- Secure Boot certificates introduced in 2011 expire in late June 2026.
- Computers will continue to boot normally after expiration.
- Devices without updated certificates enter a degraded security state.
- Supported Windows 11 and Windows 10 devices receive updates automatically via Windows Update.
- Unsupported systems, including Windows 10 after October 2025 without ESU, will not receive the new certificates.
Microsoft has confirmed that the original Secure Boot certificates introduced in 2011 will begin expiring in late June 2026, triggering a major security update that affects almost every modern computer.
Secure Boot is the security mechanism available in the Unified Extensible Firmware Interface (UEFI) firmware that runs at startup, before the operating system loads. The purpose of this feature is to verify that only trusted, digitally signed code can execute during startup, blocking bootkits and other low-level threats that attempt to compromise a system during boot. For the past 15 years, this process has relied on certificates embedded in device firmware, but those certificates are now reaching the end of their planned lifecycle.
Will your computer stop working in 2026?
The short answer is no. When the original certificates expire, computers will continue to boot, and Windows 11 (or 10) will continue to load normally. Applications will not suddenly fail, and you won’t see an immediate disruption.
However, systems that do not receive the updated Secure Boot certificates will enter a degraded security state. That does not mean the computer is immediately unsafe. It simply means the device will no longer be able to accept future updates to the Secure Boot trust chain.
Over time, as new boot-level vulnerabilities are discovered, those systems may be unable to install new mitigations. The machine continues to run, but its startup protections no longer evolve, and that long-term limitation is the real concern.
Why Microsoft is replacing Secure Boot certificates
Security certificates are not meant to last forever. As security standards evolve, encryption keys and trust anchors must be updated to prevent outdated credentials from becoming vulnerabilities. The expiration of the 2011 Secure Boot certificates was planned from the start.
What makes this transition significant is scale. Secure Boot operates at the firmware level, not just within the operating system itself. Updating it requires coordination between Windows 11 (and 10) servicing, device firmware, and hardware manufacturers across millions of unique device configurations worldwide.
Microsoft describes this as one of the largest coordinated security maintenance efforts across the Windows ecosystem.
How the update is being delivered
The software giant has already begun rolling out the new Secure Boot certificates through regular monthly updates to supported versions, including Windows 11 and 10. For most home users and businesses that allow the company to manage updates, the process should happen automatically in the background.
In some cases, especially on older hardware, a firmware update from the device manufacturer may be required before the new certificates can be successfully applied. Microsoft says it has worked closely with major computer manufacturers (such as Dell, HP, and Lenovo) to prepare devices for the transition.
Almost all devices manufactured since 2024 already include the updated certificates, and nearly all systems shipped in 2025 are provisioned with them out of the box.
What about unsupported Windows versions?
Devices running unsupported versions of the operating system will not receive the new Secure Boot certificates through Windows Update. This includes Windows 10 after its end of support in October 2025, unless the device is enrolled in Extended Security Updates.
Those systems will continue to function after the 2011 certificates expire, but they will remain permanently limited in their ability to receive future boot-level security improvements. As the platform evolves, this may gradually increase exposure to new threats and compatibility issues with newer firmware, hardware, or Windows releases.
What should you do now?
For most people, the safest course of action is straightforward: keep Windows 11 (and 10) fully updated and ensure your device firmware is current by checking your manufacturer’s support page. Microsoft has indicated that additional status information on certificate updates will appear in the Windows Security app in the coming months, providing greater visibility into the process.
You can always check and update the Secure Boot certificate manually using these instructions.
Organizations managing a large number of computers should treat this as a validation and deployment planning exercise rather than a simple Patch Tuesday update.
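One way to validate a device's current state, as an added example that is not part of the original article or of Microsoft's instructions: the PowerShell script below reads the firmware's Secure Boot variables and reports which 2011 and 2023 certificates are present. The certificate names are those Microsoft has published for these certificates and are not stated in this article; the script assumes an elevated PowerShell session on a UEFI system.

```powershell
# Added example: report whether the 2011 and 2023 Secure Boot certificates
# are present in this device's UEFI db and KEK variables.
# Requires an elevated PowerShell session on a UEFI (not legacy BIOS) system.

# Certificate subject names as published by Microsoft
# (assumption: these names are not listed in the article itself).
$expected = @{
    db  = @('Microsoft Windows Production PCA 2011', 'Microsoft Corporation UEFI CA 2011',
            'Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
    KEK = @('Microsoft Corporation KEK CA 2011', 'Microsoft Corporation KEK 2K CA 2023')
}

function Get-SecureBootCertReport {
    try {
        # Throws on legacy BIOS systems or when the session is not elevated.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
        return
    }
    foreach ($var in $expected.Keys) {
        try {
            $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
        } catch {
            Write-Warning "Could not read UEFI variable '$var': $($_.Exception.Message)"
            continue
        }
        # Subject names are stored as plain strings inside the DER certificates,
        # so a text search over the raw variable is enough for a presence check.
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)
        foreach ($name in $expected[$var]) {
            [pscustomobject]@{
                ComputerName      = $env:COMPUTERNAME
                SecureBootEnabled = $enabled
                Variable          = $var
                Certificate       = $name
                Present           = $text.Contains($name)
            }
        }
    }
}

Get-SecureBootCertReport | Format-Table -AutoSize
```

A device that lists only the 2011 names as present has not yet received the new certificates. The function returns objects, so its output can be exported and aggregated across a fleet.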