Best before June: Microsoft urges Secure Boot certificate updates

Microsoft is retiring the Secure Boot certificates from 2011. What does this mean for users?
- Secure Boot certificates from 2011 expire in June 2026, requiring users to install updated certificates on their devices to maintain security protections.
- Users can verify if their device has the updated certificates in the Windows Security app.
- Windows 10 devices not in ESU won’t get the new Secure Boot certificates.
- Skipping the update leaves boot-level security outdated and more vulnerable.
The old Secure Boot certificates will expire in June 2026, so consumers need to install new certificates on their devices by this date.
The update is required to “ensure Windows devices continue to verify trusted boot software,” the company states.
Microsoft also notes that while devices that do not get the new certificates will continue working normally and receive standard updates, they will no longer be able to get new security protections related to the early boot process.
The new version includes “updates to Windows Boot Manager, Secure Boot databases, revocation lists, or mitigations for newly discovered boot level vulnerabilities.”
How to check if Secure Boot is updated?
Devices that are a few years old are most likely already running the updated certificates.
If you own an older computer, you can check whether your device is running the updated Secure Boot keys (introduced in 2023) by opening the Windows Security app.
Find “Device security,” where you can check the Secure Boot status.
The green status means that the updated certificates are active, while yellow and red indicate that a certificate update is needed or has failed.
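A scripted equivalent of the Windows Security check above, as an added example that is not from the article or from Microsoft: it reads the Secure Boot variables with the built-in `Get-SecureBootUEFI` cmdlet and looks for the 2023 certificate names. The certificate names come from Microsoft's Secure Boot documentation rather than from this article, the helper name `Test-SecureBootVariableContains` is hypothetical, and the script assumes an elevated PowerShell session on UEFI firmware.

```powershell
# Added example (not from the article). Requires an elevated session on UEFI firmware.

# Hypothetical helper: does the named Secure Boot variable contain a certificate
# whose subject includes $CommonName? Returns $null if the variable cannot be read.
function Test-SecureBootVariableContains {
    param(
        [Parameter(Mandatory)][string]$Variable,    # UEFI variable, e.g. 'db' or 'KEK'
        [Parameter(Mandatory)][string]$CommonName   # certificate name to look for
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    } catch {
        return $null
    }
    # Certificates are stored DER-encoded; the subject name is readable as ASCII text.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text -match [regex]::Escape($CommonName)
}

# 2023 certificate names per Microsoft's documentation (assumption: not listed in the article).
$expected = @(
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Variable = 'db';  Name = 'Windows UEFI CA 2023' },
    @{ Variable = 'db';  Name = 'Microsoft UEFI CA 2023' },
    @{ Variable = 'db';  Name = 'Microsoft Option ROM UEFI CA 2023' }
)

try {
    # Returns $true/$false; throws on legacy BIOS systems or without elevation.
    $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
    return
}
Write-Host "Secure Boot enabled: $enabled"

# Report each certificate separately so a partial update is visible.
foreach ($cert in $expected) {
    $found  = Test-SecureBootVariableContains -Variable $cert.Variable -CommonName $cert.Name
    $status = if ($null -eq $found) { 'unreadable' } elseif ($found) { 'present' } else { 'missing' }
    [pscustomobject]@{
        Variable    = $cert.Variable
        Certificate = $cert.Name
        Status      = $status
    }
}
```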
The new certificate updates were already automatically released to support Windows 11 and active Windows 10 devices in Microsoft’s extended security update (ESU) program starting in April 2026.
After the system update in April, it was noticed that some devices “might experience one additional restart during installation.”
“This one‑time restart occurs after a Secure Boot certificate update is applied as part of the Secure Boot update process,” notes Microsoft.
The company also warns that the Secure Boot update applies to Windows 11 devices with eligible security updates, Forbes reports.
This means that owners of devices still running Windows 10 will not receive these updates unless they’re enrolled in Microsoft’s ESU program.
What happens if you don’t update Secure Boot in 2026?
Skipping or avoiding the update won’t have an immediate impact on the device, as it will still receive regular software updates.
However, missing Secure Boot updates will leave the device’s security protections outdated, increasing the risk of device compatibility or boot-trust issues.
The 2026 Secure Boot update is needed because it replaces the old, expired certificates with new ones, enabling the device to recognize newer security threats and block compromised bootloaders.