Microsoft is warning Windows users and computer administrators of than the original certificates Secure Boot issued in 2011 begin to expire in June 2026, with additional expirations extending through October 2026. The company says it has already started updating affected systems with a new set of 2023 certificates, delivered through regular Windows updates for many devices.
The notice appears in Microsoft’s January 13, 2026 Patch Tuesday release notes for Windows 11 (KB5074109) in the “Windows Secure Boot Certificate Expiration” section, where Microsoft mentions the start date of June 2026 and points users to a preparation guide.
On February 10, 2026, Microsoft also published KB5079373 (“When Secure Boot certificates expire on Windows devices”), which summarizes what expiration means and reiterates that most devices should be updated automatically, while some may require OEM firmware updates.
What changes when 2011 certificates begin to expire
Microsoft says that devices that reach their expiration date should continue to boot normally and continue to receive standard Windows updates. The key difference is that systems that do not have the latest certificates will no longer be able to receive the new protections for the early boot process including updates related to the Windows Boot Manager, Secure Boot databases, revocation lists, and fixes for recently discovered boot chain vulnerabilities.
In his further explanation of the certificate Secure Boot (KB5062710), Microsoft similarly warns that while everyday use may appear unchanged, affected machines become progressively less protected over time as new boot-level threats emerge.
Which certificates expire and what replaces them
In the Microsoft IT guide https://support.microsoft.com/en-us/topic/secure-boot-certificate-updates-guidance-for-it-professionals-and-organizations-e2b43f9f-b424-42df-bc6a-8476db65ab2fThe company lists three Microsoft-provided Secure Boot certificates that have been in use since the Windows 8/Windows Server 2012 era, and says they start to expire starting in June 2026 and would expire in October 2026.
Microsoft is moving devices to 2023 certification authorities, including new entries used to sign Secure Boot database updates and Windows boot components, and notes that some environments may require the addition of separate 2023 certificates depending on what a device needs to trust (for example, trust related to option ROM).
What users and organizations should do now
For most consumer PCs, Microsoft says replacement certificates should arrive via Microsoft-managed updates, but warns that some systems may require an OEM firmware update for the new certificates to be applied correctly. Microsoft also advises against disabling Secure Boot as a workaround.
For managed fleets, Microsoft’s guidance and playbook outline ways to inventory, monitor, and deploy changes (including Intune, Group Policy, and registry-based methods) before the June 2026 deadline.
Third party reports About the rollout notes that Microsoft is treating this as a “generational update” to the boot chain of trust, with updates now being delivered through the regular Windows service for devices in support.
date: 2026-02-11 00:09:00