09/04/2026

Secure Boot certificates expire in 2026 – why you should act now

Introduction

Secure Boot is one of those security features that quietly does its job in the background. When everything works, you barely notice it, and that’s exactly the point. But the mechanism is back in the spotlight: Secure Boot certificates on Windows devices will begin to expire in June 2026.

This is not a reason to panic, and it is not an immediate security incident. It’s a planned, well-known end to a certificate lifecycle, and a good reminder to make sure you’re prepared well before the deadline.

What is Secure Boot, really?

In short, Secure Boot helps ensure a Windows device starts only with trusted, signed code. Very early in the boot process—before the operating system loads—it validates that the firmware, bootloader, and other critical components come from a legitimate source.

It relies on certificates that form a chain of trust—helping block threats such as bootkits and rootkits from gaining a foothold before Windows and endpoint security tools have even started.

Like any certificate, Secure Boot certificates don’t last forever.

What changes in summer 2026?

Microsoft’s Secure Boot certificates introduced in 2011 will start to expire in June 2026. Replacement certificates created in 2023 are already available and should be in place before the older certificates reach the end of their validity.

If the new certificates aren’t installed in time, devices won’t suddenly stop working. Windows will still boot, and you can continue installing normal updates. What changes is more subtle but important: the device can no longer receive new Secure Boot–related security updates.

In other words, your boot-level protection becomes effectively frozen in time even as the threat landscape keeps evolving.

For many devices, this is already covered

The good news: many Windows devices manufactured from 2024 onwards already ship with the 2023 Secure Boot certificates. In those cases, no special action is typically needed.

For older devices, Microsoft aims to deliver the new certificates primarily via monthly Windows updates. At the same time, many hardware manufacturers are releasing BIOS/UEFI updates together with Microsoft to ensure the new certificates are handled correctly at the firmware level.

Why proactive planning matters in enterprise environments

Enterprise fleets are rarely perfectly uniform. You’re dealing with different hardware generations and, often, specialized Windows versions that don’t always fit neatly into standard, automatic update paths.

That’s why the 2026 certificate expiry is a great prompt to validate your readiness now. Practically speaking, organizations need a reliable overview of their device estate, visibility into update coverage, and a controlled, auditable process for deploying the new certificates when required.
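
One way to start that overview on a single device, as an added example (not code from this article or from Microsoft): the script below parses the UEFI KEK and db variables and lists each certificate with its expiry date. It assumes an elevated PowerShell session on a UEFI device; `Get-EfiSignatureListCert` is a hypothetical helper name, and treating "2023" in the certificate name as the marker for the replacement certificates is a heuristic.

```powershell
# Added example (not from the article): list the certificates stored in the UEFI
# KEK and db variables with their expiry dates. Run elevated on a UEFI device.
$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # EFI_CERT_X509_GUID (UEFI spec)

function Get-EfiSignatureListCert {   # hypothetical helper name
    param([byte[]]$Bytes, [string]$Variable)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID (16 bytes), then list size,
        # header size and per-signature size (4 bytes each, little-endian)
        $type     = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToInt32($Bytes, $offset + 24)
        # Stop on a malformed list instead of reading past the buffer
        if ($listSize -lt 28 -or $hdrSize -lt 0 -or $sigSize -le 16 -or
            $offset + $listSize -gt $Bytes.Length) { break }
        if ($type -eq $X509Guid) {
            $pos = $offset + 28 + $hdrSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: 16-byte owner GUID, then the DER certificate
                $der  = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable = $Variable
                    Subject  = $cert.GetNameInfo('SimpleName', $false)
                    NotAfter = $cert.NotAfter
                    Expired  = $cert.NotAfter -lt (Get-Date)
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize   # non-X.509 lists (e.g. hashes) are skipped
    }
}

if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled on this device.' }
$certs = foreach ($name in 'KEK', 'db') {
    Get-EfiSignatureListCert -Bytes (Get-SecureBootUEFI -Name $name).Bytes -Variable $name
}
foreach ($name in 'KEK', 'db') {
    # Heuristic (assumption): the replacement certificates carry "2023" in their name
    $found = [bool]($certs | Where-Object { $_.Variable -eq $name -and $_.Subject -match '2023' })
    Write-Host "$name contains a 2023 certificate: $found"
}
$certs | Sort-Object Variable, NotAfter | Format-Table -AutoSize
```

Collected across the fleet through your management tooling, the per-device output shows which hardware generations still carry only the 2011 certificates.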

No rush, but the best time to act is now

The June 2026 Secure Boot certificate expiry isn’t a crisis, but it is a firm milestone. Organizations that get ahead of it now avoid last-minute firefighting and keep boot-level protection current—so they’re ready for whatever comes next.

Right now is an excellent time to check where you stand, make the necessary preparations, and let Secure Boot keep doing what it does best: protecting quietly, reliably, and continuously.

There are several supported ways to update Secure Boot certificates. The recommended approach is Microsoft Intune, which provides centralized, controlled deployment and reporting. Alternatively, certificates can be deployed by setting registry keys via scripts, through the Windows Configuration System (WinCS) using the command line or PowerShell, or via Group Policy in more traditional environments. The right approach depends on your management model and the shape of your device estate.

If you need support with planning the Secure Boot certificate update, validating coverage across your device estate, or handling the practical rollout, we’re happy to help. Let’s discuss the most effective path forward for your environment.
