In June 2025, Microsoft announced that, in June 2026, it would begin deprecating Secure Boot certificates of Windows systems from 2011, which were superseded by their 2023 counterparts.
As the clock counts down, it's time to do some housecleaning to prevent potential issues later this year. If you have a system managed by your company or school, your system administrators should be handling the process, which is different from the process for personal computers.
What are the certificates for?
Together, the four 2011 certificates verify that a system's initial boot processes -- the software loaded directly by the system even before Windows starts -- haven't been tampered with.
They're used by Secure Boot, a standard feature built into the firmware of all modern Windows systems. It's enabled by default and can be turned on or off through the Unified Extensible Firmware Interface (UEFI) settings. A mismatch doesn't necessarily mean that malicious code is being loaded or executed -- just that the system can't rule it out.
When is this happening?
Certificates will begin expiring in June 2026 and continue expiring through October 2026.
Which versions of Windows does this apply to?
Generally, this will apply to all versions of Windows 10 version 1607 or later and Windows 11. (You can find detailed lists on Microsoft's site.) But to receive the certificate updates for Windows 10, you need to have enrolled in the Extended Security Updates (ESU) program.
What do I need to do?
Probably nothing. In a lot of cases, they're probably already current: Windows will have automatically updated them as long as Secure Boot is enabled, and automated updates are slated to continue through the year.
Unlike the unstoppable virus definition updates, though, the certificates are part of the normal, pausable update process. They're BIOS updates.
Microsoft will start rolling out updates to its Windows Security app this month, so that you no longer need to jump through hoops to figure out your device's status. In the Device security section you'll see a status badge on the Secure Boot icon -- along with more descriptive information about the issue. More detailed information and controls are slated for a May update as well.
The secure boot status indicator badges can be found in the Device security section.
Similar badges should also appear on the Windows Security icon in your system tray.
The updated text will tell you if the certificates are up to date (green), if they can't be updated automatically because something's preventing it (yellow) or if your system can't receive the updates anymore (red) -- the latter may be because you have to enroll in the ESU program.
How to find the current versions differs from system to system, so you may have to do some poking around. Until those changes arrive, your alternative is to check whether your BIOS version is the most recent and when it was updated.
The certificate updates began rolling out in 2024, so if you have a recent version of the BIOS, which is much easier to check, you should be okay. (For instance, paste msinfo32 into the search field of the Windows Start menu and run it; the BIOS version and date are listed in the summary.)
If you've been adjusting settings to reduce the update frequency, you should make sure you haven't somehow managed to skip them. If Secure Boot has been disabled, it might not have updated them, either.
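If you'd rather check all of this from one elevated PowerShell prompt than by eye, here is an added example that is not part of the article or of any Microsoft tooling: it reads the Secure Boot state, the firmware version and release date, and searches the firmware's db and KEK variables for the 2011 and 2023 Microsoft certificates. The certificate subject names are taken from Microsoft's published documentation and are assumed here; the script must run as administrator on a UEFI system.

```powershell
# Added example, not from the article: report Secure Boot state, firmware date,
# and which Microsoft CA certificates the firmware currently trusts.
# Run from an elevated (administrator) PowerShell prompt on a UEFI Windows system.
# Assumption: the subject names below match Microsoft's published certificate names.

$expectedCerts = @(
    @{ Var = 'db';  Name = 'Microsoft Windows Production PCA 2011' },
    @{ Var = 'db';  Name = 'Microsoft Corporation UEFI CA 2011' },
    @{ Var = 'db';  Name = 'Windows UEFI CA 2023' },
    @{ Var = 'db';  Name = 'Microsoft UEFI CA 2023' },
    @{ Var = 'db';  Name = 'Microsoft Option ROM UEFI CA 2023' },
    @{ Var = 'KEK'; Name = 'Microsoft Corporation KEK CA 2011' },
    @{ Var = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' }
)

function Test-FirmwareVariableContains {
    # Returns $true if the named UEFI variable (db or KEK) contains the subject text.
    # Subject names are stored as ASCII inside the DER certificate blobs, so a plain
    # substring search over the variable's raw bytes is enough to spot them.
    param([string]$Variable, [string]$Subject)
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    return [System.Text.Encoding]::ASCII.GetString($bytes).Contains($Subject)
}

function Get-SecureBootCertStatus {
    $status = [ordered]@{}
    try {
        $status.SecureBootEnabled = Confirm-SecureBootUEFI   # throws on non-UEFI or unsupported systems
    } catch {
        $status.SecureBootEnabled = $false
    }
    # Same information msinfo32 shows as "BIOS Version/Date".
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $status.BiosVersion     = $bios.SMBIOSBIOSVersion
    $status.BiosReleaseDate = $bios.ReleaseDate

    # With Secure Boot off, the firmware variables are not authoritative and the
    # article notes updates may not have been applied, so only inspect them when it is on.
    if ($status.SecureBootEnabled) {
        $missing = @()
        foreach ($cert in $expectedCerts) {
            $present = Test-FirmwareVariableContains $cert.Var $cert.Name
            $status["$($cert.Var): $($cert.Name)"] = $present
            if ($cert.Name -like '*2023' -and -not $present) { $missing += $cert.Name }
        }
        $status.Missing2023Certs = if ($missing) { $missing -join ', ' } else { 'none' }
    }
    return [pscustomobject]$status
}

Get-SecureBootCertStatus | Format-List
```

A 2023 name listed under Missing2023Certs after Secure Boot is on and Windows Update has run corresponds to the article's yellow case, where manufacturer-specific instructions are the next step.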
If you've got a system that you haven't turned on in a while, it's probably worth booting and making it current just to avoid future problems.
What if they're not current?
After ensuring Secure Boot is enabled and running Windows Update, if they're still not correct and you've got a yellow indicator (when it's available), then you'll probably need to find instructions for your particular computer or motherboard (if you've built your own).
At the moment, Microsoft provides links for a handful of manufacturers, but hopefully a more streamlined process will be available in May.
What happens if I don't update?
Expired certificates will definitely prevent Windows from keeping boot-time security features and databases current, which may open your system up to vulnerabilities. But the certificates only verify boot code and flag code that doesn't match what they expect to see.
They don't prevent code from loading or executing. Rather, other layers of software determine how to respond. The response can be anything from merely triggering a notification in Event Viewer to potentially interfering with the way software runs (such as Windows' BitLocker disk encryption), which is dictated by what's installed on your system and which Windows features are enabled.
An enterprise-managed laptop, for example, tends to have multiple layers of security, which may prevent you from doing almost anything, while a personal system may just give a metaphorical shrug. And if Secure Boot is disabled, nothing should be affected.