Windows Secure Boot Certificates From 2011 Will Be Expiring Soon. What You Need to Know

In June 2025, Microsoft announced that in June 2026 it would begin deprecating the 2011 Secure Boot certificates for Windows systems, which have been replaced by their 2023 counterparts.
As the countdown ticks down, it’s time to do some housekeeping to avoid potential problems later this year. If you have a system managed by your company or school, your system administrators must manage the process, which is different from that for personal computers.
What are certificates used for?
Together, the four certificates verify that a system’s initial boot processes (the software loaded directly by the system before Windows even starts) have not been tampered with.
They are used by Secure Boot, a standard feature built into the firmware of all modern Windows systems. It is turned on or off in the Unified Extensible Firmware Interface (UEFI) settings and is enabled by default. A mismatch does not necessarily mean that malicious code has been loaded or executed, just that the system cannot rule it out.
When does this happen?
The certificates will begin expiring in June 2026, and the expirations continue until October 2026.
What versions of Windows does this apply to?
Generally, this will apply to all versions of Windows 10 1607 or later and Windows 11. (You can find detailed lists on Microsoft’s site.) But to receive certificate updates for Windows 10, you must be enrolled in the Extended Security Updates program.
What should I do?
Probably nothing. In many cases, they’re probably already up to date: Windows will have automatically updated them as long as Secure Boot is enabled, and automatic updates should continue throughout the year.
Still, you may want to verify by checking the current version.
Unlike virus definition updates, which can’t be paused, certificate updates are part of the normal update process and can be suspended. These are BIOS updates. The way to find the current versions differs from system to system, so you may have to do a little digging.
But updates started rolling out in 2024, so if you have a recent BIOS version, which is much easier to check, you should be fine. (Paste msinfo32 into the Windows Start menu search box and the BIOS date will be listed, for example.)
If you have adjusted the settings to reduce the update frequency, you need to make sure that you have not inadvertently held these updates back. If Secure Boot was disabled, Windows may not have updated the certificates either.
If you have a system that you haven’t turned on in a while, it’s probably worth booting it up and updating it just to avoid future problems.
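The checks described in this section can be scripted. The following is an added example, not something from Microsoft or the original article: it uses the cmdlets in Windows' built-in SecureBoot module, and the certificate names are Microsoft's published common names, which the article itself does not list. It only reads values and must be run from an elevated PowerShell prompt.

```powershell
# Added example: read-only Secure Boot certificate check (run elevated).
# Certificate names below are Microsoft's published common names (an
# assumption; they are not listed in the article).
$certs = @(
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK CA 2011' }
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' }
    @{ Variable = 'db';  Name = 'Microsoft Windows Production PCA 2011' }
    @{ Variable = 'db';  Name = 'Microsoft Corporation UEFI CA 2011' }
    @{ Variable = 'db';  Name = 'Windows UEFI CA 2023' }
    @{ Variable = 'db';  Name = 'Microsoft UEFI CA 2023' }
    @{ Variable = 'db';  Name = 'Microsoft Option ROM UEFI CA 2023' }
)

try {
    # Returns $true or $false; throws on legacy BIOS systems or without elevation.
    $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    Write-Warning "Cannot query Secure Boot (not elevated, or not a UEFI system): $($_.Exception.Message)"
    return
}

$cache = @{}   # one firmware read per variable
$report = foreach ($c in $certs) {
    if (-not $cache.ContainsKey($c.Variable)) {
        # The variable is a binary signature list; certificate subject names
        # sit inside it as plain ASCII, so a text search finds them.
        $bytes = (Get-SecureBootUEFI -Name $c.Variable -ErrorAction Stop).Bytes
        $cache[$c.Variable] = [System.Text.Encoding]::ASCII.GetString($bytes)
    }
    [pscustomobject]@{
        Variable    = $c.Variable
        Certificate = $c.Name
        Present     = $cache[$c.Variable].Contains($c.Name)
    }
}

# Same BIOS date that msinfo32 shows.
$biosDate = (Get-CimInstance -ClassName Win32_BIOS).ReleaseDate

"Secure Boot enabled : $secureBoot"
"BIOS release date   : $biosDate"
$report | Format-Table -AutoSize

if ($secureBoot -and ($report | Where-Object { $_.Certificate -like '*2023' -and -not $_.Present })) {
    Write-Warning 'One or more 2023 certificates are missing; run Windows Update and check for a firmware update.'
}
```

A 2011 certificate still showing as present is expected; what matters is that the 2023 entries are there before the 2011 ones expire.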
What if they are not up to date?
After making sure Secure Boot is enabled and running Windows Update, if they’re still not correct, you’ll probably need to find instructions for your particular computer or motherboard (if you built your own). Microsoft provides links to a handful of manufacturers.
What happens if I don’t update?
Expired certificates will permanently prevent Windows from keeping its startup security features and databases up to date, which can open your system to vulnerabilities. But the certificates only check for and identify code that isn’t what they expect to see.
They do not prevent the code from loading or executing. Rather, other layers of software determine how to react. The answer can range from simply triggering a notification in Event Viewer to potential interference with software operation (like Windows’ BitLocker disk encryption), which is dictated by what is installed on your system and what Windows features are enabled.
A company-run laptop, for example, tends to have multiple layers of security, which can prevent you from doing almost anything, while a personal system may just metaphorically shrug its shoulders. And if Secure Boot is disabled, nothing should be affected.


