May 26, 2026

End of Secure Boot Certificates Set for June 2026: Implications for Windows Users

In June 2026, the original Secure Boot certificates, a key component of modern computer security, will officially expire. These certificates have governed hardware authentication within the Windows ecosystem since 2011.

Secure Boot is an industry-standard security feature designed to ensure that only trusted software, approved by the original equipment manufacturer (OEM), is loaded during the computer’s startup process. The system relies on a strict hierarchy of digital keys embedded in the motherboard’s firmware, which verifies the signatures of drivers, EFI applications, and the operating system bootloader against a designated database (DB), while also checking a blacklist of compromised software (DBX).

The initial certificates were integrated into firmware in 2011 with a validity period of 15 years. As this deadline approaches, operating systems must record new certificates, identified as ‘Windows UEFI CA 2023’, in the Unified Extensible Firmware Interface (UEFI) to maintain the chain of trust.

Microsoft engineers have reassured users that computers will not become inoperable if updated certificates are not installed by the June 2026 deadline. However, the security of these systems will begin to deteriorate significantly.

Firstly, critical updates for the bootloader will cease. Microsoft will no longer be able to sign low-level patches with the 2011 key, meaning that computers lacking the 2023 certificates will stop receiving updates for boot files.

Secondly, there will be an increased vulnerability to rootkits, a class of malicious software that gains administrative privileges within the operating system and uses them to conceal its presence and other harmful programs. Devices will be unable to update the DBX databases, leaving them exposed to new malware that targets PCs before the operating system itself is launched.

Additionally, this situation will prevent the installation of future Windows versions, as new installers will require the presence of the updated keys.

The firmware update process will occur automatically through cumulative Windows Update packages and controlled deployments. Users may notice multiple restarts during installation; this is standard behavior, needed for the phased embedding of the certificates, their activation in UEFI, and the restart into the new bootloader.

Microsoft has confirmed that this process is fully compatible with BitLocker encryption and the Virtual Secure Mode (VSM) environment. There is no need to manually pause disk encryption, as the system will automatically reassign access keys during restarts. However, on older PCs with Legacy BIOS or Secure Boot disabled, updates will be automatically ignored to prevent damage to boot sectors.

To check the status of Secure Boot on their PCs, users can navigate to: Windows Security -> Device Security -> Secure Boot section. The system will display one of three statuses:

  • Green checkmark: All certificates have been successfully updated and applied, and the PC is ready for the deadline.
  • Yellow exclamation mark: New keys have been delivered to the PC but have not yet been recorded in the firmware (often indicating that the device is awaiting a scheduled reboot).
  • Red stop sign: Updates are blocked due to incompatibility or hardware limitations of the motherboard. In this case, the application will provide instructions for correcting the BIOS configuration.
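
The same check can be scripted, for instance across a pilot group of machines. The following is an added example, not code from the article or from Microsoft: the function name `Get-SecureBootCertStatus` is hypothetical, it relies on the built-in `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets, and it looks for the certificate name as a plain substring in the raw `db` variable. It reports what the firmware holds and does not reproduce the three statuses shown in Windows Security.

```powershell
# Added example: report Secure Boot state and whether the new CA is in the firmware db.
# Run from an elevated PowerShell session on the machine being checked.
function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param(
        # Certificate name as given in the article text.
        [string]$NewCaName = 'Windows UEFI CA 2023'
    )

    $result = [ordered]@{
        Computer   = $env:COMPUTERNAME
        SecureBoot = 'Unknown'   # Enabled / Disabled / Unavailable
        NewCaInDb  = $null       # $true / $false once db has been read
        Note       = ''
    }

    try {
        # Returns $true or $false on UEFI systems. On Legacy BIOS, or without
        # elevation, the cmdlet raises an error instead of returning a value.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $result.SecureBoot = if ($enabled) { 'Enabled' } else { 'Disabled' }
    }
    catch {
        $result.SecureBoot = 'Unavailable'
        $result.Note = "Secure Boot query failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    try {
        # db is the allowed-signature database. The certificate subject name is
        # stored as readable text inside the DER data, so a substring match on
        # the decoded bytes is enough to detect its presence.
        $db   = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        $result.NewCaInDb = $text.Contains($NewCaName)
        if (-not $result.NewCaInDb) {
            $result.Note = "'$NewCaName' not found in db; update not yet applied to firmware."
        }
    }
    catch {
        $result.Note = "Could not read db: $($_.Exception.Message)"
    }

    return [pscustomobject]$result
}

Get-SecureBootCertStatus | Format-List
```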

For corporate networks, Microsoft advises against implementing a blanket policy for key updates across all machines without prior testing on select groups of devices, as conflicts may arise from motherboard settings that differ between OEMs.

The next scheduled update for root security certificates is projected for 2038, when the industry is expected to transition to post-quantum cryptography.

The expiration of Secure Boot certificates in June 2026 poses significant security risks for Windows users who fail to update their systems. Microsoft outlines the implications for bootloader updates and system vulnerabilities, emphasizing the need for proactive measures.
