Refreshing the root of trust: industry collaboration on S…

Microsoft and OEMs are updating Secure Boot certificates expiring June 2026. New certificates are being deployed via Windows Update for supported devices; some systems require firmware updates or OEM steps. Unsupported Windows versions will not receive these certificate updates.

Refreshed root-of-trust Secure Boot certificates are being rolled out across Windows devices. The original 2011 certificates expire in late June 2026, prompting an industry-wide update. This change modernizes boot-level cryptography and prevents aging credentials from weakening platform security.

Main feature/change and impact

Microsoft and OEMs are deploying new Secure Boot certificates via monthly Windows updates and firmware releases. The update replaces certificates that reach end-of-life after 15 years of service. This refresh restores cryptographic strength at firmware boot and enables future boot-level mitigations. Devices that miss the update enter a degraded security state and cannot receive new boot protections.

Practical implications

Most consumer and enterprise systems will get certificates automatically through Microsoft-managed updates. Some in-market devices require an OEM firmware update before Windows can install the new certificates. Unsupported Windows versions do not receive certificates and stay exposed. Administrators should audit device readiness and plan firmware deployment for specialized servers and IoT fleets.

“Security is integral to everything we build at Dell Technologies, and Secure Boot safeguards are critical to maintaining device trust.” – Rick Martinez, Dell Fellow and Vice President, CTO Security, Dell Technologies

For organizations, validate devices using diagnostics and manage any outliers with existing deployment tools. Check OEM support pages for firmware, and monitor Windows Security App messages for update status. If issues arise, escalate via vendor support and Microsoft enterprise channels.

The certificate refresh is a foundational maintenance step for long-term boot security. Follow vendor guidance, apply firmware and monthly updates, and document remediation steps for devices that cannot be auto-updated. Staying current ensures continued compatibility with future OS and firmware security enhancements.

Key points from the article:

  • Secure Boot certificates reach end of lifecycle starting June 2026.
  • Microsoft distributes new certificates through regular monthly Windows Update.
  • Some devices require OEM firmware updates before certificates can install.
  • Unsupported Windows versions will not receive the new certificates.
  • Windows Security App will report certificate update status to users.