Microsoft begins Secure Boot certificate update for Windows devices

Microsoft has begun updating Secure Boot certificates originally issued in 2011 to ensure that Windows devices continue to verify boot software as older certificates reach the end of their lifecycle and begin expiring in June 2026.


How Secure Boot certificate updates work

For most individuals and businesses that allow Microsoft to manage updates, the new certificates will install automatically with monthly Windows updates, requiring no additional action.

For specialized systems, such as servers and IoT devices, organizations should include the update process in deployment planning and validation procedures.

Some device manufacturers may also require a firmware update before the system can apply the new Secure Boot certificates delivered via Windows update.

For devices that are not covered by automatic updates, Microsoft advises organizations to plan deployments and track the new certificates using their chosen management tools and administrative processes.
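One way for administrators to track whether a given device has actually received the replacement certificates is to read the Secure Boot `db` and `KEK` variables and list the certificate subjects they contain. The PowerShell below is an added example, not code from the article or from Microsoft: it walks the `EFI_SIGNATURE_LIST` structures returned by the built-in `Get-SecureBootUEFI` cmdlet, decodes each X.509 entry, and reports whether any 2023-dated Microsoft CA is present beside the 2011 ones. The subject-name patterns it matches on are assumptions taken from Microsoft's published CA names rather than from the article, so verify them against current documentation before relying on the verdict; it must run in an elevated session on a UEFI system with Secure Boot enabled.

```powershell
# Added example (not from the article): inventory Secure Boot certificates and flag
# whether the 2023-dated Microsoft CAs have landed on this device.
# Assumes an elevated PowerShell session on UEFI firmware with Secure Boot enabled.

function Get-SecureBootCertSubjects {
    param([Parameter(Mandatory)][ValidateSet('db', 'dbx', 'KEK', 'PK')][string]$Name)

    $bytes    = (Get-SecureBootUEFI -Name $Name).Bytes
    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $results  = @()
    $offset   = 0

    while ($offset -lt $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType(16) ListSize(4) HeaderSize(4) SignatureSize(4)
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -le 0) { break }   # guard against a malformed list that would loop forever

        if ($type -eq $x509Guid) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while ($pos -lt $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) followed by the DER certificate
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $results += [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
    return $results
}

function Test-SecureBootCertRefresh {
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is not enabled on this device; certificate inventory is not meaningful.'
        return
    }

    $certs = @(Get-SecureBootCertSubjects -Name db) + @(Get-SecureBootCertSubjects -Name KEK)

    # Assumed subject-name patterns for the 2011 CAs and their 2023 replacements; confirm against
    # Microsoft's current documentation before using this as a compliance signal.
    $old = $certs | Where-Object { $_.Subject -match 'CA 2011' -and $_.Subject -match 'Microsoft' }
    $new = $certs | Where-Object { $_.Subject -match 'CA 2023' -and $_.Subject -match 'Microsoft' }

    $certs | Sort-Object Variable, Subject | Format-Table Variable, Subject, NotAfter -AutoSize

    if ($new.Count -gt 0) {
        "OK: $($new.Count) 2023-dated Microsoft CA(s) present; device has received the refreshed certificates."
    } elseif ($old.Count -gt 0) {
        "ACTION NEEDED: only 2011-dated Microsoft CA(s) found. Check for pending Windows and OEM firmware updates."
    } else {
        "UNKNOWN: no Microsoft CA matched the expected patterns; inspect the subjects listed above."
    }
}

Test-SecureBootCertRefresh
```

Running the script across a fleet through your existing management tooling gives a per-device answer to the question the article raises: whether the refresh has been applied, or whether the device still depends only on the 2011 certificates and needs a Windows or OEM firmware update before they expire.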

“Refreshing new certificates represents one of the largest coordinated security maintenance efforts across the Windows ecosystem, spanning Windows servicing, firmware updates and millions of unique device configurations delivered by hardware manufacturers, or original equipment manufacturers (OEMs), worldwide,” Nuno Costa, Microsoft’s Partner Director, Windows Servicing and Delivery, explained.

“Because Secure Boot operates at the firmware level and affects how a PC starts, these changes have required careful preparation to help minimize disruptions while maintaining security and device reliability at scale,” concluded Costa.

Consequences of expired certificates

If a device does not receive the updated certificates before the 2011 versions expire, it enters a degraded security state at startup. The device boots and operates normally in this state.

While in the degraded security state, the device does not receive new boot-level security protections or updates, including fixes for vulnerabilities in the early startup process.

Over time, this may lead to compatibility issues with newer firmware, hardware or Secure Boot-dependent software.

Older versions of Windows that no longer receive updates will not get the new certificates unless they are enrolled in Microsoft’s Extended Security Updates program.

Industry collaboration and support

Microsoft is coordinating with device manufacturers and firmware partners to support a phased rollout of the updated certificates suited to various hardware and firmware configurations. Both commercial and customer support teams have guidance available to help customers prepare for the transition.

“HP is working closely with Microsoft to ensure firmware updates are available so that all supported HP PCs running Windows 11 can adopt the new Secure Boot certificates before legacy certificates expire. We are also working closely with our customers to ensure that their business operations are not impacted and they are prepared with the right level of validation and controls. Our collaboration supports continued trust, minimizes disruption and reinforces our joint focus on security,” said Vali Ali, HP Fellow and Chief Technologist, Security and Privacy, HP.
