Secure Boot Certificates Expiration 2026: What Windows Users Need to Know

As June 2026 approaches, Windows users face a critical deadline: the expiration of Secure Boot certificates. Microsoft has been preparing for this moment since 2025, urging organizations and individuals to update their systems to avoid security vulnerabilities. This article outlines the implications of the expiration, steps to mitigate risks, and how Microsoft is addressing the issue.

What Is Secure Boot and Why It Matters

Secure Boot is a security feature introduced with Windows 8 in 2012, designed to ensure that a device boots only using software trusted by the manufacturer. It relies on cryptographic keys, known as certificate authorities (CAs), to validate firmware modules. Over time, these certificates have expiration dates to ensure systems remain protected against evolving threats.

According to Microsoft, Secure Boot certificates issued in 2011 will expire in June 2026. This means devices that haven’t been updated will no longer receive security updates for the boot manager and Secure Boot components, increasing the risk of malware attacks such as bootkits. Microsoft’s blog emphasizes that proactive updates are essential to maintain system integrity.

The Expiration Timeline and Microsoft’s Response

Microsoft has been preparing for this transition since late 2025. The company began distributing new Secure Boot certificates through monthly Windows updates in 2025, with original equipment manufacturers (OEMs) rolling out firmware updates to ensure compatibility. Devices manufactured since 2024 are likely already equipped with the updated 2023 CAs.

For older devices, the process requires user action. Microsoft’s Secure Boot playbook outlines steps to check and update certificates. Users can verify their system’s status by checking the UEFI firmware or running the `msinfo32` command in Windows. A “Secure Boot State” of “Enabled” confirms the feature is active.

Steps to Check and Update Your Secure Boot Certificates