MICROSOFT is set to refresh Windows Secure Boot certificates with new ones rolling out from June 2026 as the current certificates reach end of life. Since Secure Boot relies on firmware-stored certificates, the old certificates will be retired and replaced across supported Windows versions via automatic updates.
According to Microsoft, OEMs have been provisioning updated certificates on new devices and many PCs shipped since 2024, with almost all devices shipped in 2025 already including them and requiring no action from customers. For a fraction of devices, a separate firmware update from the device manufacturer may be required before the new certificates delivered via Windows Update can be applied; customers should check their OEM support pages for the latest firmware.
Systems that do not receive the refreshed certificates before expiry will continue to work but may lose boot-level protections and eventual mitigations for new vulnerabilities. Windows 10 and older OS versions are no longer supported and will not receive the new certificates unless enrolled in Extended Security Updates.