Windows Secure Boot Certificate Update for June 2026

Introduction: why this matters

Secure Boot is one of Windows’ most important boot-time protections, ensuring only trusted, digitally signed components run before the OS loads. That trust is anchored in certificates stored in UEFI firmware—and Microsoft has confirmed the original Secure Boot certificates introduced in 2011 are reaching end of lifecycle and begin expiring in late June 2026. For IT teams, this is a time-bound, ecosystem-wide security maintenance event: if devices miss the certificate refresh, they may continue to boot, but they’ll lose the ability to take future boot-level protections.

What’s new

Secure Boot “root of trust” is being refreshed

• The long-lived Secure Boot certificates are expiring starting late June 2026.
• New certificates are being deployed to in-support Windows devices through the normal monthly Windows update cadence.
• This is a coordinated effort across Windows servicing, OEM firmware, and UEFI providers to minimize risk and disruption.

Broad OEM readiness (especially newer devices)

• Many PCs built since 2024—and nearly all devices shipped in 2025—already include the updated certificates.
• For a smaller subset of in-market devices, applying the new certificates may require an OEM firmware update first.

Improved visibility and phased rollout

• Microsoft is rolling out the change in a careful, staged approach informed by testing and telemetry-based readiness.
• Status messaging about certificate updates is expected in the Windows Security app in the coming months to help users track progress.

Impact to IT administrators and end users

If devices don’t get the new certificates in time

• Devices will likely continue to function and existing software will still run.
• However, they enter a degraded security state and may be unable to receive future boot-level mitigations (e.g., when new boot vulnerabilities are discovered).
• Over time, compatibility risks increase: newer OS/firmware/hardware or Secure Boot–dependent software may fail to load.

Unsupported Windows versions are a key risk

• Devices on unsupported versions (notably Windows 10 after support ended on Oct 14, 2025, unless enrolled in ESU) will not receive the updates through Windows Update.
• Those endpoints should be treated as priority remediation items (upgrade/replace or ensure ESU eligibility and update strategy).

Recommended actions / next steps

1. Inventory and scope
   • Identify all Windows and Windows Server endpoints in scope, including kiosks, specialized servers, and IoT/edge devices that may have atypical servicing.
2. Validate servicing path
   • Confirm devices are receiving the latest monthly cumulative updates (Microsoft-managed where applicable).
   • Ensure diagnostic/telemetry requirements used for readiness validation align with your organization’s policies.
3. Firmware readiness check
   • Proactively review OEM advisories and support pages (Dell/HP/Lenovo and others) and schedule required UEFI/firmware updates.
   • Pilot firmware updates on representative hardware models before broad deployment.
4. Plan for exceptions
   • For devices not confidently validated via Microsoft’s staged approach, use the Microsoft IT administrator playbook guidance and your existing tools (Intune, Configuration Manager, or third-party) to deploy and monitor.
5. Prepare support runbooks
   • First-line steps: apply latest Windows updates, verify latest OEM firmware, then escalate via Microsoft/OEM support channels if issues persist.