Windows Secure Boot Certificates Expire in 2026, Microsoft Warns of Update Risks

The first batch of Windows Secure Boot certificates, issued in 2011, is set to expire in June 2026. Now, Microsoft is warning users about the consequences.

While Secure Boot has long been a requirement for Windows 11, expired certificates could prevent systems from installing critical updates, leaving them exposed to BootKits and other malware threats.

According to Microsoft’s updated FAQ, the expiring certificates affect any device still relying on the original 2011 set. For most Windows 11 and supported Windows 10 PCs, the renewal process will happen automatically via Windows Update.

However, users running Windows 10 beyond its October 14, 2025 end of support will need to enroll in the Extended Security Updates program to continue receiving new certificates.

The issue becomes even more critical when dealing with firmware resets. Some users could find their PCs refusing to boot if the system defaults back to an older boot manager without the 2023 Secure Boot certificate.

Microsoft explains in its support document that recovery steps are available, but they require applying the updated certificate manually using a recovery USB.