Windows Secure Boot Certificates From 2011 Will Soon Expire: What You Need to Know
You might already be prepared, but it's still a good idea to double-check and update if necessary. Here's what you need to know about the upcoming changes and how to ensure your system stays secure.
The Issue at Hand
In June 2025, Microsoft announced a significant update regarding Secure Boot certificates for Windows systems. Starting in June 2026, they will begin deprecating Secure Boot certificates from 2011, which were replaced by their 2023 counterparts. This means that these older certificates will no longer be supported, potentially impacting your system's security.
What are Secure Boot Certificates?
These certificates play a crucial role in verifying the integrity of your system's initial boot processes. They ensure that the software loaded directly by your system, even before Windows starts, hasn't been tampered with. This is achieved through Secure Boot, a standard feature built into the firmware of all modern Windows systems. It is part of the Unified Extensible Firmware Interface (UEFI) and is enabled by default.
When Will This Happen?
The certificate expiration process will begin in June 2026 and continue through October 2026. It's essential to act now to avoid any potential issues later this year.
Which Windows Versions are Affected?
This update primarily affects Windows 10 version 1607 or later and Windows 11. Microsoft provides detailed lists of affected versions on its support website. However, to receive the certificate updates for Windows 10, you must enroll in the Extended Security Updates program.
What Do You Need to Do?
Most likely, you won't need to take any action. Windows will automatically update these certificates as long as Secure Boot is enabled and automatic updates continue throughout the year. Simply ensuring that Secure Boot is enabled and running Windows Update should keep your system up to date.
However, if you've been adjusting settings to reduce update frequency or have disabled Secure Boot, you might need to manually check and update the certificates. You can see which certificate versions are currently installed by opening your BIOS (UEFI firmware) settings; where they appear varies by computer model.
Potential Risks of Not Updating
If you don't update your certificates, your system may be vulnerable to security risks. Expired certificates prevent Windows from keeping boot-time security features and databases current, which could leave your system open to potential threats. However, it's important to note that the certificates don't prevent code from loading or executing; other software layers determine the system's response.
Stay Informed and Secure
To stay on top of your system's security, regularly check for updates and ensure that Secure Boot is enabled. If you encounter any issues or need further assistance, consult Microsoft's support resources or seek help from your system administrators.