Secure Boot has been around since 2011, quietly doing one very important job: stopping unauthorized or tampered code from sneaking into your PC during the boot process. It's also one of the reasons Windows 11 has stricter hardware requirements — Microsoft wants more devices to have this boot-level protection turned on and working properly.
Now Microsoft is refreshing Secure Boot certificates via Windows updates, because the original 2011-era certificates are reaching the end of their planned lifecycle and will start expiring between June 2026 and October 2026.
What's expiring, and why it matters
Secure Boot relies on digital certificates stored in firmware (UEFI) to decide what's trusted during startup. The certificates issued back in 2011 were never meant to live forever, and Microsoft is now rotating them out for newer 2023 certificates.
Microsoft's message is basically: crypto ages, threats evolve, and leaving old credentials in place eventually turns them into a weak link. That's why certificate refreshes are standard practice in security — and Microsoft is treating this as a "generational refresh" of the root of trust.
"My PC will break?" No. But it can become less protected over time
This is the part that trips people up.
Microsoft says your PC should keep working normally even if those old certificates expire — apps still run, Windows still boots — but the device may enter what they call a "degraded security state." In that state, the machine can become increasingly limited in receiving future boot-level protections and could run into compatibility issues as newer firmware, operating systems, or Secure Boot–dependent software expects the newer trust chain.
So it's not a "June 2026 = instant brick" situation. It's more like: "June 2026 onward, the security ceiling lowers if you don't update."
How Microsoft is handling it: Windows Update is doing the heavy lifting
The good news is Microsoft isn't expecting most normal users to do anything special.
New Secure Boot certificates started rolling out through Windows 11 updates (including KB5074109), and Microsoft says they'll be installed automatically for the vast majority of Windows 11 users.
If you bought a newer PC (many devices shipped since 2024), there's a good chance those 2023 certificates are already present from the factory.
The few cases where it might not be fully automatic
Microsoft also points out that a small subset of systems may need extra steps:
• Some devices may require an OEM firmware update before the new certificates can be applied cleanly
So if you're using a "normal" consumer Windows 11 machine, you'll likely just get it through regular updates. If you're running specialized hardware, you'll want to watch OEM advisories and update guidance.
What you should do (without overthinking it)
For typical Windows 11 users:
• If you haven't updated in a long time, don't leave it until mid-2026
• Occasionally check your PC maker's support page for BIOS/UEFI updates (firmware still matters in Secure Boot land)
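For administrators who want to confirm the state directly, this added PowerShell example (not from Microsoft or the original article) reads the KEK and db Secure Boot variables, parses the UEFI signature lists, and lists each certificate with its expiry date. It assumes an elevated prompt on a UEFI system and that the 2023 replacement certificates carry "2023" in their subject names; the function name Get-SecureBootCertificate is made up for this example.

```powershell
# Added example. Run from an elevated PowerShell prompt on a UEFI system.
$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootCertificate {
    param([Parameter(Mandatory)][ValidateSet('KEK', 'db')][string]$Name)

    $bytes  = [byte[]](Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    # Each EFI_SIGNATURE_LIST: 16-byte type GUID, then list, header and entry sizes (UINT32 each).
    while ($offset + 28 -le $bytes.Length) {
        $type     = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }  # malformed list

        if ($type -eq $X509Guid -and $sigSize -gt 16) {
            $entry = $offset + 28 + $hdrSize
            while ($entry + $sigSize -le $offset + $listSize) {
                # Skip the 16-byte SignatureOwner GUID; the rest is the DER certificate.
                $der  = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable = $Name
                    Subject  = $cert.Subject
                    NotAfter = $cert.NotAfter
                    Is2023   = $cert.Subject -match '2023'   # assumption: year appears in subject
                }
                $entry += $sigSize
            }
        }
        $offset += $listSize
    }
}

"Secure Boot enabled: $(Confirm-SecureBootUEFI)"
$certs = 'KEK', 'db' | ForEach-Object { Get-SecureBootCertificate -Name $_ }
$certs | Sort-Object Variable, NotAfter | Format-Table -AutoSize -Wrap

foreach ($var in 'KEK', 'db') {
    $new = @($certs | Where-Object { $_.Variable -eq $var -and $_.Is2023 })
    if ($new.Count -gt 0) { "${var}: 2023 certificate present ($($new.Count))" }
    else                  { "${var}: no 2023 certificate found; check Windows Update and OEM firmware" }
}
```

Hash-only signature lists in db are skipped, since only X.509 entries carry an expiry date.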
Final thoughts
This is one of those "boring but important" security moves. Microsoft is refreshing Secure Boot certificates before the 2011 set starts expiring, mainly to prevent devices from slowly sliding into a weaker boot-security posture that can't accept new protections later on. If you're on Windows 11 and you keep up with updates, you're probably already covered — and that's exactly the point.

