
About three months ago, Microsoft published a blog post about expiring Secure Boot certificates and explained why the issue is important and what you need to know about it. Now, as we get closer to the expiration date, the company has published a new support document with more details about the matter.
Microsoft introduced Secure Boot in 2011 as a new method to ensure your computer boots using verified firmware and a trusted bootloader. Years later, Secure Boot became one of Windows 11's hardware requirements alongside Trusted Platform Module as part of Microsoft's push to make devices more secure.
The first Secure Boot certificates are valid for 15 years, and they are about to expire in June 2026. Expired certificates are a big deal because, without them, Windows cannot apply certain updates, which leaves your system vulnerable to bootkits and other malware.
Updating certificates is not something your average Joe does on a regular basis. As such, Microsoft prepared a detailed FAQ section where it answered all the possible questions about expired certificates and what to do with them. If you own a regular home PC that gets updates via Windows Update, there is pretty much nothing to worry about, as Microsoft will make all the necessary updates in the background (another reason why you should not disable Windows Updates for long periods).
If you are on Windows 10 and you do not plan to upgrade to Windows 11, enrolling in the Extended Security Updates program is a must to get updated certificates. The only exception is supported Windows 10 LTSC/LTSB releases, which will continue receiving security updates past October 14, 2025. Microsoft makes it clear that unsupported Windows versions will not get new Secure Boot certificates.
The new FAQ section also addresses the question about upgrading Windows 10 LTSC to Windows 11 LTSC with Secure Boot turned off and an expired certificate. Microsoft explains that such devices will not receive new certificates, and users will have to "follow specific migration steps relevant at that time" to ensure their systems have the 2023 certificates.
There is another important area that the FAQ document explains, which is about PCs that cannot boot after resetting the firmware. Microsoft explains that systems that already use a boot manager with the 2023 certificates will stop booting if users reset firmware to defaults that do not include the Windows UEFI CA 2023 certificate. This can be mitigated by reapplying the certificate using a recovery USB (explained in detail in this document).
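One way to tell in advance which camp a machine falls into is to ask the firmware which certificate authorities its Secure Boot signature database (db) currently trusts. The script below is an added example for this article, not code from Microsoft's support document; it uses the SecureBoot cmdlets that ship with Windows and relies on the fact that the certificate subject names ("Microsoft Windows Production PCA 2011" for the expiring CA, "Windows UEFI CA 2023" for its replacement) appear as plain ASCII inside the db blob. The function name and the warning texts are my own; the technique must be run from an elevated PowerShell session on a UEFI system.

```powershell
# Added example (not from the article or from Microsoft): reports whether the
# firmware's Secure Boot db already trusts the 2023 Windows UEFI CA, so an admin
# can judge how a "reset firmware to defaults" would affect the device.
# Requires an elevated PowerShell on a UEFI system; Get-SecureBootUEFI and
# Confirm-SecureBootUEFI are part of the built-in SecureBoot module.

function Get-SecureBootCaStatus {
    $result = [ordered]@{
        SecureBootEnabled = $false
        Has2011CA         = $false   # Microsoft Windows Production PCA 2011 (expires June 2026)
        Has2023CA         = $false   # Windows UEFI CA 2023 (its replacement)
    }
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
        # db is an EFI_SIGNATURE_LIST blob; the subject names inside the DER-encoded
        # X.509 certificates are ASCII, so a substring match identifies enrolled CAs.
        $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $result.Has2011CA = $dbText -match 'Microsoft Windows Production PCA 2011'
        $result.Has2023CA = $dbText -match 'Windows UEFI CA 2023'
    } catch {
        # Non-UEFI/legacy BIOS machines and some VMs cannot be queried at all.
        Write-Warning "Secure Boot variables could not be read on this system: $_"
    }
    return [pscustomobject]$result
}

$status = Get-SecureBootCaStatus
$status | Format-List

if ($status.SecureBootEnabled -and -not $status.Has2023CA) {
    Write-Warning "db does not yet trust the 2023 Windows UEFI CA; this device depends on the certificate update arriving before June 2026."
}
elseif ($status.Has2023CA) {
    Write-Host "db trusts the 2023 Windows UEFI CA. Note: a firmware reset to factory defaults that omits this CA would stop a 2023-signed boot manager from booting until the certificate is re-applied (see the recovery USB steps)."
}
```

A device that reports `Has2023CA` as true is the kind the FAQ's firmware-reset warning is about, so it is worth recording that fact in asset inventory before anyone resets the firmware; a device that reports false simply has not received the update yet and should keep Windows Update enabled.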
You can read all the questions and answers about expiring Secure Boot certificates in the official document here.