Microsoft is issuing new Secure Boot certificates to Windows PC users, as the initial certificates are reaching the end of a planned lifespan after 15 years and are set to expire in June 2026.
The company has been issuing new certificates as part of Windows updates for personal users, businesses, and schools that let Microsoft manage their updates.
Secure Boot is a process that runs at startup, prior to Windows loading, and uses cryptographic keys to verify that only trusted software can run. In a blog post, Nuno Costa, the partner director for Windows servicing and delivery, writes that "Retiring old certificates and introducing new ones is a standard industry practice that helps prevent aging credentials from becoming a weak point and keeps platforms aligned with modern security expectations."
But if you bought a PC in 2025, you're probably already set. Costa writes that Microsoft has been working with OEM partners, which have been obtaining new certificates since 2024. Machines from OEMs starting from 2024 and "almost all" systems shipped in 2025 already have new Secure Boot certificates. So if you bought one of the best ultrabooks or best gaming laptops, you should be in the clear.
If you let Microsoft to handle your PC updates, your certificates will be installed through the standard Windows update process. Microsoft is also recommending ensuring you have the latest firmware from vendor support pages. Microsoft points out that some servers or IOT devices may have different processes, and that a "fraction of devices" may require firmware updates from manufacturers before new Secure Boot certificates can be applied through Windows Update.
If your certificate expires, your PC should function as expected, though its security will be compromised.
"As new boot‑level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations," Costa writes. “Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware, or Secure Boot–dependent software may fail to load."
Of course, if you're running an unsupported version of Windows, including Windows 10, which ended support in October 2025, you won't get Windows updates, including the new Secure Boot certificates. (That is, with the exception of people and businesses taking part in the Extended Security Updates program).
That also gives Microsoft another chance to encourage its customers to switch to Windows 11, but this time for security's sake: "We continue to encourage customers to always use a supported version of Windows for best performance and protection."
IT professionals have been on top of the certificates for quite some time. Back in November, the Windows IT Pro blog put up a "Secure Boot playbook."
While some recent Windows updates have caused system instability or other issues, you're still better off keeping your system up to date, especially if it's affecting your computer's security for years to come.
Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.
