Microsoft is renewing Secure Boot certificates in Windows to prevent security problems in 2026

Microsoft has begun an important operation to refresh Secure Boot certificates in Windows devices to avoid potential security and compatibility issues in mid-to-late 2026. The move is necessary because the original certificates, first issued by Microsoft in 2011 with the introduction of Secure Boot, expire between June and October 2026, meaning that without an update, those certificates would soon become invalid.

Secure Boot is a security feature that is part of most modern Windows computers and prevents unauthorized code from being executed before the operating system is fully loaded. Basically, this technology verifies the digital signatures of software and drivers at the system boot stage, which helps defend against sophisticated threats, such as bootkit or rootkit malware that tries to interfere before Windows even starts.

Microsoft responded to the certificate expiration by issuing a new set of certificates in 2023. These already ship built in on most new computers, while older devices receive them automatically through regular Windows Update. Starting with the KB5074109 update for Windows 11, the new certificates are distributed through the standard Microsoft update process.

For most users, this process should go smoothly and without any manual intervention: the new certificates are installed automatically as their devices pick up regular Windows Update releases. However, some specialized computing environments, including servers or Internet of Things (IoT) devices, may require firmware updates from the OEM before the new certificates can be applied properly.

What happens if the certificates are not updated? According to Microsoft’s documentation, the computer will still boot and use Windows normally, but will enter a so-called “degraded security state,” meaning it won’t be able to receive new security updates or protections related to the boot phase, including patches for vulnerabilities in the Windows Boot Manager or additional revocation lists with new certificates and signatures.

It can also affect compatibility with future software and drivers that expect the updated certificates, including cases where third parties must sign their code with the new CA keys.

Another important consequence is that out-of-support Windows 10 devices must be enrolled in Microsoft’s Extended Security Updates (ESU) program in order to receive the new Secure Boot certificates, which underscores the strategic push toward newer versions of the system.

Essentially, this change represents a generational overhaul of the basic security foundation of the operating system, necessary for security reasons, but also as a precaution to prevent older certificates from becoming the weakest link in the chain of trust of Windows computers.

In the coming months, and especially before June 2026, IT administrators and power users are advised to check that their systems are up to date and that Windows Update is working properly, so that Secure Boot can continue to fulfill its critical role of protecting the system from the first stage of boot, reports The Verge.
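One way to do that check on a single machine, as an added example that is not part of the article or of Microsoft's guidance: the script below reads the UEFI Secure Boot variables through Windows' built-in `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets and reports whether the 2023 Microsoft CAs are already present. The CA subject strings and the `UEFICA2023Status` registry value are the publicly documented names for the 2023 rollout, not values quoted from the article; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article): report Secure Boot state and whether the
# 2023 Microsoft UEFI CAs have reached this machine's UEFI databases.
function Get-SecureBootCertStatus {
    $result = [ordered]@{
        SecureBootEnabled = $false
        Has2011CA         = $false   # original "Microsoft Windows Production PCA 2011" in db
        Has2023CA         = $false   # replacement "Windows UEFI CA 2023" in db
        Has2023KEK        = $false   # "Microsoft Corporation KEK 2K CA 2023" in KEK
        ServicingStatus   = 'unknown'
    }
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        # Legacy BIOS or a platform without Secure Boot support: nothing more to read.
        Write-Warning "Secure Boot state not readable: $_"
        return [pscustomobject]$result
    }
    # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST bytes of a variable.
    # Certificate subject names sit in the DER data as plain ASCII, so a substring
    # match is enough for a presence check (not for validating the certificates).
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $result.Has2011CA  = $db  -match 'Microsoft Windows Production PCA 2011'
    $result.Has2023CA  = $db  -match 'Windows UEFI CA 2023'
    $result.Has2023KEK = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    # Windows records its own progress of the CA rollout here; the value is absent
    # on builds that have not yet received the servicing update.
    $servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = (Get-ItemProperty -Path $servicingKey -ErrorAction SilentlyContinue).UEFICA2023Status
    if ($status) { $result.ServicingStatus = $status }
    [pscustomobject]$result
}

$status = Get-SecureBootCertStatus
$status | Format-List
if ($status.SecureBootEnabled -and -not ($status.Has2023CA -and $status.Has2023KEK)) {
    Write-Host 'The 2023 CAs are not fully in place yet: confirm Windows Update is applying' `
               'normally and check with the OEM whether a firmware update is required.'
}
```

A machine that reports the 2023 CA in both db and KEK with Secure Boot enabled is past the point at which the 2026 expiry would leave it in the degraded security state the article describes.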
