Microsoft has confirmed that it will retire the original Secure Boot certificates issued in 2011, with replacement 2023 certificates rolling out via Windows Update beginning in April 2026. The change, first reported by PhoneWorld, aims to keep the early boot chain protected as the aging certificates approach their June 2026 expiration. For the first time, users will be able to check their device’s certificate status directly in the Windows Security app.

The Certificate Swap: What’s Happening to Your PC’s Secure Boot

Secure Boot is a firmware security feature that verifies every piece of software that loads during startup, from the UEFI firmware to the operating system kernel. It relies on cryptographic certificates and signature databases to ensure that only trusted code runs, creating a chain of trust that’s extremely difficult for malware to break. Those certificates, however, don’t last forever.

The 2011-vintage certificates that underpin Secure Boot on millions of PCs will begin expiring in June 2026. To prevent gaps in protection, Microsoft is pushing a fresh set of certificates issued in 2023. The updated trust material will be deployed through standard Windows Update channels, automatically reaching most consumer and unmanaged business devices. In many cases, the transition will be seamless—no BIOS menus, no manual downloads.

But not every PC is the same. Some systems will need additional firmware updates from their manufacturer before they can fully adopt the new certificates. Microsoft’s guidance makes clear that while the operating system side is handled automatically, the firmware layer may still require a separate update delivered by Dell, Lenovo, HP, or another OEM. This means even relatively modern laptops could show a warning if their firmware isn’t up to date.

The new certificates themselves won’t cause boot failures when the old ones expire. A device will continue to start and run Windows normally. However, without the 2023 certificates, the system won’t be able to receive future Secure Boot-related updates—leaving it increasingly vulnerable to new boot-level threats. That’s a subtle distinction, but a critical one.

What This Means for Your PC

For most home and small business users, the certificate update will look like any other Windows patch: it will download and install automatically in the background. The most visible change is a new status tile inside the Windows Security app, under “Device security” > “Secure Boot.” There, a simple green-yellow-red indicator will tell you whether your device is up to date, approaching the need for action, or already at risk.

If you see a red warning, don’t panic—but do take it seriously. It could mean your firmware needs an update, or that you’re running an older version of Windows that isn’t getting the new certificates. In either case, the Windows Security app will offer plain-language guidance on what to do next. Notifications will begin appearing in May 2026, giving you a month’s head start before the first certificates expire.

Enterprise IT departments face a more complex picture. The certificate transition is not a standard patch; it’s a compliance event that requires inventorying all endpoints, testing firmware compatibility, and coordinating with OEM support contracts. Managed devices that rely on custom images, locked-down update channels, or non-standard boot configurations may need manual intervention. Cloud PCs and Windows 365 instances add another layer, since their virtual firmware may need separate attention.

Microsoft has published separate guidance for IT professionals, including scripts for checking certificate status across fleets. The message is clear: assume nothing. Even devices that receive monthly Windows updates might not automatically get the new Secure Boot material if the firmware handoff fails.

Windows 10 users should pay special attention. Support for Windows 10 ends in October 2025, months before the certificate expiry window opens. Unless you’re enrolled in the Extended Security Updates (ESU) program for businesses, your system may stop receiving important security improvements—including the 2023 certificates. For unmanaged home users still on Windows 10, this creates a hard deadline to upgrade to Windows 11 or risk losing boot-level protections over time.

A Timeline 15 Years in the Making

Secure Boot first appeared in Windows 8, launched in 2012, but its roots go back to the 2011 certificate generation that’s now being retired. The feature was designed to combat bootkits and rootkits—malware that loads before the operating system and can evade traditional antivirus. By anchoring trust in firmware, Secure Boot made it exponentially harder for attackers to hide.

Over the years, the certificate ecosystem grew piecemeal, with Microsoft and OEMs adding signatures for new hardware and software. But the core trust anchors stayed the same. Now, 15 years later, that foundation needs a refresh. Certificate renewal is a normal part of public key infrastructure, and Microsoft has been planning this transition for years to avoid a last-minute scramble.

Past certificate changes—such as the periodic update of Windows root certificates—have been invisible to most users. This time, Microsoft is choosing a different path. By making Secure Boot status visible in a consumer-facing app, the company is acknowledging that firmware security is no longer the exclusive domain of IT admins. The average user needs to know, and the Windows Security app is the vehicle for that knowledge.

The rollout timeline is phased with care:

  • April 2026: Certificate status appears in Windows Security.
  • May 2026: System-level notifications begin alerting users if action is needed.
  • June 2026: The first 2011 certificates start expiring; the window of risk opens for unprepared devices.

This sequencing gives people time to notice, understand, and act—a pattern Microsoft has used for other major changes, like Windows Update health dashboards and end-of-support reminders.

Your Action Plan: Steps to Take Before June 2026

First, know that you likely don’t need to do anything right now if your Windows 11 PC is fully updated and automatic updates are enabled. The new certificates will arrive silently through Windows Update well before the deadline.

But complacency is the real enemy. Here’s a proactive checklist for staying ahead:

  1. Enable automatic updates. If you’re pausing or deferring updates, stop. Go to Settings > Windows Update and turn on “Get the latest updates as soon as they’re available.”
  2. Check your Secure Boot status today. Open the Windows Security app, navigate to “Device security,” and look for the Secure Boot section. Even if the certificate tile hasn’t appeared yet, verify that Secure Boot is enabled. If it’s off, turn it on—but be aware this may require a trip to your UEFI firmware settings.
  3. Update your firmware. Visit your PC manufacturer’s support website and check for UEFI/BIOS updates. Many OEMs push these through Windows Update, but not all. An outdated firmware version is the most likely obstacle to receiving the 2023 certificates.
  4. If you’re on Windows 10, plan your upgrade now. With support ending in October 2025, you’ll want to be on Windows 11 long before June 2026 to ensure continuous security coverage. Microsoft’s PC Health Check tool can confirm compatibility.
  5. For IT admins: Start inventorying your fleet. Use Microsoft’s provided scripts to check certificate status remotely. Identify devices that may lag due to custom images or third-party security software. Open a support case with your OEM to understand their firmware update timelines. Don’t wait until the notifications start appearing.

A critical point to remember: a PC that boots normally is not necessarily a secure PC after June 2026. The absence of boot failures does not mean the certificate transition succeeded. Only the Windows Security app will give you reliable confirmation.

The Road Ahead: More Than a One-Time Fix

Microsoft’s Secure Boot overhaul signals a broader shift toward lifecycle-managed firmware security. The Windows Security app is gradually becoming a central dashboard not just for antivirus and firewall status, but for deep hardware trust indicators. Future updates may surface similar checks for TPM health, kernel DMA protection, or memory integrity status—all in plain language.

The Edge auto-launch reports that surfaced alongside these security changes are a reminder that user trust is fragile. If Windows Update is perceived as intrusive or unpredictable, people may delay even critical security patches. Microsoft must balance its desire to guide users with the need for a predictable, respectful update experience. That balance will be tested as the May 2026 notifications arrive.

Still, the certificate migration itself is a necessary and well-planned step. It closes a gap that has been widening for over a decade, and it does so in a way that acknowledges the different realities of home users, business fleets, and legacy systems. The true measure of success will be quiet: millions of devices seamlessly moving to the new trust chain without anyone noticing the underlying complexity. For a security feature that lives at the deepest layer of the PC, that’s exactly the outcome Microsoft is aiming for.