Microsoft Begins Rolling Out New Secure Boot Certificates Ahead of 2026 Expiration Deadline

Microsoft has started rolling out updated Secure Boot certificates via regular monthly Windows updates to replace the original certificates issued in 2011 that are set to expire in late June 2026. This is a proactive platform-wide effort to ensure that Secure Boot remains functional and secure as the older credentials reach end-of-life.

Why It Matters

Secure Boot is a core security component of UEFI (Unified Extensible Firmware Interface) that prevents unauthorized or malicious code (such as rootkits) from loading during the earliest stages of system startup. It does this by validating digital signatures against certificates stored in firmware. If these certificates expire, systems may still boot, but they lose the ability to validate trust anchors and receive future boot-level updates—leading to a degraded security posture.

Certificate Lifecycle and Renewal

  • The existing 2011 Secure Boot certificates have served for over 15 years and are now nearing their planned expiration.
  • Microsoft generated a fresh set of certificates in 2023 to replace them. Many newer PCs already include these updates in firmware out-of-the-box.
  • Older devices that shipped with the 2011 certificates will now start receiving the 2023 certificates automatically as part of Windows Update.

This refresh is described by Microsoft as one of the largest coordinated security maintenance efforts across the Windows ecosystem because it spans millions of device configurations and involves collaboration with OEM firmware partners.

Deployment and Management

Microsoft’s current deployment strategy includes:

  • Automatic installation through monthly Windows updates for devices that take their updates directly from Windows Update.
  • Optional management paths for IT administrators through registry keys, Group Policy, and Windows Configuration System (WinCS), enabling enterprises to control or accelerate certificate installs.
  • Some specialized hardware (e.g., certain servers or OEM systems) might still require separate firmware updates from manufacturers in order to properly register the new certificates in UEFI.

Impact and Risks

  • Devices updated with the new certificates will continue to receive Secure Boot protections, including future signature database (DB) and revocation list (DBX) updates.
  • Devices that do not receive the new certificates before expiration will continue to boot normally but will enter a degraded security state, meaning they can no longer validate new boot components or receive certain boot-level protections.
  • Unsupported systems (notably older Windows 10 devices beyond Extended Security Updates) won’t receive the new certificates at all, effectively losing full Secure Boot integrity once the old ones expire.

Technical Implications for IT and Security Teams

  • It’s important for organizations to inventory UEFI Secure Boot-enabled systems and verify whether the new certificates are applied.
  • Firmware and platform updates may be required on certain systems to fully integrate the new certificates.
  • Unsupported or unmanaged devices that fail to update before the 2026 expiration will stop receiving trust validation for new boot components, which can impair future security mitigations and limit compatibility with new software or hardware.
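One way to do the inventory check described above, as an added PowerShell example that is not from the article or from Microsoft. It assumes an elevated session on a UEFI host and uses the CA subject names Microsoft assigns to the 2011 and 2023 certificates, which this article does not list; treat those strings as an assumption to verify against your own firmware.

```powershell
# Added inventory check (not Microsoft's code). Needs an elevated PowerShell
# session on a UEFI host; the Secure Boot cmdlets throw on legacy BIOS systems.
# The CA subject strings are the names Microsoft uses for the 2011 and 2023
# certificates; they are assumed here and are not listed in the article above.
$CaNames = @{
    Db2011  = @('Microsoft Windows Production PCA 2011', 'Microsoft Corporation UEFI CA 2011')
    Db2023  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
    Kek2023 = @('Microsoft Corporation KEK 2K CA 2023')
}

function Get-SecureBootVariableText {
    # Returns the raw contents of a Secure Boot variable (db, KEK, dbx) as text.
    # The DER certificates inside the EFI_SIGNATURE_LIST carry their subject
    # names as plain ASCII, so a substring match is enough to detect a CA.
    param([Parameter(Mandatory)][string]$Name)
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    return [System.Text.Encoding]::ASCII.GetString($bytes)
}

function Get-SecureBootCertInventory {
    # Builds one inventory record for the local machine, e.g. for Export-Csv.
    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $null
        Db2011Present     = $null
        Db2023Present     = $null
        Kek2023Present    = $null
        Status            = 'Unknown'
    }
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
        $db  = Get-SecureBootVariableText -Name 'db'
        $kek = Get-SecureBootVariableText -Name 'KEK'
        $result.Db2011Present  = [bool]($CaNames.Db2011  | Where-Object { $db  -like "*$_*" })
        $result.Db2023Present  = [bool]($CaNames.Db2023  | Where-Object { $db  -like "*$_*" })
        $result.Kek2023Present = [bool]($CaNames.Kek2023 | Where-Object { $kek -like "*$_*" })
        # The device is only fully serviced once both the 2023 KEK and the 2023 DB CAs are present.
        $result.Status = if ($result.Db2023Present -and $result.Kek2023Present) { 'Updated' }
                         elseif ($result.Db2023Present) { 'Partial: 2023 KEK missing' }
                         else { 'Needs 2023 certificates' }
    } catch {
        # Legacy BIOS, CSM mode or missing privileges: record the reason rather than fail.
        $result.Status = "Check failed: $($_.Exception.Message)"
    }
    return [pscustomobject]$result
}

Get-SecureBootCertInventory | Format-List
```

Run it through your endpoint management tool and collect the objects centrally; a host reporting only the 2011 CAs is one that still needs the Windows Update rollout or an OEM firmware update before the June 2026 expiration.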