Microsoft Refreshes Secure Boot Root of Trust Ahead of 2026 Certificate Expirations

For most organizations, the key action is validation rather than intervention.

Key Takeaways:

  • Microsoft is proactively refreshing Secure Boot certificates before their June 2026 expiration to maintain firmware‑level security and future boot protections across supported Windows devices.
  • Most systems will receive the new certificates automatically via Windows Update, but some older or specialized devices may require OEM firmware updates to avoid a degraded security state.
  • Devices that miss the update will still boot, but they will gradually fall behind on critical boot‑level mitigations and future compatibility improvements.

Microsoft has begun refreshing the Secure Boot root of trust across the Windows ecosystem. The move is driven by the upcoming expiration of Secure Boot certificates first issued in 2011, which begin reaching end of life in late June 2026.

Secure Boot is a foundational security feature in Windows and Windows Server. It runs before the operating system loads and ensures that only trusted, digitally signed boot components are allowed to execute. Secure Boot is enforced using cryptographic certificates stored in a device’s UEFI firmware, forming a chain of trust that helps block bootkits, rootkits, and other low‑level attacks.

After more than 15 years, the original Microsoft Secure Boot certificates are being retired in line with standard cryptographic lifecycle practices. Microsoft is replacing them with a new set of certificates issued in 2023, which are designed to align with modern security expectations and ensure the platform can continue to receive future boot‑level protections.

How the rollout of new Secure Boot certificates works

Microsoft has already started deploying the new Secure Boot certificates through regular monthly Windows updates for in‑support versions of Windows used by home users, businesses, and schools with Microsoft‑managed updates. Organizations that manage updates themselves can control the rollout using their existing tools, including Group Policy, registry settings, and enterprise management platforms.

This is not just a Windows update exercise. Because Secure Boot operates at the firmware level, Microsoft has been working closely with OEMs, firmware vendors, and the broader UEFI ecosystem to ensure the transition can be carried out safely at scale. Many devices manufactured since 2024, and almost all systems shipped in 2025, already include the updated certificates and require no action from administrators.

For a small subset of systems, a firmware update from the device manufacturer may be required before the new certificates can be applied. Microsoft is advising organizations to review OEM support guidance and ensure devices are running current firmware.

What happens if systems aren’t updated with the new Secure Boot certificates?

Devices that do not receive the refreshed Secure Boot certificates before the old ones expire will continue to boot normally. However, they will enter a degraded security state. While existing protections remain in place, these systems will no longer be able to receive new Secure Boot mitigations as additional boot‑level vulnerabilities are discovered.

Over time, this can increase exposure to emerging threats and may also introduce compatibility issues with newer operating systems, firmware updates, hardware, or Secure Boot–dependent software.

Unsupported operating systems, including Windows 10 systems that are not enrolled in Extended Security Updates, will not receive the new certificates.

What IT admins should do now

For most organizations, the key action is validation rather than intervention. Ensure that Windows Update or your chosen update management solution is deploying current monthly updates, and confirm that device firmware is up to date, particularly for older hardware or specialized systems such as servers and embedded devices.
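One way to run that validation per device, as an added PowerShell check that is not part of the article or of Microsoft's own tooling: it confirms Secure Boot is enforced, looks for the 2023 CAs in the firmware db and KEK, reads the Windows servicing status for the refresh, and flags firmware older than a configurable cut-off for an OEM review. The CA subject names, the `UEFICA2023Status` registry value and the two-year "old firmware" heuristic are assumptions drawn from Microsoft's public Secure Boot guidance, not from this page; confirm them against the current KB before fleet use.

```powershell
# Added validation script (not from the article). Run elevated on a UEFI Windows device.
# ASSUMPTION: CA subject names and the UEFICA2023Status value follow Microsoft's published
# Secure Boot guidance; the firmware-age cut-off is only a triage heuristic.
[CmdletBinding()]
param(
    [string[]] $DbCaNames = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023'),
    [string]   $KekCaName = 'Microsoft Corporation KEK 2K CA 2023',
    [datetime] $OldFirmwareBefore = (Get-Date).AddYears(-2)
)

function Get-UefiVarText {
    # Signature databases hold DER certificates; subject names sit in them as plain ASCII,
    # so an ASCII decode is enough for a name search. Returns '' if the variable is unreadable.
    param([string] $Name)
    try { [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Name).Bytes) } catch { '' }
}

function Test-SecureBootCertRefresh {
    $r = [ordered]@{
        ComputerName = $env:COMPUTERNAME; SecureBootEnabled = $false
        DbHas2023CA = $false; KekHas2023CA = $false; ServicingStatus = 'Unknown'
        FirmwareVersion = $null; FirmwareDate = $null; FirmwareLooksOld = $false; Action = ''
    }
    # Confirm-SecureBootUEFI throws on legacy BIOS or where Secure Boot is unsupported.
    try { $r.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) } catch { }

    if ($r.SecureBootEnabled) {
        $db  = Get-UefiVarText -Name 'db'
        $kek = Get-UefiVarText -Name 'KEK'
        $r.DbHas2023CA  = [bool]($DbCaNames | Where-Object { $db.Contains($_) })
        $r.KekHas2023CA = $kek.Contains($KekCaName)
    }
    # Windows records its own progress on the refresh here (e.g. NotStarted, InProgress, Updated).
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
                            -Name UEFICA2023Status -ErrorAction SilentlyContinue
    if ($svc) { $r.ServicingStatus = $svc.UEFICA2023Status }

    $bios = Get-CimInstance -ClassName Win32_BIOS
    $r.FirmwareVersion  = $bios.SMBIOSBIOSVersion
    $r.FirmwareDate     = $bios.ReleaseDate
    $r.FirmwareLooksOld = [bool]($bios.ReleaseDate -and $bios.ReleaseDate -lt $OldFirmwareBefore)

    $r.Action = if (-not $r.SecureBootEnabled)               { 'Enable Secure Boot in firmware, then re-run' }
                elseif ($r.DbHas2023CA -and $r.KekHas2023CA) { 'None: 2023 CAs already present' }
                elseif ($r.FirmwareLooksOld)                 { 'Check OEM for a firmware update before relying on Windows Update' }
                else                                         { 'Confirm monthly updates are applying; re-run after the next cycle' }
    [pscustomobject] $r
}

Test-SecureBootCertRefresh
```

Because the function emits an object rather than text, the output can be piped to `Export-Csv` from a management tool to build a fleet-wide view of which devices still lack the new root of trust.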

Microsoft describes this effort as a necessary refresh of the platform’s root of trust. For IT teams, it’s another reminder that firmware‑level security is no longer a “set it and forget it” component of Windows defense but an active part of the modern patching lifecycle.