- Microsoft is expanding the rollout of new Secure Boot certificates through June 2026 security updates.
- Additional device targeting data helps more eligible Windows 11 and 10 PCs receive certificates automatically.
- Key Secure Boot certificates issued in 2011 expire on June 24 and June 27, 2026.
- PCs without the new certificates should continue working, but future Secure Boot protections may eventually require the updated certificates.
Microsoft is using the June 2026 Patch Tuesday updates for Windows 11 and Windows 10 to expand the rollout of new Secure Boot certificates as the first expiration deadlines for the original 2011 certificates approach later this month.
In the release notes for the June 2026 Security Update (including the Security Update for Windows 10), the company says quality updates now include additional high-confidence device targeting data designed to increase the number of eligible devices that automatically receive the new Secure Boot certificates.
According to Microsoft, the certificates are only delivered after a device demonstrates sufficient successful update signals, allowing the company to maintain what it describes as a controlled and phased rollout.
The change comes as several Secure Boot certificates originally issued in 2011 are set to expire beginning in late June 2026. Microsoft previously confirmed that the Microsoft Corporation KEK CA 2011 certificate and Microsoft UEFI CA 2011 certificate are reaching the end of their lifecycle on June 24 and June 27, respectively, and are being replaced with new 2023 certificates. The first expirations begin in June, while additional certificates remain valid until October 2026.
Microsoft also added a new notice to the Windows 11 June update support page, reminding users that Secure Boot certificates used by most devices are set to expire starting this month. The company says it has been updating certificates on consumer and unmanaged business computers over the past several months and will continue to deliver the newer certificates through Windows Update in the coming months.
The software giant emphasized that devices that have not yet received the updated certificates will continue to boot and operate normally, and regular Windows updates will continue to install. However, Microsoft previously warned that systems without the newer certificates will eventually be unable to receive future Secure Boot-related protections, including updates to Windows Boot Manager, Secure Boot databases, revocation lists, and mitigations for newly discovered boot-level vulnerabilities.
For Windows 10, Microsoft is also introducing dynamic Secure Boot status reporting in the Windows Security app and a new Group Policy setting called LimitSecureBootRequiredServiceData, which allows administrators to suppress Secure Boot service events that would otherwise be sent to Microsoft.
The Security Update for June represents Microsoft’s latest effort to prepare Windows 11 and Windows 10 devices before the original Secure Boot trust chain begins expiring. The majority of supported systems are expected to receive the replacement certificates automatically through Windows Update, although some older devices may still require firmware updates from their hardware manufacturers before the new certificates can be fully deployed.
If you haven’t already checked your device, now may be a good time to verify that the new Secure Boot certificates are installed before the June 24 and June 27 expiration dates.
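One way to run that check from an elevated PowerShell prompt, as an added example that is not from Microsoft or the original article. It reads the firmware's KEK and db variables with the built-in `Get-SecureBootUEFI` cmdlet and looks for certificate names; the three 2023 names and the helper function name are assumptions (the names follow Microsoft's public Secure Boot guidance, the article does not list them).

```powershell
# Added example. Run elevated on a UEFI PC; legacy-BIOS systems report "unreadable".
# Assumption: the 2023 names below follow Microsoft's public guidance.
$checks = @(
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK CA 2011' }     # expiring
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' }  # replacement
    @{ Variable = 'db';  Name = 'Windows UEFI CA 2023' }                  # replacement
    @{ Variable = 'db';  Name = 'Microsoft UEFI CA 2023' }                # replacement
)

# Hypothetical helper: reports whether each name appears in its UEFI variable.
function Get-SecureBootCertStatus {
    param([object[]]$Checks)

    $cache = @{}   # read each firmware variable only once
    foreach ($c in $Checks) {
        $var = $c.Variable
        if (-not $cache.ContainsKey($var)) {
            try {
                $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
                # Certificate subject names are stored as ASCII-compatible text
                # inside the DER blobs, so a plain string search finds them.
                $cache[$var] = [System.Text.Encoding]::ASCII.GetString($bytes)
            } catch {
                $cache[$var] = $null   # not UEFI, not elevated, or variable missing
            }
        }
        $text = $cache[$var]
        [pscustomobject]@{
            Variable    = $var
            Certificate = $c.Name
            Present     = if ($null -eq $text) { 'unreadable' } else { $text.Contains($c.Name) }
        }
    }
}

# Secure Boot state first, then the per-certificate table.
try {
    "Secure Boot enabled: $(Confirm-SecureBootUEFI -ErrorAction Stop)"
} catch {
    "Secure Boot state unavailable: $($_.Exception.Message)"
}
Get-SecureBootCertStatus -Checks $checks | Format-Table -AutoSize
```

A `True` in the `Present` column only means the name string occurs in that variable; it does not validate the certificate itself or show that the boot manager has switched to the 2023 chain.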

