Microsoft’s Latest Secure Boot Updates Will Reach Windows Devices Through New Firmware Update

Microsoft is preparing for a major security transition across the Windows ecosystem, detailing how updated Secure Boot certificates will be delivered to PCs through a combination of Windows updates and new firmware‑level servicing capabilities. The company explained the plan in a recent Windows Experience Blog post, positioning the effort as a routine but significant refresh of the cryptographic trust anchors that protect Windows during startup.

Secure Boot has been part of Windows for more than a decade. It verifies that only trusted, signed code can run before the operating system loads, and it relies on certificates stored in a device’s firmware to establish that trust. Those original certificates are approaching the end of their planned lifecycle and begin expiring in June 2026. Microsoft says the update is necessary to maintain the integrity of the Secure Boot chain and to keep Windows aligned with modern security expectations.

How the Update Will Roll Out

According to Microsoft, the transition has been in development for several years and involves coordination with PC manufacturers, firmware vendors and enterprise IT teams. Many newer devices already ship with the updated certificates. The company notes that most PCs built since 2024, and nearly all systems released in 2025, include the refreshed trust anchors and will not require additional steps from users.

For existing devices, Microsoft has begun distributing the new certificates through standard Windows Update channels. Home users and organizations that rely on Microsoft‑managed servicing will receive the update automatically. Enterprises that manage updates manually can deploy the certificates using their preferred tools.

Some devices will also require a firmware update from the manufacturer before Windows can apply the new certificates. Microsoft advises users and IT administrators to check OEM support pages to ensure their systems have the latest firmware available.

What Happens If Devices Are Not Updated

Microsoft says devices that do not receive the updated certificates will continue to function, but their Secure Boot protections will gradually degrade. Once the older certificates expire, the system will no longer be able to validate new Secure Boot‑signed components. Over time, this may affect compatibility with newer versions of Windows, updated firmware or software that depends on Secure Boot trust.

The company stresses that certificate rotation is a standard industry practice. Retiring aging cryptographic material and replacing it with stronger, modern certificates helps maintain the long‑term security of the platform.

For most consumers, the update should be seamless. Windows Update will deliver the new certificates automatically, and no user action is expected unless a device requires a separate firmware update.

Organizations with managed fleets have more flexibility. Microsoft recommends that IT teams inventory their devices, confirm Secure Boot status, and test certificate deployment on a subset of systems before rolling it out broadly. The company also notes that enterprises can choose between Microsoft‑managed servicing or manual deployment depending on their operational needs.
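One way to collect the inventory data described above on a single device, written here as an added example rather than code from Microsoft or the original article. The function names are hypothetical, and the certificate subject names are assumptions taken from Microsoft's public Secure Boot guidance, not from this article.

```powershell
# Added example: one inventory record per device. Run in an elevated session.
# Certificate names are assumptions drawn from Microsoft's public guidance.
$NewCerts = [ordered]@{
    'Windows UEFI CA 2023'                 = 'db'
    'Microsoft UEFI CA 2023'               = 'db'
    'Microsoft Corporation KEK 2K CA 2023' = 'KEK'
}

function Test-SecureBootCert {
    # Presence check only: searches the raw UEFI variable for the certificate's
    # subject name. It does not parse or validate the signature database.
    param([string]$Variable, [string]$SubjectName)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        return $text.Contains($SubjectName)
    } catch {
        return $null   # variable unreadable (legacy BIOS boot or not elevated)
    }
}

function Get-SecureBootInventory {
    # Secure Boot state: $true/$false, or $null when it cannot be queried.
    try   { $enabled = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $enabled = $null }

    # Firmware identity, for comparison against the OEM support page.
    $bios = Get-CimInstance -ClassName Win32_BIOS

    $record = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $enabled
        Manufacturer      = $bios.Manufacturer
        FirmwareVersion   = $bios.SMBIOSBIOSVersion
        FirmwareDate      = $bios.ReleaseDate
    }
    foreach ($name in $NewCerts.Keys) {
        $record[$name] = Test-SecureBootCert -Variable $NewCerts[$name] -SubjectName $name
    }
    [pscustomobject]$record
}

Get-SecureBootInventory | Format-List
```

Running this on the pilot subset before and after deployment shows whether the new certificates were actually written to firmware. Devices that still report `False` after the update are the ones to check for a pending OEM firmware update.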

While the Secure Boot certificate update is not tied to a specific vulnerability, it represents a foundational maintenance step for the Windows security model. By coordinating firmware and operating system updates across the ecosystem, Microsoft aims to ensure that Windows devices remain protected from the earliest stages of the boot process.

For users, the transition should be largely invisible. For the Windows ecosystem, it marks one of the most extensive firmware-level servicing efforts since the introduction of Secure Boot.
