In June 2025, Microsoft announced that the Secure Boot certificates it issued in 2011, which are trusted by the firmware of Windows systems, would start expiring in June 2026. They have been superseded by 2023 counterparts.
As the clock counts down, it’s time to do some housecleaning to prevent potential issues later this year. If your system is managed by your company or school, your system administrators should be handling the process, which differs from the one for personal computers.
What are the certificates for?
Together, these certificates let the firmware verify that a system’s initial boot components, the software loaded directly by the firmware before Windows starts, haven’t been tampered with. They live in the firmware’s Secure Boot variables: the Key Exchange Key (KEK), which authorizes changes to the other variables, and the signature database (db), which lists the certificates that boot software must be signed by.
They’re used by Secure Boot, a feature of the Unified Extensible Firmware Interface (UEFI) firmware found on all modern Windows PCs; it has been enabled by default on systems that shipped with Windows 8 or later, and can be turned on or off in the firmware settings. A failed signature check doesn’t necessarily mean that malicious code is being loaded, just that the system can’t rule it out.
When is this happening?
The certificates begin expiring in June 2026, with the last of them expiring in October 2026.
Which versions of Windows does this apply to?
Generally, this will apply to all versions of Windows 10 1607 or later and Windows 11. (You can find detailed lists on Microsoft’s site.) But to receive the certificate updates for Windows 10, you need to have enrolled in the Extended Security Updates program.
What do I need to do?
Probably nothing. In a lot of cases, they’re already current: Windows updates them automatically as long as Secure Boot is enabled and the system is receiving Windows updates, and the automatic rollout is slated to continue through the year.
Still, you may want to verify by checking the current version.
Unlike the unstoppable virus definition updates, though, the certificate updates ride on the normal, pauseable Windows Update process. They aren’t firmware (BIOS) updates as such: Windows writes the new certificates into the firmware’s Secure Boot variables at boot, although some manufacturers also ship them as part of a BIOS/UEFI update. How to see the current state differs by system, so you may have to do some poking around.
The updates began rolling out in 2024, so a recent BIOS/UEFI version is a good sign, but not a guarantee that the new certificates are present. (Paste msinfo32 into the search field of the Windows start menu, and the BIOS version and date are listed there, for instance.) The reliable check is to read the firmware’s Secure Boot variables directly, which Windows lets you do from an administrator PowerShell prompt.
If you’ve been adjusting settings to reduce how often Windows updates, make sure you haven’t skipped them. If Secure Boot is disabled, Windows won’t have updated them either, because it only writes to the Secure Boot variables when the feature is on.
If you’ve got a system that you haven’t turned on in a while, it’s probably worth booting and making it current just to avoid future problems.
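The check described above, as an added example that is not from the original article or from Microsoft: run it from an elevated (administrator) PowerShell prompt on a UEFI-based Windows 10 or 11 PC. It assumes the Secure Boot cmdlets are available (they are part of Windows), that the certificate names below are the subject names Microsoft uses for the 2011 and 2023 certificates, and that the registry value and event IDs are the ones Microsoft’s certificate-update guidance documents (UEFICA2023Status; TPM-WMI events 1801 for “needs update” and 1808 for “updated”). The function Test-SecureBootCertStore is a helper written for this example.

```powershell
# Added example: report the Secure Boot certificate state of this PC.
# Requires an elevated prompt; Get-SecureBootUEFI reads UEFI variables.

# 1. Is Secure Boot enabled? Windows only updates the certificate stores when it is.
$secureBootOn = $false
try {
    $secureBootOn = Confirm-SecureBootUEFI
} catch {
    Write-Warning "Secure Boot is not available (legacy BIOS or unsupported firmware): $_"
}
"Secure Boot enabled: $secureBootOn"

# 2. Search a Secure Boot variable (db or KEK) for certificate subject names.
#    The variables are binary signature lists whose embedded X.509 certificates
#    carry their subject names as printable ASCII, so a substring match is enough
#    to tell whether a given CA is present. (Helper written for this example.)
function Test-SecureBootCertStore {
    param(
        [Parameter(Mandatory)] [string]   $Store,   # 'db' or 'KEK'
        [Parameter(Mandatory)] [string[]] $Names    # certificate subject names to look for
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Store).Bytes
    } catch {
        Write-Warning "Could not read UEFI variable '$Store': $_"
        return
    }
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    foreach ($name in $Names) {
        [pscustomobject]@{
            Store       = $Store
            Certificate = $name
            Present     = [bool]($text -match [regex]::Escape($name))
        }
    }
}

$results = @()
$results += Test-SecureBootCertStore -Store 'db' -Names @(
    'Windows UEFI CA 2023',                  # signs the Windows boot manager
    'Microsoft UEFI CA 2023',                # signs third-party boot loaders (e.g. Linux shim)
    'Microsoft Option ROM UEFI CA 2023',     # signs option ROMs (graphics cards, NICs)
    'Microsoft Windows Production PCA 2011'  # 2011 certificate, expires October 2026
)
$results += Test-SecureBootCertStore -Store 'KEK' -Names @(
    'Microsoft Corporation KEK 2K CA 2023',
    'Microsoft Corporation KEK CA 2011'      # 2011 certificate, expires June 2026
)
$results | Format-Table -AutoSize

# 3. Windows' own record of the rollout on this machine:
#    NotStarted, InProgress or Updated (absent on systems the rollout hasn't reached).
$servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$status = (Get-ItemProperty -Path $servicingKey -ErrorAction SilentlyContinue).UEFICA2023Status
if ($status) { "UEFICA2023Status: $status" } else { "UEFICA2023Status: not present" }

# 4. Recent Secure Boot servicing events in the System log.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-TPM-WMI'
    Id           = 1801, 1808
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

A healthy, already-updated PC shows Present = True for the three 2023 db certificates and the 2023 KEK certificate, and UEFICA2023Status of Updated. The 2011 entries may still show as present; they are not removed when the new ones are added. If the 2023 KEK entry is missing while the db entries are present, the firmware’s KEK update is still pending, which depends on a payload signed by your PC’s manufacturer.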
What if they’re not current?
If Secure Boot is enabled and Windows Update has run but the certificates still aren’t current, you’ll probably need to find instructions for your particular computer or motherboard (if you’ve built your own), since the KEK update in particular depends on a payload signed by the manufacturer. Microsoft provides links for a handful of manufacturers.
What happens if I don’t update?
Expired certificates will definitely prevent Windows from keeping boot-time security features and databases current, which may open your system up to vulnerabilities: once the 2011 certificates expire, Microsoft can no longer sign new boot managers or revocation-list (dbx) updates with them, so a system that still trusts only those certificates stops receiving boot-level security fixes. What expiry does not do is stop the system from booting. UEFI firmware doesn’t check certificate expiry dates, so boot components that were signed while the certificates were valid keep verifying and keep running.
With Secure Boot enabled, the firmware does refuse to run boot software that isn’t signed by a certificate in its database, so new boot software signed only with the 2023 certificates would be rejected by a system that lacks them. Beyond that, other layers of Windows decide how to respond to the certificate state. The response can be anything from a notification in Event Viewer to a change in boot measurements that affects software such as Windows’ BitLocker disk encryption, which can ask for its recovery key when the Secure Boot configuration changes; what happens depends on what’s installed on your system and which Windows features are enabled.
An enterprise-managed laptop, for example, tends to have multiple layers of security, which may prevent you from doing almost anything until the certificates are current, while a personal system may just give a metaphorical shrug. And if Secure Boot is disabled, nothing about booting should change, though such a system has no boot integrity protection at all.
