Windows Secure Boot Digital Certificates Expire Soon: 5 Details To Know
The original Secure Boot certificates are reaching the end of their planned life cycle and begin expiring in late June 2026.
Secure Boot, the Windows feature introduced in 2011, helps protect Windows clients and servers by only allowing digitally signed, trusted software to load during boot-up.
The trust is established through certificates stored in the machine’s firmware. Now the original Secure Boot certificates are reaching the end of their planned life cycle and begin expiring in late June 2026, Microsoft said in a blog post this week.
“Microsoft’s 2026 Secure Boot update creates a critical vulnerability for devices holding expired firmware certificates. While modern devices will update automatically, legacy systems running obsolete operating systems will not, leaving them exposed to boot-level attacks like bootkits, rootkits and unauthorized code execution,” Kalyan Arety, director at SecureW2, said in an emailed comment to MES Computing.
“Organizations must immediately audit their fleet/devices—leveraging MDM or EDR solutions—to identify these non-compliant endpoints. If these devices cannot be manually patched to support the new keys, they must be aggressively segmented from the corporate network to prevent them from becoming a persistent foothold for attackers,” Arety further advised.
In addition to managing expiring Secure Boot certificates, midmarket IT will have to contend with shortened TLS/SSL digital certificate life cycles this year after the CA/Browser (CA/B) Forum reduced the maximum validity of TLS/SSL certificates beginning March 14.
5 Details For Midmarket IT Leaders On Expiring Windows Secure Boot Certificates
- Many newer PCs built since 2024 and almost all Windows devices shipped in 2025 already include the certificates and require no action from customers. Check with your vendor or solution provider.
- Devices running unsupported versions (Windows 10 and older, excluding ones enrolled in Extended Security Updates) do not receive Windows updates and will not receive the new certificates.
- If a device’s certificate expires: “The PC will continue to function normally, and existing software will keep running. However, the device will enter a degraded security state that limits its ability to receive future boot-level protections,” Microsoft said.
- “Some specialized systems such as certain server or IoT devices may follow different update processes and should be evaluated as a part of deployment planning,” Microsoft said.
- Ensure devices have the latest firmware version by checking your OEM’s support page (or by working with your solution provider).
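The fleet audit Arety recommends and the firmware check in the last item above can be scripted. The following PowerShell is an added example, not code from the article, Microsoft or SecureW2: it reports whether Secure Boot is on, which Microsoft CA generations are present in the machine's KEK and db variables, the current firmware version for comparison against the OEM support page, and a registry status value. `Confirm-SecureBootUEFI`, `Get-SecureBootUEFI` and `Win32_BIOS` are standard Windows interfaces; the certificate subject strings and the `SecureBoot\Servicing` registry value are assumptions drawn from Microsoft's Secure Boot servicing guidance and should be confirmed against current documentation before the output is used for compliance decisions. Run it elevated on a UEFI machine.

```powershell
# Added example, not from the article. Run as Administrator on a UEFI-based Windows device.
# Subject strings and the registry value below are assumptions; verify against Microsoft docs.

# CAs from the 2011 generation, which the article says begin expiring in late June 2026.
$Expiring2011 = @(
    'Microsoft Corporation KEK CA 2011',      # KEK: authorizes updates to db/dbx
    'Microsoft Windows Production PCA 2011',  # db: signs the Windows boot manager
    'Microsoft Corporation UEFI CA 2011'      # db: signs third-party loaders and option ROMs
)
# Replacement CAs from the 2023 generation (assumed names).
$New2023 = @(
    'Microsoft Corporation KEK 2K CA 2023',
    'Windows UEFI CA 2023',
    'Microsoft UEFI CA 2023',
    'Microsoft Option ROM UEFI CA 2023'
)

function Get-SecureBootCaPresence {
    # One row per CA name, showing whether it appears in the KEK or db variable.
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is not enabled, or this is not a UEFI system.'
    }
    # Certificate subjects are stored as printable text inside the DER-encoded
    # signature lists, so an ASCII substring search over the raw bytes is enough here.
    $stores = @{}
    foreach ($var in 'KEK', 'db') {
        $raw = (Get-SecureBootUEFI -Name $var).Bytes
        $stores[$var] = [System.Text.Encoding]::ASCII.GetString($raw)
    }
    foreach ($ca in ($Expiring2011 + $New2023)) {
        [pscustomobject]@{
            Certificate = $ca
            Generation  = if ($ca -in $New2023) { '2023' } else { '2011' }
            InKEK       = $stores['KEK'].Contains($ca)
            InDb        = $stores['db'].Contains($ca)
        }
    }
}

function Get-FirmwareVersionInfo {
    # Firmware version and release date, for comparison with the OEM's support page.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    [pscustomobject]@{
        Manufacturer = $bios.Manufacturer
        Version      = $bios.SMBIOSBIOSVersion
        ReleaseDate  = $bios.ReleaseDate
    }
}

function Get-SecureBootServicingStatus {
    # Windows records the 2023 CA rollout state in the registry (assumed key and value name;
    # the key is absent on machines that have not yet received the servicing update).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).UEFICA2023Status
    } else {
        'Servicing key not present'
    }
}

# Summary a management agent can collect: a device is "updated" only when every
# 2023 CA is present in the variable it belongs to.
$rows    = Get-SecureBootCaPresence
$updated = ($rows | Where-Object { $_.Generation -eq '2023' -and -not ($_.InKEK -or $_.InDb) }).Count -eq 0
$rows | Format-Table -AutoSize
Get-FirmwareVersionInfo | Format-List
"Servicing status : $(Get-SecureBootServicingStatus)"
"2023 CAs present : $updated"
```

Deployed through the MDM or EDR channel the article mentions, the `2023 CAs present` line gives a simple per-device flag for the "non-compliant endpoints" Arety describes; devices that report `False` and are no longer receiving Windows updates are the ones to raise with the OEM or segment.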