Microsoft is updating Secure Boot certificates to close security gaps before they can be exploited—if you purchased a PC last year, you’re likely already covered
Be sure to keep Windows 11 systems updated to get refreshed security certificates.
Microsoft is distributing fresh Secure Boot certificates to Windows PC users, since the original certificates are nearing the conclusion of their scheduled 15-year lifecycle and will expire in June 2026.
The company has been distributing the new certificates through Windows updates to individuals, businesses, and schools that let Microsoft manage their updates.
Secure Boot is a procedure that executes during startup, before Windows loads, and employs cryptographic keys to ensure only authorized software is allowed to run. In a blog post, Nuno Costa, the partner director for Windows servicing and delivery, notes that "phasing out outdated certificates and deploying new ones is a common industry practice that safeguards against expired credentials, prevents them from becoming a vulnerability, and ensures platforms stay in line with modern security expectations."
But if you purchased a PC in 2025, you’re likely already prepared. Costa notes that Microsoft has been collaborating with OEM partners, who have been acquiring new certificates since 2024. Machines from OEMs beginning in 2024 and "almost all" systems shipped in 2025 already come with the new Secure Boot certificates, so if you purchased one of the best ultrabooks or best gaming laptops, you should be unaffected.
If you allow Microsoft to manage your PC updates, your certificates will be installed via the regular Windows update process. Microsoft also advises making sure you have the most recent firmware from the vendor’s support pages. Microsoft notes that certain servers or IoT devices might run distinct processes, and a "fraction of devices" could need firmware updates from manufacturers prior to applying new Secure Boot certificates via Windows Update.
If your certificate expires, your PC will still operate normally, but its security will be at risk.
"As new boot‑level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations," Costa writes. Over time, this could also result in compatibility problems, since newer operating systems, firmware, hardware, or software reliant on Secure Boot might not load properly.
If you're using an unsupported version of Windows, such as Windows 10, whose support concluded in October 2025, you won't receive Windows updates, including the latest Secure Boot certificates. (That is, except for individuals and companies participating in the Extended Security Updates program.)
That also gives Microsoft another opportunity to urge its customers to move to Windows 11, this time for security reasons: "We continue to encourage customers to always use a supported version of Windows for best performance and security."
IT professionals have long prioritized certifications. Back in November, the Windows IT Pro blog unveiled a "Secure Boot playbook."
Although some recent Windows updates have caused system instability or other problems, you’re still better off maintaining your system with the latest updates, particularly if they impact your computer’s security for years ahead.
LiarsICantUseAnyNameIWish Nobody should expect Microsoft to be renewing certificates for their own Surface products if they require a firmware update. Microsoft have "ended support" for most of their Surface products, and even the really expensive Surface Books too, meaning Surface products with hardware still supported by the manufacturers like Nvidia etc. can never be updated to remain secure. There are so many vulnerabilities in older Surface models with OEM supported hardware because Microsoft refuse to let the manufacturers apply updates on them. Never ever buy a Surface product, you'll quickly end up with a computer that can't stop remote code executions or has glitchy drivers. You will not be able to install updated drivers yourself for some hardware, like Nvidia or Intel etc., so don't expect new Secure Boot certificates either.