Microsoft is refreshing Secure Boot certificates to plug security holes before they happen — if you bought a PC last year, you should be set

News
By published

Be sure to keep Windows 11 systems updated to get refreshed security certificates.

Windows 11
(Image credit: Microsoft)

Microsoft is issuing new Secure Boot certificates to Windows PC users, as the initial certificates are reaching the end of a planned lifespan after 15 years and are set to expire in June 2026.

The company has been issuing new certificates as part of Windows updates for personal users, businesses, and schools that let Microsoft manage their updates.

Secure Boot is a process that runs at startup, prior to Windows loading, and uses cryptographic keys to verify that only trusted software can run. In a blog post, Nuno Costa, the partner director for Windows servicing and delivery, writes that "Retiring old certificates and introducing new ones is a standard industry practice that helps prevent aging credentials from becoming a weak point and keeps platforms aligned with modern security expectations."

But if you bought a PC in 2025, you're probably already set. Costa writes that Microsoft has been working with OEM partners, which have been obtaining new certificates since 2024. Machines from OEMs starting from 2024 and "almost all" systems shipped in 2025 already have new Secure Boot certificates. So if you bought one of the best ultrabooks or best gaming laptops, you should be in the clear.

If your certificate expires, your PC should function as expected, though its security will be compromised.

"As new boot‑level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations," Costa writes. “Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware, or Secure Boot–dependent software may fail to load."

Google Preferred Source

Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.

Andrew E. Freedman
Andrew E. Freedman

Andrew E. Freedman is a senior editor at Tom's Hardware focusing on laptops, desktops and gaming. He also keeps up with the latest news. A lover of all things gaming and tech, his previous work has shown up in Tom's Guide, Laptop Mag, Kotaku, PCMag and Complex, among others. Follow him on Threads @FreedmanAE and BlueSky @andrewfreedman.net. You can send him tips on Signal: andrewfreedman.01

14 Comments Comment from the forums
  • LiarsICantUseAnyNameIWish
    Nobody should expect Microsoft to be renewing certificates for their own Surface products if they require a firmware update. Microsoft have "ended support" for most of their Surface products, and even the really expensive Surface Books too, meaning Surface products with hardware still supported by the manufacturers like Nvidia etc can never be updated to remain secure. There are so many vulnerabilities in older Surface models with OEM supported hardware because Microsoft refuse to let the manufacturers to apply updates on them. Never ever buy a Surface product, you'll quickly end up with computer that can't stop remote code executions or has glitchy drivers. You will not able to install updated drivers yourself for some hardware, like Nvidia or Intel etc, so don't expect new Secure Boot certificates neither.
    Reply
  • JRStern
    I have no idea what this means. Does it mean my Win10 system will no longer boot?
    Reply
  • ravewulf
    I intentionally turned Secure Boot off when I built this system. Also disabled the TPM and avoided BitLocker like the plague. Living dangerously and having no issues :P (well, unrelated issues but whatever)
    Reply
  • USAFRet
    JRStern said:
    I have no idea what this means. Does it mean my Win10 system will no longer boot?
    No, it will boot just fine.

    https://support.microsoft.com/en-us/topic/when-secure-boot-certificates-expire-on-windows-devices-c83b6afd-a2b6-43c6-938e-57046c80c1c2
    Reply
  • bigdragon
    JRStern said:
    I have no idea what this means. Does it mean my Win10 system will no longer boot?
    No, your system will still boot normally. These changes to Secure Boot have 2 significant effects:
    If you have a newer device, then you probably only have the 2023 certificates now. The 2023 certificates will continue to be supported for at least the next decade.
    If you have an older device then you'll have both the expiring 2011 certs and the new 2023 certs. Your unsupported firmware and software will still work with the 2011 certs while supported firmware and software gets signed for use with the 2023 certs.The problem with keeping the 2011 certificates around is that they've accumulated a lot of revocation records during their lifespan. The expiration of these certificates also means the end of support is near. New revocation records may no longer be maintained which could open your boot process up to vulnerabilities (could as in maybe; not a guarantee).
    Reply
  • MadocOwain
    bigdragon said:
    No, your system will still boot normally. These changes to Secure Boot have 2 significant effects:
    If you have a newer device, then you probably only have the 2023 certificates now. The 2023 certificates will continue to be supported for at least the next decade.
    If you have an older device then you'll have both the expiring 2011 certs and the new 2023 certs. Your unsupported firmware and software will still work with the 2011 certs while supported firmware and software gets signed for use with the 2023 certs.The problem with keeping the 2011 certificates around is that they've accumulated a lot of revocation records during their lifespan. The expiration of these certificates also means the end of support is near. New revocation records may no longer be maintained which could open your boot process up to vulnerabilities (could as in maybe; not a guarantee).
    For gamers who play games that require Secure Boot for anti-cheat software, this could also mean they'd be unable to play.
    Reply
  • MoxNix
    "Plug security holes before they happen"

    Sounds like a protection racket
    Reply
  • bigdragon
    MadocOwain said:
    For gamers who play games that require Secure Boot for anti-cheat software, this could also mean they'd be unable to play.
    Nonsense. Secure Boot was never intended to support video game anti-cheat. I have my own custom DB certificates installed in addition to the Microsoft ones (2011 and 2023). The anti-cheat software is only looking to make sure Secure Boot is enabled and that Microsoft's binaries have established a chain of trust. Anti-cheat has never once complained about my custom certs or the binaries I've signed.
    Reply
  • MadocOwain
    bigdragon said:
    Nonsense. Secure Boot was never intended to support video game anti-cheat. I have my own custom DB certificates installed in addition to the Microsoft ones (2011 and 2023). The anti-cheat software is only looking to make sure Secure Boot is enabled and that Microsoft's binaries have established a chain of trust. Anti-cheat has never once complained about my custom certs or the binaries I've signed.
    I applaud your ingenuity, and would ask you to post a link to a blog about your experiences to share with other gamers who may not have implemented this solution. However, none of that invalidates my response.
    Reply
  • Jame5
    "We continue to encourage customers to always use a supported version of Windows for best performance and protection."

    Then stop loading up your supported OS versions with bloatware/spyware/crapware.
    Reply