Microsoft is preparing for the June 2026 expiration of original Secure Boot certificates, requiring many Windows users to update their system firmware to maintain essential device security protections.

Key Points

• Original Secure Boot certificates issued in 2011 are scheduled to expire across Windows devices in June 2026.
• Most Windows 11 PCs will receive updated UEFI CA 2023 certificates automatically through standard Windows Update channels.
• Older systems or unsupported Windows 10 devices may require manual firmware updates from OEMs to remain secure.
• Windows 10 users must be enrolled in the Extended Security Update (ESU) program to receive the necessary certificate patches.
• Users can verify their current certificate status by running a specific PowerShell command to check for the "Windows UEFI CA 2023" string.

Why it Matters

The expiration of these certificates poses a significant security risk, as outdated systems may face boot-phase vulnerabilities and potential software or driver compatibility failures. While PCs will not stop functioning immediately, failing to update could leave millions of older devices permanently exposed to security threats.