Microsoft and Partners Roll Out Secure Boot Certificate Refresh to Safeguard Windows Devices

Sebastian Hills

Microsoft, in close collaboration with device manufacturers and the UEFI Forum, has initiated a comprehensive refresh of Secure Boot certificates across the Windows ecosystem, automatically deploying updated 2023 certificates through monthly Windows updates to replace aging 2011 versions set to expire starting in late June 2026.

This industry-wide effort, detailed in a February 10, 2026, Windows Experience blog post, represents the first coordinated maintenance of Secure Boot’s root of trust since its introduction in Windows 8, involving Windows servicing, firmware updates, and configurations for millions of devices from original equipment manufacturers (OEMs). Secure Boot, a foundational security feature, verifies digitally signed software at startup to protect against threats, relying on certificates stored in PC firmware. The original certificates, Microsoft Corporation KEK CA 2011 (expiring June 24, 2026), Microsoft Corporation UEFI CA 2011 (June 27, 2026), and Microsoft Windows Production PCA 2011 (October 19, 2026), have served for over 15 years but are nearing the end of their lifecycle to align with evolving cryptographic standards.

The rollout began with the regular patch cycles in January 2026 for in-support Windows devices used by home users, businesses, and schools with Microsoft-managed updates; organizations can manage the process with their preferred tools. OEMs have provisioned the new certificates on most PCs built since 2024 and nearly all shipped in 2025, so those users need take no action. The phased approach includes testing, staged, data-driven deployment, and firmware improvements so that the update applies safely with minimal disruption. Devices that do not receive the update will still boot normally after the expiration dates, but in a degraded security state: they will be unable to install new mitigations for boot-level vulnerabilities and may face compatibility issues with future operating system, firmware, hardware, or Secure Boot-dependent software.


Unsupported Windows versions, such as Windows 10 after its end-of-support date on October 14, 2025 (excluding those with Extended Security Updates), will not receive the new certificates or updates. For specialized systems like servers or IoT devices, separate evaluation may be needed. A fraction of devices may require a separate firmware update from the OEM before applying the certificates via Windows Update.

OEM testimonials underscore the collaboration: Dell Technologies highlighted early planning for seamless transitions, HP emphasized firmware updates for Windows 11 devices to minimize disruption, and Lenovo noted coordinated efforts to protect customers without business interruption. Microsoft provides resources like the Secure Boot Playbook and a dedicated site (aka.ms/GetSecureBoot) for guidance, recommending users check OEM support pages for firmware updates and monitor certificate status in the Windows Security App (messages forthcoming). Organizations should use the IT administrator playbook for deployment and validation.
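One way to see on a given machine which of the certificates named above are actually provisioned, added here as an example and not taken from the article or from Microsoft's playbook: it reads the KEK and db firmware variables with the Get-SecureBootUEFI cmdlet and reports each expected subject name. The 2023 subject names are an assumption, since the article only refers to "2023 certificates"; run it in an elevated PowerShell session on a UEFI system.

```powershell
# Added example (not from the article or Microsoft): report which Secure Boot
# CA certificates are present in the firmware KEK and db variables.
# Assumption: the 2023 subject names below are the replacements Microsoft
# ships; the article itself only says "2023 certificates".
$expected = @{
    KEK = @('Microsoft Corporation KEK CA 2011',
            'Microsoft Corporation KEK 2K CA 2023')
    db  = @('Microsoft Corporation UEFI CA 2011',
            'Microsoft UEFI CA 2023',
            'Microsoft Windows Production PCA 2011',
            'Windows UEFI CA 2023')
}

# Confirm-SecureBootUEFI throws on legacy-BIOS machines; on UEFI it returns
# whether Secure Boot is enforcing. The variable contents are readable either way.
if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is not enabled on this device.'
}

foreach ($var in $expected.Keys) {
    # Subject names are stored as ASCII inside the DER-encoded certificates in
    # the EFI_SIGNATURE_LIST, so a substring search over the raw bytes is enough
    # to tell presence from absence.
    $bytes = (Get-SecureBootUEFI -Name $var).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    foreach ($name in $expected[$var]) {
        $state = if ($text.Contains($name)) { 'present' } else { 'MISSING' }
        '{0,-4} {1,-40} {2}' -f $var, $name, $state
    }
}
```

A device that shows the 2011 entries as present and every 2023 entry as MISSING has not yet received the refresh; the 2011 entries are expected to remain alongside the new ones rather than be removed.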

This refresh ensures a secure foundation for future innovations, maintaining Secure Boot’s reliability through ongoing industry partnerships.

As cybersecurity threats evolve, this proactive certificate update could influence broader ecosystem standards, and it highlights the need for users on older systems to upgrade to supported versions like Windows 11 for optimal protection.
