Secure Boot Certificates Expire for Windows Devices in 2026

Secure Boot certificates used by Windows devices will begin expiring in 2026, pushing Microsoft to release major security updates across supported systems. The company warned that outdated certificates could weaken trusted boot protections if devices fail to receive the newer updates.

Microsoft has already started rolling out replacement certificates through Windows Update and firmware updates distributed by hardware manufacturers. The transition affects millions of systems because Secure Boot remains a core security feature for modern Windows devices.

Microsoft Is Replacing Older Security Certificates

The current Secure Boot certificates were originally introduced in 2011 during the wider adoption of UEFI-based Windows systems. Those certificates help devices verify trusted software during startup and block unauthorized code before Windows fully loads.

Microsoft confirmed that several important certificates will expire during June and October 2026. To avoid security issues, the company is replacing them with newer certificates created in 2023.

The update is important because Secure Boot plays a major role in defending Windows devices against low-level malware attacks. The feature became mandatory for Windows 11 and remains enabled on most modern PCs by default.

Microsoft stated that systems using outdated certificates could eventually lose access to future boot security improvements and trusted verification updates.

Expired Certificates Could Create Security Risks

Microsoft explained that devices should continue functioning after the certificates expire. However, systems that fail to update may enter what the company described as a degraded security state.

Security researchers warned that expired Secure Boot certificates could weaken protection against rootkits, bootkits, and other advanced malware designed to infect systems before the operating system starts.

Older Windows devices may also experience compatibility problems involving firmware, drivers, anti-cheat systems, and future operating system updates relying on Secure Boot validation.

Unsupported Windows versions could face greater risks because some devices may not receive the replacement certificates automatically. Users still running outdated systems may need manual updates or firmware support from manufacturers.

Most Windows 11 Systems Will Update Automatically

Microsoft stated that most Windows 11 devices should receive the updated Secure Boot certificates automatically through standard Windows Update processes.

Many PCs manufactured during 2024 and 2025 reportedly already include the newer certificates. However, some older systems may still require BIOS or firmware updates provided by OEM partners.

Microsoft also warned users that the update process may trigger multiple restarts or unusual Windows Update behavior. The company said these additional reboots are expected while Secure Boot components are being updated.

The transition will continue gradually as Microsoft works with hardware vendors to expand compatibility before the expiration deadlines arrive.

Users Can Check Their Secure Boot Status

Microsoft recently added easier tools for checking Secure Boot certificate status inside Windows 11. Users can now verify certificate information directly through the Windows Security application.

To review the status, users can open Windows Security, navigate to Device Security, and inspect the Secure Boot section. The interface shows whether the system still relies on older trust certificates.

Advanced users can also verify Secure Boot details through PowerShell commands and firmware settings, although Microsoft expects most consumers to rely on automatic updates instead.

The company recommends installing all pending Windows updates to reduce the risk of certificate-related security issues later in 2026.

Conclusion

Secure Boot certificates approaching expiration in 2026 are forcing Microsoft to refresh one of the core security systems used across modern Windows devices. The updated certificates aim to preserve trusted boot verification and maintain protection against increasingly advanced low-level malware threats.

Most Windows 11 systems should receive the updates automatically, but older devices may require additional firmware support or manual checks before the expiration deadlines arrive.