clear migration path. This complex, large-scale effort provides organizations with a well-supported Secure Boot transition that strengthens device security.” – Rick Martinez, Dell Fellow and Vice President, CTO Security, Dell Technologies.

“HP is working closely with Microsoft to ensure firmware updates are available so that all supported HP PCs running Windows 11 can adopt the new Secure Boot certificates before legacy certificates expire. We are also working closely with our customers to ensure that their business operations are not impacted and they are prepared with the right level of validation and controls. Our collaboration supports continued trust, minimizes disruption, and reinforces our joint focus on security.” – Vali Ali, HP Fellow and Chief Technologist, Security and Privacy, HP Inc.

“Preparing for the Secure Boot certificate expiration has been a coordinated effort between Lenovo and Microsoft across multiple teams. By working closely throughout the planning, testing, and rollout phases, we’re helping ensure customers stay protected, informed, and supported – without interruption to their business.” – Tom Butler, VP Worldwide Commercial Portfolio and Product Management, Lenovo PC.

What happens when the certificates expire?

If a device does not receive the new Secure Boot certificates before the expiration of the 2011 certificates, the PC will continue to operate normally, and existing software will remain functional. UEFI firmware does not check certificate validity dates when it verifies a boot component’s signature, so nothing already installed stops booting. However, the device will enter a degraded security state: once the 2011 certificates expire, Microsoft can no longer sign new boot components or revocation (DBX) updates under them, so a device that trusts only the 2011 certificates loses its capacity to receive future boot-level protections.

As new boot-level vulnerabilities are identified, affected systems become increasingly exposed, because they will be unable to install new mitigations signed with the 2023 certificates. Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware, or Secure Boot-dependent software signed only under the new certificates may fail to load.

It is crucial to note that devices running unsupported versions (Windows 10 and older, excluding those enrolled in Extended Security Updates) will not receive Windows updates and will not obtain the new certificates. We continue to advocate for customers to utilize a supported version of Windows for optimal performance and protection. For further information, please refer to Windows 11 Specs and System Requirements and note that support for Windows 10 ended on October 14, 2025.

What actions do users need to take?

For the majority of individuals and businesses that permit Microsoft to manage PC updates, the new certificates will be installed automatically through the regular monthly Windows update process, requiring no additional action. However, certain specialized systems, such as specific server or IoT devices, may follow different update processes and should be assessed as part of deployment planning. For a small fraction of devices, a separate firmware update from the device manufacturer may be necessary before the system can apply the new Secure Boot certificates delivered via Windows Update. To prepare, we recommend customers check their OEM support pages to ensure they have the latest firmware updates.

In the coming months, users will find messages regarding the certificate update status in the Windows Security app, allowing consumers to monitor the certificate updates more closely. For more details, refer to Windows devices for home users, businesses, and schools with Microsoft-managed updates.

For organizations, the new certificates will be delivered through the regular monthly Windows updates, provided that devices supply sufficient diagnostic data for Microsoft to validate that their firmware is ready to apply the update safely.

In scenarios where devices cannot be confidently validated through this approach, organizations should plan to deploy and monitor the new certificates using the IT administrator playbook and their existing management tools.
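The two preceding sections say what expires and that administrators should validate readiness with their own tooling, but the post does not show what that validation looks like. The following PowerShell script is an added example and is not code from Microsoft or from the original post. It parses the firmware’s KEK and db variables into their EFI_SIGNATURE_LIST entries, lists every X.509 certificate with its expiry date, and reports whether the published 2023 certificate names (Microsoft Corporation KEK 2K CA 2023, Windows UEFI CA 2023, Microsoft UEFI CA 2023, Microsoft Option ROM UEFI CA 2023) are already present. It assumes an elevated session on a UEFI system with the built-in SecureBoot module; the function names and the 180-day warning window are the author’s own choices.

```powershell
# Added example, not code from the original post: enumerate the X.509 certificates held in the
# firmware's KEK and db Secure Boot variables, show when each expires, and report whether the
# 2023 certificates are already present. Run from an elevated PowerShell session on a UEFI
# machine; Get-SecureBootUEFI needs administrator rights and throws on legacy BIOS systems.

# Subject common names of the 2023 certificates as published by Microsoft.
$Expected2023 = @{
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
    db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
}

function Get-EfiSignatureCertificate {
    # Walks the EFI_SIGNATURE_LIST structures that make up a Secure Boot variable and emits one
    # object per X.509 entry. Layout per the UEFI specification: SignatureType GUID (16 bytes),
    # SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32 each), an optional header,
    # then SignatureSize-byte entries of SignatureOwner GUID (16 bytes) followed by DER bytes.
    # Hash-type lists (for example SHA-256 entries) are skipped because they carry no certificate.
    param([Parameter(Mandatory)][byte[]]$Bytes, [Parameter(Mandatory)][string]$Store)

    $X509Type = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]($Bytes[$offset..($offset + 15)]))
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST in $Store at offset $offset"
        }
        if ($type -eq $X509Type) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while (($pos + $sigSize) -le $end -and $sigSize -gt 16) {
                $der  = [byte[]]($Bytes[($pos + 16)..($pos + $sigSize - 1)])
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Store      = $Store
                    Subject    = $cert.GetNameInfo('SimpleName', $false)   # the subject CN
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Test-SecureBootCertReadiness {
    # Returns the certificate inventory plus a readiness verdict for the 2023 transition.
    param([int]$WarnWithinDays = 180)

    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is disabled; the certificate update cannot take effect until it is enabled.'
        return $null
    }

    $certs = foreach ($store in 'KEK', 'db') {
        Get-EfiSignatureCertificate -Bytes (Get-SecureBootUEFI -Name $store).Bytes -Store $store
    }

    $now = Get-Date
    $report = foreach ($c in $certs) {
        $gen = 'other'
        if ($c.Subject -match '2023') { $gen = '2023' } elseif ($c.Subject -match '2011') { $gen = '2011' }
        [pscustomobject]@{
            Store        = $c.Store
            Subject      = $c.Subject
            NotAfter     = $c.NotAfter
            Generation   = $gen
            Expired      = $c.NotAfter -lt $now
            ExpiringSoon = ($c.NotAfter -ge $now) -and ($c.NotAfter -le $now.AddDays($WarnWithinDays))
        }
    }

    # A device is ready only when every expected 2023 certificate sits in the right store.
    $missing = foreach ($store in $Expected2023.Keys) {
        foreach ($cn in $Expected2023[$store]) {
            if (-not ($report | Where-Object { $_.Store -eq $store -and $_.Subject -eq $cn })) { "$store/$cn" }
        }
    }
    $missing = @($missing)
    [pscustomobject]@{ Certificates = $report; Missing2023 = $missing; Ready = ($missing.Count -eq 0) }
}

$result = Test-SecureBootCertReadiness
if ($result) {
    $result.Certificates | Sort-Object Store, NotAfter |
        Format-Table Store, Subject, NotAfter, Generation, Expired, ExpiringSoon -AutoSize
    if ($result.Ready) {
        Write-Host 'All 2023 Secure Boot certificates are present in KEK and db.'
    } else {
        Write-Warning ('Missing 2023 certificates: ' + ($result.Missing2023 -join ', ') +
            '. Apply the latest monthly Windows update and the OEM firmware update, then re-run.')
    }
}
```

Parsing the signature lists rather than grepping the raw variable bytes for a name string gives you the actual NotAfter dates, which is what makes the expiry timeline in the previous section visible per device, and it lets the same inventory be exported from fleet management tooling for the devices that cannot be validated through Microsoft’s diagnostic-data path. On a device where Secure Boot is enabled but the 2023 certificates are absent, the next steps are the ones the post lists: install the latest monthly update, check the OEM support page for a firmware update, and re-run the check.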

What is next and support

We are rolling out these new certificates in collaboration with our ecosystem partners through a careful, phased approach informed by extensive testing, a data-driven rollout, and coordination with device manufacturers. Despite this, given the diversity of device models, firmware versions, and usage scenarios, a limited number of devices may require additional support during the update process.

If individuals or organizations encounter issues, assistance is readily available. Here are the initial steps to take should you face a challenge:

  • Ensure devices are running the latest monthly Windows updates.
  • Check that the latest firmware version is installed by visiting your OEM’s support page.
  • If these steps do not resolve the issue, contact support:
    • Device owners using Windows Personal and Family accounts can leverage online support channels and phone numbers.
    • Enterprise customers can rely on Microsoft’s existing IT support channels and documentation to facilitate a smooth update. For authoritative documentation and the latest guidance, visit aka.ms/getsecureboot.

Microsoft and device manufacturers have prepared both consumer and commercial support teams with specific guidance related to Secure Boot certificate updates and are poised to assist customers.

A secure foundation for the future

The Secure Boot certificate update signifies a generational refresh of the trust foundation that modern PCs depend on at startup. By renewing these certificates, the Windows ecosystem is ensuring that future innovations in hardware, firmware, and operating systems can continue to build upon a secure, industry-aligned boot process.

Security at this level is not a one-time event but an ongoing responsibility shared across Microsoft and the broader PC ecosystem. Throughout this initiative, we have valued the collaboration from device manufacturers and firmware partners to support an efficient and safe deployment. This collaboration has emphasized proactive planning, transparency, and the provision of visibility, tools, and guidance that customers need to navigate the transition with confidence.

With this update in progress, customers can anticipate that Secure Boot will remain a reliable and resilient security foundation for Windows devices, supporting both current systems and the next generation of PCs.
