FAQ: What you need to know about expiring Windows Secure Boot certificates
Microsoft is preparing to make a significant change to the Secure Boot system in Windows that will impact operations for both clients and servers.
In a nutshell: The Secure Boot certificates that Microsoft issued 15 years ago are being replaced by newer ones, with the older certificates set to expire beginning in June. To continue to receive the most up-to-date security protections for the Windows boot-up process, individual users and IT administrators alike need to make sure their Windows devices have the new Secure Boot certificates installed.
Have questions? Of course you do. Here are answers to eight key questions about the Secure Boot certificate updates.
What is Secure Boot?
Secure Boot is a security feature that checks, at startup, that each piece of boot software is signed by a certificate the firmware trusts. Anything that fails the check is blocked. This happens immediately at power-on, before Windows or anything else loads.
Secure Boot is a part of the UEFI firmware standard, which replaced the older BIOS model for modern PCs. It was added to UEFI in 2011 so that only trusted, signed code could run during startup.
Microsoft issued its original Secure Boot certificates in 2011 and introduced Secure Boot as an optional feature in Windows 8. It remained optional in Windows 10, since UEFI had not had much time to penetrate the market when Windows 10 was released in 2015. But Secure Boot became mandatory in Windows 11. Windows 11 came out in 2021, giving UEFI-powered systems plenty of time to saturate the marketplace.
What’s happening with Windows Secure Boot certificates?
To keep up with emerging threats, Microsoft in 2023 issued new Secure Boot certificates to replace the 2011 versions. Those began rolling out on Windows devices in 2024, and according to Microsoft, nearly all devices shipped in 2025 and later already include the 2023 certificates.
However, most older devices with Secure Boot enabled (those manufactured from 2012 to 2024) have been relying on the 2011 certificates — and those certificates begin expiring in June.
There are three Windows Secure Boot certificates expiring this year:
Microsoft Corp. KEK CA 2011: authorizes changes to the Secure Boot database
Microsoft UEFI CA 2011: signs third-party drivers so that hardware components can load their firmware during boot
Microsoft Windows Production PCA 2011: signs the Windows bootloader itself, the core piece of software that loads Windows from your hard drive into memory
The first two certificates will expire on June 27; the third will expire on October 19.
For devices that didn’t ship with the 2023 certificates pre-installed, Microsoft is now rolling out those new certificates via Windows Update.
What happens to devices that don’t have the updated certificates after the old ones expire?
Lacking the new certificates, your PC keeps working and you’ll still receive regular Windows updates, but the computer loses the ability to receive security updates for the boot process. New protections for Windows Boot Manager won’t install. Updates to the Secure Boot database won’t apply. Revocation lists that block known malicious software won’t update. Your system is essentially defenseless against emerging boot-level threats.
Over time, not having the current certificates may also lead to compatibility issues with newer operating systems, firmware, hardware, or Secure Boot–dependent software.
How are Secure Boot certificates updated?
For most devices that have Windows updates managed by Microsoft (this includes consumer devices and some business and education devices), the new certificates will be installed automatically via Windows Update as part of the regular monthly update process, with no additional action required. Microsoft has been gradually rolling out the new certificates since June 2025, so your device may have them already.
Some devices may require a separate firmware update from the device manufacturer before the system can apply the new Secure Boot certificates. That’s because the new certificates need to be written into the UEFI key databases in your motherboard’s firmware, the ones Secure Boot consults during the boot process. HP, Dell, Lenovo, and other major PC manufacturers have been releasing BIOS updates specifically to ensure their systems can properly accept the new certificates.
Microsoft recommends that customers check their Original Equipment Manufacturer (OEM) support pages for any applicable firmware updates and install them where needed. Microsoft maintains a list of OEM support pages for Secure Boot update readiness.
Devices managed by organizations may follow different update processes and typically require IT administrator action. Microsoft has a comprehensive “Secure Boot Certificate updates: Guidance for IT professionals and organizations” mini-site that covers verifying Secure Boot status, preparation, firmware considerations, deployment options (including automated deployment), monitoring and remediation, troubleshooting, and more.
Which devices will get the updated certificates automatically?
Only devices running Windows versions currently supported by Microsoft will get the updated Secure Boot certificates:
Windows 11 24H2, 25H2, and 26H1 (all editions); Windows 11 23H2 enterprise/education editions; and Windows 11 Long-Term Servicing Channel (LTSC) 2024 editions
Windows 10 22H2 devices enrolled in the Extended Security Updates (ESU) program; and Windows 10 LTSB/LTSC 2016, 2019, and 2021 editions until their LTSC end-of-support dates
Windows Server 2019, 2022, and 2025: covered with separate guidance in the Secure Boot Playbook for Windows Server
Out-of-support Windows versions will not receive the new certificates.
As noted above, Microsoft-managed Windows client devices will have the new Secure Boot certificates delivered automatically through Windows Update. The new certificates will not be delivered automatically in IT-managed environments.
How do I know if the new Secure Boot certificates have been installed?
Individuals and business/education users with Microsoft-managed updates can check Windows Security > Device security > Secure Boot. Here you’ll find badges and status messages indicating whether your device is fully updated and if you need to take action. See Microsoft’s “Secure Boot certificate update status in the Windows Security app” support page for details.
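For IT admins who would rather check from a console than from the Windows Security app, here is an added PowerShell check (not from the article or from Microsoft) that reads the firmware’s KEK and db variables and reports whether the 2023 certificates are present and whether the expiring 2011 ones are still there. It assumes the full certificate subject names below are the ones Microsoft uses (the article abbreviates the 2011 names), and that the servicing status registry value is named as in Microsoft’s IT-pro guidance; it must be run in an elevated session on a UEFI system.

```powershell
#Requires -RunAsAdministrator
# Subject names of the 2023 replacement CAs and the expiring 2011 CAs.
# Assumption: these are the exact CN strings embedded in the firmware databases.
$New2023 = @{
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
    db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023')
}
$Old2011 = @{
    KEK = @('Microsoft Corporation KEK CA 2011')
    db  = @('Microsoft Corporation UEFI CA 2011', 'Microsoft Windows Production PCA 2011')
}

function Test-UefiVarContains {
    # Returns the subset of $Names found in the given UEFI variable (PK, KEK, db, dbx).
    # Certificate subject names are stored as printable ASCII inside the signature list blob,
    # so a plain substring search is enough to tell which CAs are enrolled.
    param([string]$Variable, [string[]]$Names)
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return @($Names | Where-Object { $text.Contains($_) })
}

function Get-SecureBootCertStatus {
    $result = [ordered]@{ Computer = $env:COMPUTERNAME; SecureBoot = $null }
    try { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch {
        # Legacy BIOS or no UEFI variable access: nothing to check.
        $result.SecureBoot = 'Unsupported (legacy BIOS or no UEFI access)'
        return [pscustomobject]$result
    }
    foreach ($var in 'KEK', 'db') {
        $result["${var}_2023"] = (Test-UefiVarContains $var $New2023[$var]) -join ', '
        $result["${var}_2011"] = (Test-UefiVarContains $var $Old2011[$var]) -join ', '
    }
    # Status written by Windows servicing as it applies the new CAs
    # (assumption: key and value name as published in Microsoft's guidance; 'n/a' if absent).
    $svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
        -ErrorAction SilentlyContinue
    $result.ServicingStatus = if ($svc) { $svc.UEFICA2023Status } else { 'n/a' }
    # Action is needed when Secure Boot is on but the new KEK or the Windows UEFI CA 2023 is missing.
    $result.NeedsAction = (($result.SecureBoot -eq $true) -and
        ([string]::IsNullOrEmpty($result.KEK_2023) -or
         $result.db_2023 -notlike '*Windows UEFI CA 2023*'))
    return [pscustomobject]$result
}

Get-SecureBootCertStatus | Format-List
```

The function returns an object, so the same call can be run across a fleet with Invoke-Command and the results exported for the monitoring and remediation steps the playbooks describe.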
What else should I know about the Secure Boot certificate updates?
Because Secure Boot is rooted in platform firmware, some environments may require additional steps. This can include specialized hardware configurations, certain virtualized environments where the platform provider manages firmware behavior, or devices that depend on OEM support. Microsoft is working closely with hardware and platform partners to ensure broad compatibility and a smooth transition.
With the April 2026 Windows security update and upcoming monthly updates, some devices may experience one additional reboot during installation. This is the one-time restart that applies the new Boot Manager after the certificates have been written to firmware — it is expected and documented.
What resources are available for help deploying and troubleshooting the new Secure Boot certificates?
aka.ms/getsecureboot: the canonical hub that Microsoft is keeping current with all information and guidance around Secure Boot certificate updates
Windows devices for home users, businesses, and schools with Microsoft-managed updates: includes a troubleshooting section for problems with BitLocker recovery or a device that won’t start up after installing the new certificates
Secure Boot Playbook for Windows client and Secure Boot Playbook for Windows Server: these guides walk IT admins through the entire planning and deployment process in self-managed environments
Secure Boot troubleshooting guide: for IT admins
Secure Boot status report in Windows Autopatch: service provided to Autopatch customers for fleet-scale monitoring at no additional cost