Microsoft is preparing a broad update to the secure boot infrastructure on Windows PCs by refreshing the Unified Extensible Firmware Interface (UEFI) secure boot certificates that control which software is allowed to start the boot sequence. Millions of Windows PCs in circulation will receive new secure boot certificates in a gradual, industry-wide rollout intended to replace aging certificates before they expire. The original secure boot certificates, introduced in 2011, are reaching the end of their planned lifecycle. Their expiration date is set for late June 2026, which creates a hard deadline for ensuring that devices are updated and remain protected at startup.
Microsoft describes the effort as one of the largest industry collaborations across the Windows ecosystem, involving servicing, firmware updates and a wide range of device configurations from original equipment manufacturers and other hardware makers. Firmware vendors are central to the process, as they must deliver new UEFI BIOS patches that replace the aging secure boot certificates embedded in existing systems. The coordination between Microsoft, firmware providers and hardware partners is intended to make the transition largely invisible to end users while preserving the integrity of the secure boot chain.
OEMs have already been provisioning updated certificates on new devices, with some devices from 2024 and almost all PCs from 2025 updated to support the new certificate as they ship. Older PCs and devices that were shipped prior to these years are also included in the plan, with major OEMs providing their own guidance on how customers should apply the certificate updates through firmware or support tools. Users who do not yet see an update available from their OEM are advised to be patient, as the rollout is designed to be gradual across the global Windows installed base.
