Microsoft’s original Secure Boot certificate chain—the cryptographic bedrock that ensures your PC only boots trusted software—will begin expiring in June 2026, with the Windows boot-loader certificate following in October. For the vast majority of Windows users, these expirations will be a non-event thanks to automatic updates that renew the trust chain well before the deadlines. But for those running older, unpatched systems or custom boot configurations, the clock is ticking.

The Expiration Timeline at a Glance

Three critical dates now sit on the horizon for every Windows PC that relies on Secure Boot:

  • June 24, 2026 – The root certificate from Microsoft’s original 2011 Secure Boot key hierarchy expires.
  • June 27, 2026 – A second root certificate, used as an alternate root, also expires.
  • October 19, 2026 – The certificate that signs the Windows boot loader (bootmgfw.efi) expires.

These dates aren’t arbitrary. They reflect the 15-year lifespan built into the original Secure Boot certificate chain when it was first introduced alongside Windows 8 in 2011. Now, nearly a decade and a half later, that clock is running out, and the expiry forces a long-planned transition to a newer certificate hierarchy.

What Is Secure Boot and Why Does a Cert Expiry Matter?

Secure Boot is a UEFI firmware security feature that verifies the digital signature of every piece of code loaded during the boot process—from the firmware itself to the operating system’s boot loader. If the signature doesn’t match a trusted certificate, the firmware refuses to load the code, blocking rootkits and bootkits before they can launch.

Think of certificates as digital passports. The root certificate is the ultimate authority; it signs the intermediate certificates, which in turn sign the boot-loader certificate. When any of these expire, the firmware treats them as invalid—like a passport that’s past its expiry date. An expired boot-loader certificate would prevent Windows from starting, leading to a “Secure Boot Violation” or similar blue-screen error.

How Microsoft Is Keeping Your PC Booting

Microsoft has been preparing for this rollover for years. The company isn’t waiting for the certificates to die; it’s already pushing updated certificates through Windows Update and UEFI firmware updates from device manufacturers. Here’s how the renewal works in practice:

  • Windows Update delivers new boot loaders – Starting well before the 2026 dates, cumulative updates have included fresh versions of bootmgfw.efi signed with a new certificate that chains up to a new root. These are typically bundled into monthly security updates, so any system that applies the latest patches automatically gets the new signed boot files.
  • DB/DBX updates in the UEFI firmware – The UEFI Secure Boot signature database (DB) and forbidden signature database (DBX) get updated with the new certificates and, in some cases, revoked old ones. These updates often come via firmware capsules from your PC or motherboard vendor. Windows Update can also deliver certain DB/DBX updates directly on modern systems.
  • New root certificate already present – Microsoft initially included a replacement root certificate in Windows 8.1 and Server 2012 R2, then made it broadly available. This new root (often called the “Windows UEFI CA 2023”) has a lifespan stretching into the 2030s, giving everyone plenty of headroom.

In short, if your Windows 10 or Windows 11 PC is actively receiving updates—and if you’ve installed recent firmware from your OEM—you already have the new certificate chain. The old certificates expiring in 2026 are simply being deprecated; the new ones will take over seamlessly.

Who Is Actually at Risk?

Despite the broad safety net, a few corners of the Windows ecosystem may still trip over these expirations:

  1. Systems stuck on pre-Windows 8.1 UEFI firmware – Some early Windows 8-era PCs might not have the updated root certificate in their firmware DB. If the OEM never released a firmware update (and many older consumer devices are abandoned after 3–5 years), those machines might not trust the new boot loader once the old root expires. A subsequent Windows Update that pushes the new bootmgfw.efi could brick the boot process on such hardware.
  2. Custom-built or dual-boot setups – Enthusiasts running custom UEFI configurations, multiple operating systems, or self-compiled boot loaders may not automatically receive DB/DBX updates. They might need to manually enroll the new Microsoft root or toggle Secure Boot off to keep booting.
  3. Enterprise images that lock down UEFI – Organizations that use a locked-down UEFI policy and don’t allow firmware updates from Windows could block the necessary DB updates. IT admins must test and deploy updated firmware images before the 2026 cutoff.
  4. Virtual machines – While Hyper-V, VMware, and VirtualBox generally use a virtualized Secure Boot that follows the host’s updates, some VM configurations might rely on older templates. Admins should ensure guest VMs pull the latest boot modules.

Microsoft has stated that “most Windows PCs will keep booting normally,” and that’s true: the update mechanism is robust. But “most” is not “all,” and the long tail of unpatched or orphaned hardware will certainly feel the pinch.

The October 2026 Boot-Loader Certificate: The Real Flashpoint

While the root certificate expirations are handled transparently by back-end trust chains, the boot-loader certificate expiry on October 19, 2026, is more visible. Every time Windows boots, the firmware checks the signature on bootmgfw.efi. If that certificate has expired—and if the firmware hasn’t been told to trust the replacement—the boot fails.

Microsoft’s mitigation is straightforward: ship a new bootmgfw.efi signed with a certificate that chains to the new root, and push it via Windows Update well before October. The tricky part is ensuring the firmware’s DB contains the new root. That’s where OEM firmware updates become essential. Fortunately, devices that support Windows 11 (which requires TPM 2.0 and a relatively modern UEFI) likely already have the new root; many Windows 10 devices received it through cumulative updates as far back as 2023.

Real-World Precedents: The 2023 Boot Manager Revocations

This isn’t the first rodeo. In May 2023, Microsoft revoked several old boot managers vulnerable to the “BlackLotus” bootkit, enforcing new DBX entries that blocked those binaries. That change caused headaches for a small number of users with outdated boot media or recovery partitions, but it also proved that the update ecosystem works: the overwhelming majority of devices absorbed the revocation without a hiccup.

The 2026 certificate expirations are a much softer event because they don’t involve revocations—just a natural expiry that triggers a planned move to newer certificates. If anything, the industry has learned from past Secure Boot migrations and is better prepared.

What You Should Do Right Now

For most consumers, the answer is simple: do nothing beyond keeping Windows Update on and occasionally checking your OEM’s support page for a firmware update. But a few concrete steps can eliminate surprises:

  • Confirm you’re running the latest Windows version – Open Settings → Windows Update and install all available updates, especially anything labeled “cumulative” or “security.” These often contain critical boot-loader updates.
  • Check your UEFI firmware version – On Windows 10/11, run msinfo32.exe and note the “BIOS Version/Date” line. Then visit your PC manufacturer’s support site, enter your model or service tag, and compare dates. If a firmware update from mid-2023 or later is available, install it.
  • Avoid disabling Secure Boot – Some online guides suggest turning off Secure Boot as a workaround. Unless you’re absolutely stuck on unsupported hardware, keeping Secure Boot enabled is safer and ensures you’ll receive future DB updates.
  • Test your boot chain – Power users can open a PowerShell prompt and run Confirm-SecureBootUEFI. A $True result means Secure Boot is on and your current configuration is valid. For a deeper dive, mount your EFI system partition and inspect the signature on \EFI\Microsoft\Boot\bootmgfw.efi using sigcheck.exe from Sysinternals—though this is overkill for most.
  • Businesses and IT admins – Audit your fleet. Use tools like Windows Update for Business, Microsoft Intune, or Configuration Manager to verify that all managed endpoints have installed recent updates. Create a pilot group for firmware updates and test boot loops before broad deployment. Consider setting a deadline for UEFI updates well before October 2026.
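The checks in the list above (Confirm-SecureBootUEFI, the "BIOS Version/Date" line from msinfo32, and the signature on bootmgfw.efi), plus the one the October 2026 section calls essential, whether the firmware's DB already trusts the CA that issued the installed boot manager's signing certificate, can be gathered in a single elevated PowerShell run. The script below is an added example written for this article; it is not a Microsoft tool and not code from the article. It assumes Windows 10/11 booted in UEFI mode with the built-in SecureBoot cmdlets available, that drive letter S: is free for temporarily mounting the EFI system partition, and that the new CA's subject contains the name the article gives it, "Windows UEFI CA 2023". The DB parser follows the EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout from the UEFI specification.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the article, not a Microsoft tool).
# Assumes: Windows 10/11 booted in UEFI mode, the SecureBoot PowerShell module,
# and that drive letter S: is free for temporarily mounting the EFI system partition.

function Get-UefiSignatureCertificates {
    # Walk the raw DB variable: a sequence of EFI_SIGNATURE_LIST structures, each
    # holding entries of one signature type. Only X.509 entries are returned.
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID from the UEFI spec
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $sigType    = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        # A truncated or zero-length list means the variable is malformed; stop rather than loop forever.
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) { break }

        if ($sigType -eq $x509Guid -and $sigSize -gt 16) {
            $p   = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while ($p + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA = 16-byte SignatureOwner GUID, then the DER-encoded certificate
                $der = [byte[]]$Bytes[($p + 16)..($p + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $p += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Test-SecureBootReadiness {
    $r = [ordered]@{}

    # 1. Is Secure Boot enforcing? The cmdlet throws on legacy BIOS or non-UEFI firmware.
    try   { $r.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $r.SecureBootEnabled = $null }

    # 2. Firmware version and date: the same values msinfo32 shows as "BIOS Version/Date".
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $r.FirmwareVersion = $bios.SMBIOSBIOSVersion
    $r.FirmwareDate    = $bios.ReleaseDate

    # 3. Which CAs does the firmware DB trust, and when do they expire?
    $dbCerts = @(Get-UefiSignatureCertificates -Bytes (Get-SecureBootUEFI -Name db).Bytes)
    $r.DbCertificates          = $dbCerts | Select-Object Subject, NotAfter
    $r.DbHasWindowsUefiCa2023  = [bool]($dbCerts | Where-Object Subject -like '*Windows UEFI CA 2023*')
    $r.DbCertsExpiringBy2026   = @($dbCerts | Where-Object { $_.NotAfter.Year -le 2026 } |
                                   Select-Object -ExpandProperty Subject)

    # 4. Which certificate signed the installed boot manager, and is its issuer in the DB?
    mountvol S: /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature -FilePath 'S:\EFI\Microsoft\Boot\bootmgfw.efi'
        $r.BootMgrSignatureStatus   = $sig.Status
        $r.BootMgrSigner            = $sig.SignerCertificate.Subject
        $r.BootMgrSignerIssuer      = $sig.SignerCertificate.Issuer
        $r.BootMgrSignerExpires     = $sig.SignerCertificate.NotAfter
        # Direct-issuer match by subject name; a boot manager whose issuing CA is absent here
        # is the case the article warns about once the old chain expires.
        $r.BootMgrIssuerTrustedByDb = $dbCerts.Subject -contains $sig.SignerCertificate.Issuer
    }
    finally { mountvol S: /D | Out-Null }

    [pscustomobject]$r
}

Test-SecureBootReadiness | Format-List
```

Run it from an elevated PowerShell; the output is one object per device, so for a fleet audit the same function can be invoked through Invoke-Command and the objects collected centrally. DbCertsExpiringBy2026 lists exactly the certificates whose expiry the article describes, and BootMgrIssuerTrustedByDb is false on a machine that received the newly signed boot manager without the firmware DB update that trusts its CA. The issuer check matches subject names only, which is enough for the direct-issuer relationship between the boot manager's signing certificate and the CA entry in DB but is not a full chain validation.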

The Bigger Security Picture

Certificate expiration isn’t a bug; it’s a feature. The finite lifespan forces a periodic refresh of cryptographic material, reducing the window in which stolen or compromised certificates can be used. Microsoft’s 15-year horizon was generous—many certificate authorities now issue TLS certificates valid for only a year—and the move to a new root with stronger keys and more modern algorithms only strengthens the platform.

What’s less ideal is the fragmented update model for UEFI. Unlike the operating system, firmware updates still rely heavily on each OEM, and not all vendors are diligent. The lack of a unified, mandatory firmware update system remains a weak point, and it’s one reason why some perfectly capable PCs will eventually fall out of Secure Boot compliance through no fault of the user.

Looking beyond 2026, Microsoft is already working on a third-generation Secure Boot CA—sometimes referred to as the “Windows UEFI CA 2030s”—which will further decouple boot-loader signing from operating system version updates. That evolution points toward a future where certificate rollover becomes as routine as any other monthly patch.

Summary

Microsoft’s original Secure Boot certificate chain expires across three dates in June and October 2026, but the vast majority of updated Windows PCs are already protected by a newer certificate hierarchy. Users on older, unpatched hardware or custom boot configurations need to verify they’ve received both Windows Updates and OEM firmware updates to avoid boot failures. The event underscores the importance of consistent firmware and OS updates in maintaining platform security.