Refreshing the root of trust: industry collaboration on Secure Boot certificate updates

Secure Boot is a foundational security feature of the Windows and Windows Server experience, providing protection from the moment a device powers on. Introduced in 2011, Secure Boot runs at startup – before Windows loads – and helps ensure only trusted, digitally signed software can execute. By blocking untrusted code at the earliest stage of the boot process, Secure Boot helps defend against sophisticated threats that can be difficult to detect later.

This trust is enforced through certificates stored in a PC’s firmware. After more than 15 years of continuous service, the original Secure Boot certificates are reaching the end of their planned lifecycle and begin expiring in late June 2026.

As cryptographic security evolves, certificates and keys must be periodically refreshed to maintain strong protection. Retiring old certificates and introducing new ones is a standard industry practice that helps prevent aging credentials from becoming a weak point and keeps platforms aligned with modern security expectations.

We’ve begun rolling out new certificates as part of the regular monthly Windows updates to in-support Windows devices for home users, businesses and schools with Microsoft-managed updates. Organizations also have the option to manage the update process themselves using their preferred management tools.

Microsoft and device ecosystem preparation​

Refreshing new certificates represents one of the largest coordinated security maintenance efforts across the Windows ecosystem, spanning Windows servicing, firmware updates and millions of unique device configurations delivered by hardware manufacturers, or original equipment manufacturers (OEMs), worldwide. Because Secure Boot operates at the firmware level and affects how a PC starts, these changes have required careful preparation to help minimize disruptions while maintaining security and device reliability at scale.

This work included close collaboration with device manufacturers and firmware providers responsible for the Unified Extensible Firmware Interface (UEFI) on a standards-based approach. This effort also included adding servicing capabilities and tools to enable gradual, monitored deployment, as well as firmware improvements to help ensure certificate updates can be applied safely.

Our ecosystem partners play a critical role in the transition to the new Secure Boot certificates. OEMs have been provisioning updated certificates on new devices and many newer PCs built since 2024, and almost all the devices shipped in 2025, already include the certificates and require no action from customers. OEM partners have also worked closely with our engineering teams to ensure that in‑market devices can apply the updates seamlessly and have provided their own guidance to help customers prepare for the transition. Here are some insights from our OEMs that provide further perspective:

“Security is integral to everything we build at Dell Technologies, and Secure Boot safeguards are critical to maintaining device trust. We collaborated early with Microsoft’s engineering teams to prepare a smooth transition process for our customers. We planned for real‑world needs – from tightly managed fleets in regulated industries to resilient systems at the edge – so customers across use cases have a clear migration path. This complex, large‑scale effort provides organizations with a well-supported Secure Boot transition that strengthens device security.” – Rick Martinez, Dell Fellow and Vice President, CTO Security, Dell Technologies.

“HP is working closely with Microsoft to ensure firmware updates are available so that all supported HP PCs running Windows 11 can adopt the new Secure Boot certificates before legacy certificates expire. We are also working closely with our customers to ensure that their business operations are not impacted and they are prepared with the right level of validation and controls. Our collaboration supports continued trust, minimizes disruption and reinforces our joint focus on security.” – Vali Ali, HP Fellow and Chief Technologist, Security and Privacy, HP Inc.

“Preparing for the Secure Boot certificate expiration has been a coordinated effort between Lenovo and Microsoft across multiple teams. By working closely throughout the planning, testing and rollout phases, we’re helping ensure customers stay protected, informed and supported – without interruption to their business.” – Tom Butler, VP Worldwide Commercial Portfolio and Product Management, Lenovo PC.

What happens when the certificates expire? ​

If a device does not receive the new Secure Boot certificates before the 2011 certificates expire, the PC will continue to function normally, and existing software will keep running. However, the device will enter a degraded security state that limits its ability to receive future boot-level protections.

As new boot‑level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations. Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware or Secure Boot–dependent software may fail to load.

It’s important to note that devices running unsupported versions (Windows 10 and older, excluding those who have enrolled in Extended Security Updates) do not receive Windows updates and will not receive the new certificates. We continue to encourage customers to always use a supported version of Windows for best performance and protection. For more information, see Windows 11 Specs and System Requirements | Microsoft Windows and Windows 10 support has ended on October 14, 2025 – Microsoft Support.

What actions do users need to take?​

For most individuals and businesses that allow Microsoft to manage PC updates, the new certificates will be installed automatically through the regular monthly Windows update process, with no additional action required. Some specialized systems such as certain server or IoT devices may follow different update processes and should be evaluated as a part of deployment planning. For a fraction of devices, a separate firmware update from the device manufacturer may be required before the system can apply the new Secure Boot certificates delivered via Windows Update. To prepare, we recommend that customers check their OEM support pages to ensure they have the latest firmware updates.

In the coming months, messages about the certificate update status will be available in the Windows Security App to help consumers track the certificate updates more closely. For more details, see Windows devices for home users, businesses and schools with Microsoft-managed updates.

For organizations, the new certificates are delivered through the regular monthly Windows updates where devices provide sufficient diagnostic data to validate readiness.

In scenarios where devices cannot be confidently validated through this approach, organizations should plan to deploy and monitor the new certificates using the IT administrator playbook and their existing management tools.

What is next and support ​

We’re rolling out these new certificates in collaboration with our ecosystem partners in a careful, phased approach informed by broad testing, staged data-based rollout and coordination with device manufacturers. Even so, given the diversity of device models, firmware versions and usage scenarios, a limited number of devices may require additional support during the update process.

If individuals or organizations encounter an issue, help is available. Here are the first steps to take should you run into an issue:

• Ensure devices are running the latest monthly Windows updates.
• Check that the latest firmware version is installed by checking your OEM’s support page.
• If these don’t work, contact support:
  • Device owners using Windows Personal and Family accounts can leverage online support channels and phone numbers.
  • Enterprise customers can rely on Microsoft’s existing IT support channels and documentation to help ensure a smooth update. For authoritative documentation and the latest guidance, visit Windows Secure Boot certificate expiration and CA updates - Microsoft Support.

Microsoft and device manufacturers have prepared both consumer and commercial support teams with specific guidance related to Secure Boot certificate updates and are ready to assist customers.

A secure foundation for the future​

The Secure Boot certificate update marks a generational refresh of the trust foundation that modern PCs rely on at startup. By renewing these certificates, the Windows ecosystem is ensuring that future innovations in hardware, firmware and operating systems can continue to build on a secure, industry-aligned boot process.

Security at this level is not a one‑time event, but an ongoing responsibility shared across Microsoft and the broader PC ecosystem. Throughout this effort, we’ve appreciated the collaboration from device manufacturers and firmware partners to support an efficient and safe deployment. That collaboration has focused on proactive planning, transparency and providing the visibility, tools and guidance customers need to navigate the transition with confidence.

With this update underway, customers can expect Secure Boot to remain a reliable and resilient security foundation for Windows devices, supporting both today’s systems and the next generation of PCs.

• To learn more about Secure Boot and actions you can take as an IT pro to prepare, visit the Secure Boot Playbook at https://aka.ms/SecureBootPlaybook.
• For additional support resources, visit https://aka.ms/GetSecureBoot.