Microsoft sets 2026 deadline for Secure Boot certificate expiration

Microsoft has issued new guidance warning that 2011 Secure Boot certificates begin expiring in June 2026. Windows updates are rolling out 2023 replacement certificates, with some PCs requiring OEM firmware updates.

Microsoft is warning Windows users and IT admins that the original Secure Boot certificates issued in 2011 begin expiring in June 2026, with additional expirations stretching into October 2026. The company says it has already started updating affected systems with a new set of 2023 certificates, delivered through regular Windows updates for many devices.

The notice appears in Microsoft’s January 13, 2026, Patch Tuesday release notes for Windows 11 (KB5074109) under “Windows Secure Boot certificate expiration,” where Microsoft calls out the June 2026 start date and points users to preparation guidance.

On February 10, 2026, Microsoft also published KB5079373 (“When Secure Boot certificates expire on Windows devices”), summarizing what the expiration means and reiterating that most devices should be updated automatically, while some may require OEM firmware updates.

What changes when the 2011 certificates start expiring

Microsoft says devices that reach the expiration date should still boot normally and continue receiving standard Windows updates. The key difference is that systems missing the newer certificates will no longer be able to receive new protections for the early boot process, including updates tied to Windows Boot Manager, Secure Boot databases, revocation lists, and fixes for newly discovered boot-chain vulnerabilities.

In its broader Secure Boot certificate explainer (KB5062710), Microsoft similarly warns that while day-to-day use may look unchanged, impacted machines become progressively less protected over time as new boot-level threats emerge.

Which certificates are expiring, and what replaces them

In its IT guidance, Microsoft lists three Microsoft-provided Secure Boot certificates that have been in use since the Windows 8 / Windows Server 2012 era, and says they begin expiring in June 2026 and will have expired by October 2026.

Microsoft is moving devices to 2023 certificate authorities, including new entries used for signing Secure Boot database updates and Windows boot components, and notes that some environments may require adding separate 2023 certificates depending on what a device needs to trust (for example, Option ROM-related trust).

What users and organizations should do now

For most consumer PCs, Microsoft says the replacement certificates should arrive through Microsoft-managed updates, but it cautions that some systems may require an OEM firmware update for the new certificates to apply correctly. Microsoft also advises against disabling Secure Boot as a workaround.

For managed fleets, Microsoft’s guidance and playbook outline ways to inventory, monitor, and deploy the changes (including Intune, Group Policy, and registry-based methods) ahead of the June 2026 deadline.
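As an added illustration of the inventory step (not code from Microsoft or from this article), the Python sketch below parses a raw Secure Boot `db` variable in the UEFI `EFI_SIGNATURE_LIST` layout and reports whether the 2011 and 2023 Windows boot-signing CAs are present. It assumes the blob has already been exported from the device; the CA names are Microsoft's published certificate names rather than values from this article, and the sample blobs are constructed stand-ins, not real certificates.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Microsoft's published CA names (assumption: not quoted in the article).
CA_2011 = "Microsoft Windows Production PCA 2011"
CA_2023 = "Windows UEFI CA 2023"
HDR = 28  # 16-byte type GUID + three little-endian uint32 size fields

def iter_x509_entries(db: bytes):
    """Yield (owner_guid, cert_bytes) for every X.509 entry in a db blob."""
    off = 0
    while off < len(db):
        if len(db) - off < HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=db[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", db, off + 16)
        if (list_size < HDR + hdr_size or off + list_size > len(db)
                or sig_size <= 16):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + HDR + hdr_size, off + list_size
        while pos + sig_size <= end:
            if sig_type == EFI_CERT_X509_GUID:  # skip hash-only lists
                owner = uuid.UUID(bytes_le=db[pos:pos + 16])
                yield owner, db[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def db_status(db: bytes) -> dict:
    """Summarise which boot-signing CAs the db trusts (by subject-name match)."""
    certs = [cert for _, cert in iter_x509_entries(db)]
    def trusted(name: str) -> bool:
        return any(name.encode("ascii") in cert for cert in certs)
    return {"x509_entries": len(certs),
            "has_2011": trusted(CA_2011), "has_2023": trusted(CA_2023)}

def _sample_list(sig_type: uuid.UUID, payload: bytes) -> bytes:
    """Build one constructed signature list holding a single entry."""
    sig = uuid.UUID(int=0).bytes_le + payload  # zero owner GUID + data
    return sig_type.bytes_le + struct.pack("<III", HDR + len(sig), 0, len(sig)) + sig

# Constructed samples: payloads are placeholder bytes, not real DER certificates.
SAMPLE_OLD = _sample_list(EFI_CERT_X509_GUID, b"CN=" + CA_2011.encode())
SAMPLE_UPDATED = (SAMPLE_OLD
                  + _sample_list(EFI_CERT_X509_GUID, b"CN=" + CA_2023.encode())
                  + _sample_list(EFI_CERT_SHA256_GUID, bytes(32)))

if __name__ == "__main__":
    print("not yet updated:", db_status(SAMPLE_OLD))
    print("updated:        ", db_status(SAMPLE_UPDATED))
```

A device whose result shows `has_2011` without `has_2023` is one that still needs the replacement certificate applied before the 2011 CA expires.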

Third-party reporting on the rollout notes Microsoft is treating this as a “generational refresh” of the boot trust chain, with updates now being delivered through regular Windows servicing for in-support devices.

Darryl Linington, 2026-02-10 (Update: 2026-02-10)