Microsoft recently reminded users that the certificate used to sign Secure Boot components in the Windows ecosystem is about to undergo an upgrade. The initial Secure Boot certificate, which has been used for more than 15 years since the launch of Windows 8, will expire in June 2026 and must be replaced by a new certificate to maintain security during the system startup phase.

Secure Boot is a firmware-level security feature introduced as part of the UEFI specification. Its core purpose is to prevent potentially malicious boot code from being loaded before the operating system starts. Its root of trust (certificates and keys) therefore needs to be updated periodically, so that aging credentials do not become a weak point that attackers can exploit. Nuno Costa, program manager in Microsoft's Windows Servicing and Delivery group, wrote in an official blog post that retiring old certificates and introducing new ones is standard industry practice and keeps the platform aligned with modern security expectations.

Microsoft already released a new version of the Secure Boot certificate in 2023, but the original certificate has been responsible for validating the boot process since Windows 8. Users and enterprises can obtain the new certificates through several trusted channels, including UEFI firmware updates released by motherboard manufacturers. Microsoft will also integrate the new certificates into its monthly patches and security updates, distributed automatically through Windows Update, and enterprise environments can use their usual management tools to control the rollout. Microsoft describes this certificate update as one of the largest coordinated security maintenance operations in the Windows ecosystem.

Since Secure Boot runs at the firmware layer and directly affects how a PC boots, this upgrade requires Microsoft to work closely with hardware manufacturers, OEMs, and other partners to update the firmware on millions of Windows devices and avoid chain reactions such as widespread boot failures. Devices still within Microsoft's support cycle (including Windows 11 machines and Windows 10 machines enrolled in the Extended Security Update program) can receive the new certificate through Windows Update, while older PCs will not be able to install this update and will be left comparatively less secure.

Costa pointed out that devices still relying on the old 2011 certificate will continue to boot normally in the short term, but will be considered to be in a "downgraded" security state, and such devices may not receive new firmware-level protections in the future. As new boot-layer vulnerabilities are discovered, systems that cannot install the corresponding mitigations will remain exposed, and that exposure grows over time; in the long run it may also cause compatibility issues. For example, updated operating systems, firmware, hardware, or software that relies on Secure Boot may no longer be able to load. PC manufacturers such as Dell have published instructions for checking whether a system supports the new Secure Boot certificate, so that users can confirm the status of their devices.
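The check described above can also be done directly from Windows, without vendor-specific tooling. The following script is an added example written for this page; it is not code from the article, from Microsoft, or from Dell. It reads the firmware's Secure Boot signature database (db) and Key Exchange Key (KEK) variables with the built-in SecureBoot cmdlets and reports which Microsoft certificate authorities are present. The certificate subject strings it searches for (the 2011 CAs and their 2023 replacements) are taken from Microsoft's published CA names and are an assumption of this example, as is the availability of the SecureBoot PowerShell module on the machine.

```powershell
# Added example (not from the article, Microsoft, or Dell): report whether this
# machine's firmware still trusts only the 2011 Secure Boot CAs or has received
# the 2023 replacements. Run from an elevated PowerShell prompt on a UEFI system.
# Assumptions: the SecureBoot module is available (Windows 8 and later), and the
# subject names below match Microsoft's published CA certificate names.

function Get-SecureBootCaStatus {
    # Confirm-SecureBootUEFI throws on legacy BIOS machines; report that rather than fail.
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        return [pscustomobject]@{
            SecureBootEnabled = $false
            Verdict           = 'Firmware does not expose Secure Boot (legacy BIOS or unsupported)'
        }
    }

    # Read the raw db and KEK variables. Certificate subject names inside the
    # DER-encoded blobs are plain ASCII, so a substring search over the bytes is
    # enough to tell which CAs are enrolled without parsing the EFI_SIGNATURE_LIST.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    $present = [ordered]@{
        # 2011-era CAs that expire in June 2026 (the ones the article refers to)
        'db:  Microsoft Windows Production PCA 2011' = [bool]($db  -match 'Microsoft Windows Production PCA 2011')
        'db:  Microsoft Corporation UEFI CA 2011'    = [bool]($db  -match 'Microsoft Corporation UEFI CA 2011')
        'KEK: Microsoft Corporation KEK CA 2011'     = [bool]($kek -match 'Microsoft Corporation KEK CA 2011')
        # 2023 replacements that firmware or Windows Update is expected to enroll
        'db:  Windows UEFI CA 2023'                  = [bool]($db  -match 'Windows UEFI CA 2023')
        'db:  Microsoft UEFI CA 2023'                = [bool]($db  -match 'Microsoft UEFI CA 2023')
        'KEK: Microsoft Corporation KEK 2K CA 2023'  = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')
    }

    $has2011 = $present['db:  Microsoft Windows Production PCA 2011'] -or $present['db:  Microsoft Corporation UEFI CA 2011']
    $has2023 = $present['db:  Windows UEFI CA 2023'] -or $present['db:  Microsoft UEFI CA 2023']

    $verdict = if (-not $enabled)          { 'Secure Boot is supported but currently disabled' }
               elseif ($has2023)           { 'Updated: 2023 CA(s) are enrolled in db' }
               elseif ($has2011)           { 'Downgraded: only 2011 CA(s) in db; 2023 CA(s) not yet enrolled' }
               else                        { 'No Microsoft CA found in db (custom or vendor-only trust store)' }

    [pscustomobject]@{
        SecureBootEnabled = $enabled
        Certificates      = $present
        Verdict           = $verdict
    }
}

# Usage: print the per-CA table followed by the one-line verdict.
$status = Get-SecureBootCaStatus
$status.Certificates | Format-Table -AutoSize
$status.Verdict
```

A machine whose db already lists a 2023 CA will keep booting 2023-signed boot managers after June 2026; one that reports only the 2011 CAs is in the "downgraded" state the article describes and should be checked for a pending firmware or Windows Update. Note that the KEK entry matters for receiving future db updates through Windows Update, so a result with 2023 entries in db but only the 2011 KEK is worth following up with the OEM's own instructions.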

For computers that do not enable Secure Boot at all, daily operations will generally not be directly affected. Secure Boot has, however, suffered several serious security incidents since its introduction, including "PKfail", which exposed implementation and key-management weaknesses. Nevertheless, the mechanism is increasingly becoming a mandatory requirement for some online games and MOBAs, which means that users running Linux, or older but still sufficiently powerful gaming hardware, may face exclusion or higher barriers to entry when playing these new-generation games.