Windows Secure Boot certificates from 2011 are expiring soon, and that could bite your system if you don’t take a moment to check and update. You might be fine, but a quick update can save you headaches later this year.
Lori Grunin Senior Editor / Advice
In June 2025, Microsoft announced that, starting in June 2026, it would begin deprecating Secure Boot certificates issued in 2011. These older certificates have been superseded by the 2023 updates.
As the deadline approaches, it’s wise to tidy up your setup to avoid potential issues later in the year. If your device is managed by a company or school, system admins will handle this, and the process differs from the one for personal computers.
What are these certificates for?
The four certificates (see https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e) verify that the initial boot code loaded before Windows starts has not been tampered with. They’re used by Secure Boot, a standard security feature of the UEFI firmware in modern Windows PCs that is enabled by default. A mismatch doesn’t automatically mean malware is present, but it does mean the system can’t rule out the possibility.
When is this happening?
These certificates will begin expiring in June 2026 and continue through October 2026.
Which Windows versions are affected?
Broadly, this affects Windows 10 builds from 1607 onward and Windows 11. Detailed lists are available on Microsoft’s site. To receive Windows 10 certificate updates, you must be enrolled in the Extended Security Updates program.
What should you do?
Most users probably don’t need to take action. In many cases, Windows has already updated these certificates automatically, provided Secure Boot is enabled and updates are running. Automatic updates are planned to continue through the year.
If you want to be sure, you can verify your current certificate version. Unlike virus definitions, these updates are part of the routine, pauseable update process—think of them as firmware-related updates. Checking the current versions varies by system, so you may need to dig around a bit.
Updates began rolling out in 2024, so if your BIOS is fairly up to date, you should be fine. For example, you can paste msinfo32 into the Windows Start search and view the BIOS date.
If you’ve adjusted settings to reduce update frequency, ensure you didn’t accidentally skip them. If Secure Boot is disabled, these updates might not apply.
If you haven’t powered on an older machine in a while, it’s a good idea to boot it up and bring it current to prevent future problems.
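One way to run the check described above on a personal PC, as an added example that is not from the original article or from Microsoft: it reads the Secure Boot KEK and db variables with the built-in `Get-SecureBootUEFI` cmdlet and looks for each 2011 certificate and its 2023 replacement by name. It assumes an elevated PowerShell window and the certificate names as published in Microsoft's Secure Boot guidance.

```powershell
# Added example: run in an elevated PowerShell window on a UEFI PC.
# Confirm-SecureBootUEFI and Get-SecureBootUEFI are built-in Windows cmdlets.

# 2011 certificates and their 2023 replacements, by the names Microsoft publishes.
$pairs = @(
    @{ Var = 'KEK'; Old = 'Microsoft Corporation KEK CA 2011';     New = 'Microsoft Corporation KEK 2K CA 2023' }
    @{ Var = 'db';  Old = 'Microsoft Windows Production PCA 2011'; New = 'Windows UEFI CA 2023' }
    @{ Var = 'db';  Old = 'Microsoft Corporation UEFI CA 2011';    New = 'Microsoft UEFI CA 2023' }
    @{ Var = 'db';  Old = 'Microsoft Corporation UEFI CA 2011';    New = 'Microsoft Option ROM UEFI CA 2023' }
)

try {
    # Throws on legacy-BIOS systems and in non-elevated sessions.
    $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    Write-Warning "Cannot read Secure Boot state: $($_.Exception.Message)"
    return
}
"Secure Boot enabled: $enabled"

# Read each firmware variable once. Certificate subject names appear as
# readable text inside the certificate data, so a substring search finds them.
$text = @{}
foreach ($var in 'KEK', 'db') {
    $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
    $text[$var] = [System.Text.Encoding]::ASCII.GetString($bytes)
}

# A 2011 certificate without its 2023 replacement means the update has not
# been applied yet; if neither is present, that pair does not apply here.
$report = foreach ($p in $pairs) {
    $hasOld = $text[$p.Var].Contains($p.Old)
    $hasNew = $text[$p.Var].Contains($p.New)
    [pscustomobject]@{
        Variable = $p.Var
        Cert2023 = $p.New
        Has2011  = $hasOld
        Has2023  = $hasNew
        Status   = if ($hasNew) { 'Updated' } elseif ($hasOld) { 'Update pending' } else { 'Neither found' }
    }
}
$report | Format-Table -AutoSize
```

A row marked "Update pending" while Secure Boot is enabled and Windows Update is current is the case covered in the next section.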
What if they aren’t current?
If Secure Boot is enabled and Windows Update runs but the certificates still aren’t current, you’ll likely need instructions specific to your computer or motherboard (for custom builds). Microsoft provides links to OEM pages for Secure Boot updates.
What happens if I don’t update?
Expired certificates will definitely limit Windows’ ability to keep boot-time security features and databases current, which could introduce vulnerabilities. However, these certificates don’t automatically block code from loading or executing. Other security layers determine responses, which can range from simple notifications to more disruptive outcomes in certain configurations (for instance, affecting BitLocker or other features), depending on what’s installed and enabled on your system.
Enterprise devices, such as business laptops, tend to have multiple security layers that may restrict user changes, while personal machines may simply show a warning or proceed with limited impact. If Secure Boot is disabled, you may not notice any effect.