Microsoft Prepares Millions of PCs for Secure Boot Certificate Refresh Ahead of 2026 Expiration

Microsoft is initiating a large-scale update of Secure Boot certificates across millions of Windows PCs worldwide. This proactive measure is designed to replace aging certificates that are set to expire by June 2026, ensuring continued system security and compatibility. The update is part of a broad industry collaboration involving OEMs and firmware manufacturers.

Key Takeaways

  • Certificate Expiration: Original Secure Boot certificates, introduced in 2011, expire in June 2026.
  • Security Impact: Failure to update can lead to a “degraded security state,” making PCs vulnerable to boot-level threats and potential compatibility issues with future hardware and software.
  • Rollout Strategy: The update is being deployed gradually through Windows updates, with newer devices (2024-2025 models) already equipped with updated certificates.
  • User Action: Most users will receive the update automatically, but some devices may require manual firmware or BIOS updates from manufacturers.

The Importance of Secure Boot

Secure Boot is a critical security feature integrated into the Unified Extensible Firmware Interface (UEFI) of Windows PCs. Its primary function is to ensure that only verified, digitally signed software is allowed to run during the system’s boot-up sequence. This process acts as a first line of defense against sophisticated malware that attempts to compromise the system before the operating system even loads.

Why the Refresh is Necessary

The original Secure Boot certificates, implemented around 2011, have a planned lifecycle and are approaching their expiration date in late June 2026. To maintain robust security, these certificates must be refreshed periodically. This industry-wide effort ensures that the root of trust remains strong and aligned with modern security standards, preventing older credentials from becoming a vulnerability.

The Update Process and User Impact

Microsoft has begun distributing new certificates through regular Windows updates for most users. Devices manufactured in 2024 and particularly 2025 are likely to already have the updated certificates. For older systems, the rollout is phased, and while many will receive the update automatically, a “fraction of devices” might necessitate manual intervention, such as updating the system’s BIOS or firmware. Users are advised to check their Original Equipment Manufacturer’s (OEM) support pages for the latest firmware updates.

Consequences of Not Updating

PCs that do not receive the new Secure Boot certificates before the old ones expire will enter a “degraded security state.” While the system will continue to function normally, it will be more susceptible to new boot-level security vulnerabilities and may face compatibility problems with future hardware, software, and firmware that rely on Secure Boot. Unsupported versions of Windows, like Windows 10 after its end-of-support date in October 2025, will not receive these updates unless enrolled in specific extended security programs.

Industry Collaboration

This initiative represents a significant coordinated effort across the Windows ecosystem. Microsoft is working closely with numerous OEMs and firmware providers to ensure a smooth transition. Companies like Dell, HP, and Lenovo have confirmed their collaboration to provide necessary firmware updates and support to their customers, emphasizing a shared commitment to security and minimizing disruption.

Via Windows Blog
