Microsoft Restores Secure Boot FAQ Details Ahead of 2026 Certificate Expiration



Microsoft is reminding users that Secure Boot certificates must be updated before 2026, after confusion briefly emerged over missing information in its official support documentation.

The company originally announced in early 2024 that Secure Boot keys used across Windows systems will expire in 2026 after roughly 15 years of use. To prevent disruptions and maintain platform security, Microsoft began distributing updated certificates through Windows Update and warned users to update before the original certificates expire.

Recent updates delivering the new certificates include Windows 11 patches KB5077181 and KB5075941, as well as KB5075912 for Windows 10.

Microsoft restores Secure Boot explanation after FAQ confusion

Microsoft recently published a support article explaining how the Secure Boot certificate update works and what users should expect before the deadline. However, a section describing the consequences of missing the update was temporarily removed from the FAQ.

According to reports from Neowin, that removal caused confusion among administrators and users trying to understand the risks of not installing the new certificates.

Microsoft later restored the information and expanded the explanation. The company also moved the clarification to the first question in the support article to make the guidance easier to find.

Devices will still boot, but security protections may weaken

Microsoft’s updated guidance states that systems without the newer 2023 Secure Boot certificates will continue to boot normally and receive regular Windows updates. However, those devices will gradually lose certain security protections tied to the early boot process.

Without the updated certificates, systems may no longer receive protections related to Windows Boot Manager, Secure Boot databases, revocation lists, and mitigations designed to block newly discovered boot-level vulnerabilities.

Over time, this gap could make devices more exposed to advanced threats such as bootkits that target the system startup process.

Microsoft also noted that some security features relying on Secure Boot trust could be affected, including certain BitLocker hardening mechanisms and compatibility with third-party bootloaders.
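To see whether a given device already carries the 2023 certificates described above, an administrator can inspect the Secure Boot variables directly. The script below is an added example, not code from Microsoft or from this article; the certificate names are Microsoft's published 2023 CA names, which the article does not list, and the helper name Test-SecureBootCert is hypothetical.

```powershell
# Added example: report which 2023 Secure Boot certificates are present in
# this device's UEFI variables. Run from an elevated PowerShell session.

function Test-SecureBootCert {
    param(
        [Parameter(Mandatory)][string]$Variable,    # UEFI variable to read: 'db' or 'KEK'
        [Parameter(Mandatory)][string]$CommonName   # certificate subject text to look for
    )
    # Get-SecureBootUEFI returns the raw variable contents. X.509 subject
    # strings are stored as readable text inside the DER data, so a text match
    # works as a presence check. It does not validate the certificate itself.
    $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text -match [regex]::Escape($CommonName)
}

# Assumption: names taken from Microsoft's published guidance, not this page.
# The two third-party entries may be legitimately absent on devices that never
# trusted the 2011 third-party UEFI CA.
$expected = @(
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Variable = 'db';  Name = 'Windows UEFI CA 2023' },
    @{ Variable = 'db';  Name = 'Microsoft UEFI CA 2023' },
    @{ Variable = 'db';  Name = 'Microsoft Option ROM UEFI CA 2023' }
)

try {
    # Throws on legacy BIOS systems and in non-elevated sessions.
    $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
    return
}
Write-Output "Secure Boot enabled: $enabled"

foreach ($c in $expected) {
    [pscustomobject]@{
        Variable    = $c.Variable
        Certificate = $c.Name
        Present     = Test-SecureBootCert -Variable $c.Variable -CommonName $c.Name
    }
}
```

A device that reports `Present = False` for the KEK or Windows UEFI CA entry has not yet received the certificate update and is a candidate for follow-up before the expiration date.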

Updates should arrive automatically through Windows Update

For most users, the new Secure Boot certificates will install automatically through Windows Update before the June 2026 deadline.

In some cases, hardware manufacturers may also distribute firmware updates to support the transition. Microsoft recommends keeping devices fully updated to ensure Secure Boot protections remain active.

The clarification arrives as Microsoft continues rolling out other security improvements across the Windows ecosystem. The company recently refreshed Windows Defender definitions for installation images, ensuring newly installed systems start with up-to-date malware protection.

Together, the Secure Boot certificate transition and updated Defender signatures aim to strengthen Windows security from the earliest stages of system startup.
