Windows Secure Boot Certs Expire in June: What You Must Do

Microsoft's Remediation Plan

Microsoft has developed a phased remediation plan that involves distributing new certificates through both Windows Update and firmware updates from hardware manufacturers. The plan has three stages.

Phase 1: Certificate Distribution (Now through April 2026)

Microsoft is distributing updated certificates through Windows Update as a preparatory measure. The update installs the new certificates into the system's UEFI Secure Boot database alongside the existing certificates, ensuring that both old and new certificates are trusted during the transition period. This update requires a system restart to take effect and must be applied before the old certificates expire.

Phase 2: Bootloader Re-Signing (April through June 2026)

Microsoft will release new versions of the Windows bootloader signed with the updated certificates. These new bootloaders will be distributed through Windows Update and will replace the existing bootloader files on the system's EFI System Partition. Systems that have already received the new certificates from Phase 1 will boot seamlessly with the new bootloader.

Phase 3: Old Certificate Revocation (After June 2026)

After the transition period, Microsoft plans to revoke the expired certificates through a Secure Boot Forbidden Signature Database update. This step is optional and will be deployed gradually to ensure that all systems have had adequate time to transition. Revoking the old certificates prevents them from being exploited by malware that attempts to use bootloaders signed with the compromised certificates.

What Individual Users Should Do

For individual Windows users, the most important action is to ensure that their system is receiving and installing Windows Updates. The certificate update will be delivered as a critical update and will be installed automatically on systems with default Windows Update settings. Users who have disabled automatic updates or deferred updates should manually check for and install all pending updates before June 2026.

Additionally, users should check with their PC manufacturer for UEFI firmware updates. Many manufacturers are releasing firmware updates that include the new certificates and address other Secure Boot issues. These updates are typically available through the manufacturer's support website or through built-in firmware update utilities.

Steps for Home Users

The following checklist will help individual users prepare for the certificate transition. First, open Windows Update and install all pending updates. Second, visit the PC manufacturer's support website and check for available BIOS or UEFI firmware updates for the specific model. Third, if a firmware update is available, follow the manufacturer's instructions to install it, taking care not to interrupt the process. Fourth, after installing updates, verify that Secure Boot is still enabled by opening the System Information utility and checking the Secure Boot State field. Fifth, create a recovery drive as a precaution in case the boot process is disrupted during the transition.

Enterprise IT Considerations

Enterprise IT administrators face a more complex challenge. Large organizations typically manage thousands of PCs across multiple hardware platforms and firmware versions, making it impractical to manually update each system. Microsoft recommends that enterprise administrators inventory their Secure Boot certificate status across all managed devices, test the certificate and bootloader updates in a staging environment before broad deployment, develop a rollback plan in case the update causes compatibility issues with specific hardware or firmware configurations, and coordinate with hardware vendors to obtain firmware updates for all platforms in the fleet.

Microsoft has published detailed technical documentation and PowerShell scripts that administrators can use to query the Secure Boot certificate status of managed devices and identify systems that require attention. The company is also offering direct support through Premier and Unified support contracts for enterprises that need assistance with the transition.

The Broader Security Lesson

The Secure Boot certificate expiration serves as a reminder that even foundational security mechanisms have finite lifespans and require ongoing maintenance. The original 15-year certificate validity period seemed generous when these certificates were issued in 2011, but the longevity of modern hardware means that many systems outlive the security credentials they were built with. As the technology industry moves toward longer hardware lifecycles driven by sustainability goals, the management of security certificate lifespans will become an increasingly important consideration for both manufacturers and users.

This article is based on reporting by msrc.microsoft.com. Read the original article.