Windows Secure Boot Certificates From 2011 Will Expire Soon: What You Should Know

In June 2025, Microsoft announced that, in June 2026, it will begin retiring the 2011 Secure Boot certificates for Windows systems, which have been replaced by their 2023 counterparts.
As the clock ticks down, it's time to clean house to prevent potential problems later this year. If your system is managed by your company or school, your system administrators must handle the process, which differs from the one for personal computers.
What are the certificates?
Together, these four certificates ensure that the system’s startup processes — the software that is loaded directly by the system even before Windows starts — have not been tampered with.
They are used by Secure Boot, a common platform feature included in the firmware of all modern Windows systems. It is turned on or off through the Unified Extensible Firmware Interface (UEFI) and is enabled by default. A mismatch doesn't mean that malicious code is being loaded or executed, only that the system can't verify it.
When does this happen?
The certificates will begin to expire in June 2026 and continue until October 2026.
What versions of Windows does this apply to?
In general, this applies to all versions of Windows 10 1607 or later and Windows 11. (You can find detailed lists on the Microsoft site.) But to receive the certificate updates on Windows 10, you need to enroll in the Extended Security Updates program.
What should I do?
Maybe nothing. In most cases, your system is probably already up to date: Windows updates itself automatically as long as Secure Boot is turned on, and automatic updates are scheduled to continue throughout the year.
However, you may want to verify by checking the current version.
Unlike virus definition updates, which can't be blocked, the certificates are part of a regular, more relaxed process: BIOS updates. How to find the current versions varies, so you may need to do some digging.
But updates started rolling out in 2024, so if you have the latest BIOS version, which is much easier to check, you should be fine. (For example, paste msinfo32 into the search field of the Windows Start menu, and the BIOS date is listed.)
If you have adjusted settings to reduce the update frequency, make sure you haven't somehow skipped it. If Secure Boot is disabled, the certificates may not have been updated, either.
If you have a system that you haven't turned on for a long time, you should start it up and bring it up to date to avoid future problems.
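One way to run the check described above on a UEFI system, as an added example that is not from the original article or from Microsoft. The function name is hypothetical, and the 2023 certificate names are Microsoft's published names, which this page does not list, so treat them as assumptions to confirm against Microsoft's guidance.

```powershell
# Added example; function name is hypothetical. Run in an elevated PowerShell session.
function Test-SecureBootCertificates {
    # Microsoft's published names for the 2023 certificates (assumption: not
    # listed on this page; confirm against Microsoft's guidance).
    $expected = [ordered]@{
        KEK = @('Microsoft Corporation KEK 2K CA 2023')
        db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023',
                'Microsoft Option ROM UEFI CA 2023')
    }
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        # Raised on legacy-BIOS systems or in a non-elevated session.
        Write-Warning "Cannot query Secure Boot: $($_.Exception.Message)"
        return
    }
    Write-Host "Secure Boot enabled: $enabled"

    $results = foreach ($var in $expected.Keys) {
        try {
            $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
        } catch {
            Write-Warning "Cannot read UEFI variable ${var}: $($_.Exception.Message)"
            continue
        }
        # Certificate subject names appear as readable ASCII inside the variable data.
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)
        foreach ($name in $expected[$var]) {
            [pscustomobject]@{ Variable = $var; Certificate = $name; Present = $text.Contains($name) }
        }
    }
    $results | Format-Table -AutoSize

    # BIOS version and release date, the same information msinfo32 shows.
    Get-CimInstance -ClassName Win32_BIOS |
        Format-List Manufacturer, SMBIOSBIOSVersion, ReleaseDate
}
Test-SecureBootCertificates
```

A row with Present set to False means that name was not found in the firmware variable that was read.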
What if they are not current?
If they still aren't current after you've made sure Secure Boot is enabled and run Windows Update, you'll probably need to find instructions for your specific computer or motherboard (if you built your own). Microsoft provides links for several manufacturers.
What happens if I don’t update?
Outdated certificates will inevitably prevent Windows from keeping the startup and database security features current, potentially opening your system to vulnerabilities. But the certificates only verify code and identify code that does not match what the system expects to see.
They do not prevent code from loading or executing. Instead, other layers of software decide how to respond. The response can be anything from simply triggering a notification in the Event Viewer to interfering with how software works (such as Windows' BitLocker disk encryption), depending on what's installed on your system and what Windows features are enabled.
A business-owned laptop, for example, often has multiple layers of security, which may prevent you from doing almost anything, while a personal system may provide a symbolic cushion. And if Secure Boot is disabled, nothing should be affected.



