Following nearly 15 years of continuous use, the original cryptographic certificates supporting Windows Secure Boot are being replaced, in what Microsoft describes as one of the largest coordinated security maintenance efforts in the Windows ecosystem.
Launched alongside Windows 8, Secure Boot was designed to prevent unauthorized code from loading during system startup. The foundational encryption certificates that have anchored the trust chain since inception are scheduled to reach end-of-life in June 2026.
Nuno Costa, a program manager in Microsoft’s Windows Servicing and Delivery division, detailed the upcoming changes in an official Windows blog post. The retirement follows standard industry practice around cryptographic credential management.
“As cryptographic security evolves, certificates and keys must be periodically refreshed to maintain strong protection,” Costa wrote. “Retiring old certificates and introducing new ones is a standard industry practice that helps prevent aging credentials from becoming a weak point and keeps platforms aligned with modern security expectations.”
Microsoft issued updated Secure Boot certificates in 2023, yet the original certificates, dating back to 2011, have continued validating the boot process across several Windows generations. The company is now working closely with hardware makers and OEM partners to roll out firmware updates to millions of devices worldwide.
The complexity comes from Secure Boot’s place in the system stack. As part of the UEFI framework that governs PC initialization, firmware updates must be coordinated carefully to prevent boot issues.
Deployment of the new certificates will occur across several distribution channels. OEMs will push UEFI firmware updates to compatible motherboards, while supported Windows installations will ingest the certificates through Windows Update in conjunction with monthly security patch cycles.
Enterprise organizations retain flexibility in the transition, with Microsoft supporting customization through preferred management tools for business environments.
Automatic certificate delivery through Windows Update will be limited to systems still covered by Microsoft support. That includes Windows 11 devices and Windows 10 machines enrolled in the Extended Security Updates program. PCs outside those boundaries will not receive the new certificates, raising the prospect of a widening security gap across the installed base.
Costa stressed that systems still relying on the expiring 2011 certificates will not abruptly fail to boot. Over time, however, their security protections will weaken in a measurable way.
“A device still using the 2011 certificates should continue to boot as expected,” Costa noted. However, he warned that such PCs would operate in a “degraded” security state that may preclude them from receiving future firmware-level protections.
“As new boot-level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations,” Costa said. “Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware, or Secure Boot-dependent software may fail to load.”
Dell has published guidance for users seeking to verify whether newer Secure Boot certificates are available for their specific systems.
Systems that do not rely on Secure Boot are expected to continue functioning as usual after the certificates expire. Still, Secure Boot has taken on a broader role in the modern Windows security model.
Over the years, the protocol has faced high-profile security issues, including the PKfail vulnerability, which revealed flaws in the certificate supply chain. Even so, Secure Boot adoption has broadened, especially in online gaming, where a growing number of titles and MOBAs now require it. That shift has left some Linux users and owners of older yet still capable gaming hardware at a disadvantage.
However, Microsoft has described the certificate refresh as routine preventative maintenance, not a reaction to any immediate threat.
Maybe you would like other interesting articles?