Renewed Secure Boot certificates will be rolled out to Windows systems starting in June, as the old certificates are reaching the end of their lifecycle, Microsoft announced on Tuesday.
Since 2011, Secure Boot has been providing protections against sophisticated threats by ensuring that only trusted, digitally signed software is executed from the moment the device is powered on, even before Windows starts.
It relies on digital certificates that are stored in the device’s firmware, and the current certificates, which have been in service for more than a decade and a half, will begin to expire in June, the tech giant explains.
In line with industry best practices, the old certificates will be retired, and new ones will be rolled out to all supported Windows versions via automatic updates.
To prepare for this change, Microsoft has been working with firmware providers to add servicing capabilities and tools that allow a gradual deployment and safe certificate updates.
“OEMs have been provisioning updated certificates on new devices and many newer PCs built since 2024, and almost all the devices shipped in 2025 already include the certificates and require no action from customers,” Microsoft explains.
According to the tech giant, most users and businesses that have enabled automatic updates will receive the new certificates through the regular Windows update process, while specialized systems, such as certain server or IoT devices, will require a different update process.
“For a fraction of devices, a separate firmware update from the device manufacturer may be required before the system can apply the new Secure Boot certificates delivered via Windows Update. To prepare, we recommend that customers check their OEM support pages to ensure they have the latest firmware updates,” Microsoft notes.
Systems that will not receive the refreshed Secure Boot certificates before the old ones expire will continue to work normally but may not receive future boot-level protections, the tech giant says.
“As new boot‑level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations. Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware or Secure Boot–dependent software may fail to load,” it explains.
Systems running Windows 10 and older OS versions are no longer supported and will not receive the new certificates, unless they have been enrolled in Extended Security Updates, Microsoft points out.
Organizations are encouraged to evaluate their systems as part of deployment planning, ensure that systems are validated for updates, and implement certificate monitoring tools. They should also ensure that devices are running the latest available Windows updates and firmware versions.
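One way to inventory what is actually enrolled in a device's firmware, as an added PowerShell example that is not part of the article or of Microsoft's tooling: it reads the KEK and db variables through the built-in SecureBoot module and parses their EFI_SIGNATURE_LIST entries into certificate subjects and expiry dates. The article does not name the renewed certificates, so the subjects printed here should be compared against Microsoft's own documentation; the function runs elevated on a UEFI system with Secure Boot enabled.

```powershell
function Get-SecureBootCertificates {
    [CmdletBinding()]
    param(
        [ValidateSet('PK', 'KEK', 'db')]
        [string[]]$Database = @('KEK', 'db')
    )
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is not enabled, or this is not a UEFI system.'
    }
    # EFI_CERT_X509_GUID marks signature lists whose entries are DER-encoded X.509 certificates.
    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
    foreach ($name in $Database) {
        [byte[]]$buf = (Get-SecureBootUEFI -Name $name).Bytes
        $pos = 0
        while ($pos + 28 -le $buf.Length) {
            # EFI_SIGNATURE_LIST header: type GUID (16), list size (4), header size (4), signature size (4)
            $type    = [guid]::new([byte[]]$buf[$pos..($pos + 15)])
            $listLen = [BitConverter]::ToUInt32($buf, $pos + 16)
            $hdrLen  = [BitConverter]::ToUInt32($buf, $pos + 20)
            $sigLen  = [BitConverter]::ToUInt32($buf, $pos + 24)
            if ($listLen -lt 28 -or $pos + $listLen -gt $buf.Length) { break }  # malformed list: stop parsing
            if ($type -eq $x509Guid -and $sigLen -gt 16) {
                $sigPos = $pos + 28 + $hdrLen
                while ($sigPos + $sigLen -le $pos + $listLen) {
                    # Each EFI_SIGNATURE_DATA entry is an owner GUID (16) followed by the DER certificate
                    [byte[]]$der = $buf[($sigPos + 16)..($sigPos + $sigLen - 1)]
                    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                    [pscustomobject]@{
                        Database   = $name
                        Subject    = $cert.Subject
                        NotAfter   = $cert.NotAfter
                        Thumbprint = $cert.Thumbprint
                    }
                    $sigPos += $sigLen
                }
            }
            $pos += $listLen
        }
    }
}

# List what is enrolled, oldest expiry first, so certificates nearing end of life stand out.
Get-SecureBootCertificates | Sort-Object Database, NotAfter | Format-Table -AutoSize
```

Running this before and after the Windows update that carries the renewed certificates shows whether the db and KEK actually changed, which is the check the firmware-dependency caveat above calls for.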
“We’re rolling out these new certificates in collaboration with our ecosystem partners in a careful, phased approach informed by broad testing, staged data-based rollout and coordination with device manufacturers. Even so, given the diversity of device models, firmware versions and usage scenarios, a limited number of devices may require additional support during the update process,” Microsoft notes.