Windows Secure Boot Certificates Expire on June 24: What You Need to Know
Microsoft has announced that a critical set of certificates underpinning Windows Secure Boot will expire on June 24, 2026, marking the latest deadline in an ongoing security update cycle that began with the 2011-era certificates. The expiration, confirmed in Microsoft’s official support documentation updated as recently as May 18, 2026, applies to older cryptographic keys used to authenticate firmware and bootloaders in UEFI-based devices—a process designed to prevent pre-boot malware from executing during system startup. Devices relying on these expiring certificates will fail to boot unless updated with the newer 2023 certificate authority (CA) keys, which Microsoft has begun distributing through Windows monthly updates and in collaboration with original equipment manufacturers (OEMs).

The Secure Boot system, introduced in Windows 8 to counter emerging bootkit threats, relies on a chain of trust established through digital signatures verified against stored certificates. As of June 2025, Microsoft had already begun phasing out the 2011-era certificates, with the final expiration date now set for June 24, 2026. The company’s Secure Boot playbook, published in November 2025, explicitly states that organizations must install the 2023 CAs before the older certificates expire. While many Windows PCs manufactured since 2024 already include the updated certificates, legacy devices—particularly those from 2011 to 2023—remain vulnerable unless firmware or OS updates are applied.

Microsoft’s guidance emphasizes proactive measures, urging IT administrators to monitor their device fleets and deploy the necessary updates. The company has provided tools and resources, including a dedicated support section and a troubleshooting guide, to assist organizations in identifying affected devices and applying fixes. The update process varies by manufacturer, with some OEMs releasing firmware patches directly, while others rely on Windows Update to push the new certificates. For enterprise environments, Microsoft recommends testing updates in non-production environments first to avoid disruptions.

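
One way to check a single device for the 2023 certificates, given here as an added example that is not part of the original article or of Microsoft's documentation. It assumes an elevated PowerShell session on a UEFI device, and the certificate names in the table are assumptions to verify against Microsoft's current guidance.

```powershell
# Added example: report which Secure Boot certificates this device's firmware holds.
# Assumes an elevated PowerShell session on a UEFI device.
# Certificate names are assumptions; verify them against Microsoft's current guidance.
$certs = @(
    @{ Variable = 'KEK'; Generation = '2011'; Name = 'Microsoft Corporation KEK CA 2011' }
    @{ Variable = 'KEK'; Generation = '2023'; Name = 'Microsoft Corporation KEK 2K CA 2023' }
    @{ Variable = 'db';  Generation = '2011'; Name = 'Microsoft Windows Production PCA 2011' }
    @{ Variable = 'db';  Generation = '2011'; Name = 'Microsoft Corporation UEFI CA 2011' }
    @{ Variable = 'db';  Generation = '2023'; Name = 'Windows UEFI CA 2023' }
    @{ Variable = 'db';  Generation = '2023'; Name = 'Microsoft UEFI CA 2023' }
)

function Get-SecureBootCertReport {
    try {
        # Returns $true/$false; throws on legacy BIOS or without elevation.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
        return
    }

    $cache = @{}   # one firmware read per UEFI variable
    foreach ($c in $certs) {
        if (-not $cache.ContainsKey($c.Variable)) {
            try {
                $bytes = (Get-SecureBootUEFI -Name $c.Variable -ErrorAction Stop).Bytes
                # Substring search over the raw variable: a presence heuristic,
                # not a parse or validation of the certificates themselves.
                $cache[$c.Variable] = [System.Text.Encoding]::ASCII.GetString($bytes)
            } catch {
                $cache[$c.Variable] = $null   # variable missing or unreadable
            }
        }
        $text = $cache[$c.Variable]
        [pscustomobject]@{
            Computer          = $env:COMPUTERNAME
            SecureBootEnabled = $enabled
            Variable          = $c.Variable
            Generation        = $c.Generation
            Certificate       = $c.Name
            Present           = if ($null -eq $text) { 'Unknown' } else { $text.Contains($c.Name) }
        }
    }
}

Get-SecureBootCertReport | Format-Table -AutoSize
```

A device that lists the 2011 entries as present and the 2023 entries as absent is one that still needs the update described above.
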
Industry analysts and security researchers have noted that the expiration poses a particular risk to older business hardware, where firmware updates may be delayed due to compatibility concerns or IT resource constraints. The Secure Boot system’s reliance on certificate expiration cycles underscores the broader challenge of maintaining long-term security in an ecosystem where hardware and software lifecycles often diverge. While Microsoft has framed the transition as a routine security measure, the stakes are higher for organizations still operating on legacy systems, where the absence of updates could leave devices susceptible to exploitation through unsigned firmware or bootloaders.

The expiration date of June 24, 2026, follows a pattern of regular certificate rotations designed to mitigate the risk of compromised keys being used to sign malicious firmware. Microsoft’s documentation does not specify whether additional extensions or emergency patches will be issued if critical systems remain unupdated, though the company’s historical approach suggests a firm adherence to the scheduled timeline. For now, the focus remains on ensuring that the transition to the 2023 certificates is completed before the deadline, with Microsoft’s support resources serving as the primary channel for organizations seeking guidance.
