Microsoft Refreshes Secure Boot Certificates for Windows 11 and Windows 10 ESU Users

Microsoft has announced a major security initiative to refresh Secure Boot certificates that were originally introduced in 2011 and are now expiring. The company is rolling out updated certificates to Windows 11 and Windows 10 Extended Security Updates (ESU) users starting in March, marking what has been described as one of the largest coordinated security maintenance efforts across the Windows ecosystem.

Why Secure Boot Certificates Matter

Secure Boot is a critical security feature that runs during system startup, before Windows loads. It uses cryptographic keys to verify that only trusted bootloaders can load on computers with UEFI firmware, helping block malicious software such as rootkits from executing during system startup. The original certificates, deployed over 15 years ago, are reaching the end of their planned lifecycle and will begin expiring in late June 2026.

“As cryptographic security evolves, certificates and keys must be periodically refreshed to maintain strong protection,” explained Nuno Costa, Partner Director of Windows Servicing and Delivery, in a recent announcement. “Retiring old certificates and introducing new ones is a standard industry practice that helps prevent aging credentials from becoming a weak point and keeps platforms aligned with modern security expectations.”

What Happens Without the Update

While systems will continue to function normally without the new certificates, Microsoft warns they will enter “a degraded security state” that limits their ability to receive future boot-level protections. This means devices won’t be protected from malware and viruses targeting vulnerabilities in older versions of Windows. As new boot-level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations.

How to Get the New Certificates

Most users will receive the updated Secure Boot certificates automatically through regular Windows Update if they allow Microsoft to manage their updates. However, some devices may first require a firmware update from the system or motherboard OEM before the new certificates can be applied.

The rollout timeline varies based on device age:

  • Devices manufactured in 2024 and later already have the updated 2023 certificates installed
  • Most devices shipped in 2025 already include the new certificates
  • Older devices will receive them through monthly Windows updates or may require separate firmware updates from manufacturers

Users will be able to track the status of their security certificates in the Windows Security app in the coming months.

Who Is Eligible for Updates

The new Secure Boot certificates are only coming to Windows 11 systems and Windows 10 PCs subscribed to Microsoft’s Extended Security Updates program. Unsupported versions of Windows, including standard Windows 10, will not receive the new certificates. This continues Microsoft’s push to encourage users to upgrade to Windows 11, which now officially powers more than a billion devices.

Microsoft has been working closely with major OEMs including Dell and HP to ensure a smooth transition to the new Secure Boot certificates. Organizations can also deploy Secure Boot certificates using registry keys, Group Policy settings, and the Windows Configuration System (WinCS) to ensure endpoints maintain Windows Boot Manager and Secure Boot protections.
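To see where a given machine stands before relying on the automatic rollout, an administrator can read the Secure Boot variables directly. The script below is an added example, not from the article or from Microsoft; the 2023 certificate names and the servicing registry value it looks for are the ones Microsoft has published in its Secure Boot servicing guidance, and it assumes an elevated PowerShell session on a UEFI system.

```powershell
# Added example (not part of the article): report whether this machine's KEK and db
# already contain the 2023 Secure Boot certificates. Run from an elevated prompt.
# Certificate names are from Microsoft's published guidance, not from the article.
$expected = @{
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
    db  = @('Microsoft UEFI CA 2023', 'Windows UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
}

if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is disabled or unsupported on this machine; nothing to check.'
    return
}

foreach ($var in $expected.Keys) {
    # Each variable is an EFI signature list of DER-encoded certificates. The subject
    # CN is stored as plain ASCII inside the DER, so a string search is enough to
    # tell whether a given CA is enrolled without parsing the ASN.1 structure.
    $bytes = (Get-SecureBootUEFI -Name $var).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    foreach ($name in $expected[$var]) {
        $state = if ($text.Contains($name)) { 'present' } else { 'MISSING' }
        '{0,-4} {1,-36} {2}' -f $var, $name, $state
    }
}

# Windows records its own view of the certificate servicing progress under this key
# (value name per Microsoft's servicing guidance; absent until servicing has run).
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
if ($svc -and $svc.PSObject.Properties['UEFICA2023Status']) {
    "UEFICA2023Status: $($svc.UEFICA2023Status)"
} else {
    'UEFICA2023Status: not recorded (servicing not started or update not yet installed)'
}
```

A row marked MISSING on a device that has already received the relevant Windows update usually means the OEM firmware update mentioned above has not been applied yet, which is the case worth escalating to the hardware vendor.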

Photo by stevepb on Pixabay