The nearly expired Secure Boot certificates on Windows 11 24H2 and 25H2 will be replaced with an automatic update.
Microsoft has started automatically replacing expiring Secure Boot certificates on Windows 11 24H2 and 25H2 systems. The measure is intended to prevent devices from losing their secure boot functionality after the expiration date. The current certificates expire in June.
Certificates expire in 2026
Secure Boot ensures that only trusted software can be loaded when starting up a PC with UEFI (Unified Extensible Firmware Interface) firmware. This is done using digital certificates stored in the firmware. Microsoft warned IT administrators back in November that the current certificates will expire in June 2026. Failure to replace them in time could have consequences for both the security and availability of systems.
Microsoft writes in a blog post that it is a normal procedure to renew the certificates over time. The last time this happened was fifteen years ago. “Retiring old certificates and introducing new ones is a standard industry practice that helps prevent outdated credentials from becoming a weak point and ensures that platforms continue to meet modern security expectations.”
According to Microsoft, recent Windows updates now include targeted telemetry to identify devices that are eligible for automatic certificate replacement. Only systems that show sufficient successful update signals will receive the new Secure Boot certificates. Microsoft aims to limit the risk of disruptions and allow the rollout to proceed in a controlled manner.
Most Windows users won’t need to do anything: Secure Boot will be automatically renewed with a Windows update. For a ‘fraction of devices,’ a firmware update is required first, because Secure Boot is embedded in the firmware. Most new PCs that appeared in 2024 and 2025 are already shipped with up-to-date certificates.
Risks of postponement
Companies that do not update the certificates in time risk losing Secure Boot protection and updates for pre-boot components. This can lead to new bootloaders no longer being trusted, with direct consequences for the security of endpoints.
Many devices are automatically updated via Windows Update, but companies can also manually roll out the certificates via registry settings, group policy, or Windows Configuration System. Microsoft recommends first creating an inventory of devices, checking the Secure Boot status, and applying any firmware updates from hardware vendors before installing the new certificates.
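A per-device check along the lines of the inventory step Microsoft recommends, as an added example that is not part of the article or of Microsoft's own tooling. It assumes an elevated PowerShell session on a UEFI system, and it assumes the renewed signing CA appears in the UEFI db variable under the subject string 'Windows UEFI CA 2023' (a name taken from Microsoft's documentation, not from this article).

```powershell
# Added example (not from the article): per-device Secure Boot inventory check.
# Run elevated on a UEFI system. The subject string 'Windows UEFI CA 2023' is an
# assumption drawn from Microsoft documentation; adjust it if your db differs.
function Get-SecureBootInventory {
    $bios = Get-CimInstance Win32_BIOS
    $result = [ordered]@{
        ComputerName    = $env:COMPUTERNAME
        SecureBootOn    = $null
        NewCaInDb       = $null
        FirmwareVendor  = $bios.Manufacturer
        FirmwareVersion = $bios.SMBIOSBIOSVersion
        Note            = ''
    }
    try {
        # Returns $true/$false; throws on legacy BIOS or without admin rights
        $result.SecureBootOn = Confirm-SecureBootUEFI
    } catch {
        $result.Note = "Secure Boot state unavailable: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    # db is a raw EFI_SIGNATURE_LIST blob; the CA subject name is encoded as
    # printable ASCII inside the DER certificate, so a text search is a coarse
    # but serviceable way to see whether the renewed CA has been enrolled.
    $db = Get-SecureBootUEFI -Name db
    $dbText = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
    $result.NewCaInDb = [bool]($dbText -match 'Windows UEFI CA 2023')
    if (-not $result.NewCaInDb) {
        $result.Note = 'Renewed CA not yet in db; check vendor firmware update and Windows Update status first'
    }
    return [pscustomobject]$result
}

Get-SecureBootInventory | Format-List
```

Collecting this output from each device (for example via remoting or an endpoint management tool) gives the inventory of firmware version and Secure Boot state the article says should precede the certificate rollout.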
Microsoft only renews Secure Boot certificates on Windows versions that are still supported. This is particularly important for Windows 10 users who have not enrolled in the ESU program: such devices will continue to function without Secure Boot, but with additional security risks.
This article originally appeared on January 14, 2026 and received an update with the latest information.
