WINDOWS’ original Secure Boot certificates are set to expire in June and October 2026, a fact Microsoft has highlighted in a post published on 10 February 2026. The expiry could cause problems for PCs that do not pull down the new certificates before the June 2026 deadline, with the risk that devices enter a degraded security state and may be unable to install future boot‑level protections or boot newer operating systems that rely on the 2023-era certificates.
For most systems, Microsoft is relying on Windows Update to provide updated certificates, and newer devices may already be using the new certificates without users realising it.
According to Nuno Costa, a program manager in Microsoft’s Windows Servicing and Delivery division, “the device will enter a degraded security state that limits its ability to receive future boot-level protections.” The article also notes that Dell, HP, Lenovo, Microsoft and Asus have guidance and that checking via PowerShell can reveal whether a PC has the new certificates baked into its firmware, with commands provided to verify the status of the active db and the default db.
It also advises ensuring Secure Boot is enabled, checking for firmware updates, and, for older machines, potentially resetting Secure Boot keys in the BIOS or enrolling in ESU where relevant.