Microsoft's Original Windows Secure Boot Certificate Is Expiring
Dark Reading
Jeffrey Schwartz, Contributing Writer
April 16, 2026
The original Unified Extensible Firmware Interface (UEFI) Secure Boot certificates for Windows will start expiring in late June. Microsoft urged IT and security leaders to apply the updated certificates to all Windows PCs made before 2024 so that those machines continue to receive Secure Boot security updates after the old certificates lapse.
Microsoft added Secure Boot to Windows nearly 15 years ago as a feature of UEFI, the firmware that initializes a PC before Windows launches. Secure Boot checks that only properly signed and approved boot components, such as operating system loaders, UEFI drivers, and option ROMs, are loaded at startup. Because it anchors the chain of trust in the firmware's key stores before any operating system code runs, Microsoft refers to it as the Windows operating system's "foundational trust anchor."
UEFI bootkits such as BlackLotus, FinSpy and MoonBounce are highly privileged malware that implants itself in the boot path ahead of the operating system bootloader. Secure Boot verification runs in firmware before the bootloader is handed control: the firmware refuses to run boot components that are unsigned, signed by an untrusted key, or listed in the revocation database (dbx), which is how it is meant to keep such malware from loading at startup, before the operating system starts.
"It verifies the cryptographic signatures of boot components against a database of authorized keys, blocking unauthorized or tampered software to protect system integrity from the earliest stages of boot," wrote Richard Hicks, president of Richard M. Hicks Consulting, based in Rancho Santa Margarita, Calif.
All PCs designed for Windows 10 and Windows 11 include Secure Boot support. Devices built before 2024 originally shipped with the 2011 Microsoft Secure Boot certificates, while those manufactured in the last two years carry the updated 2023 certificates. Older systems configured for automatic patching, typically personally owned or small-business machines, have most likely already received the 2023 certificates through Windows Update.
In enterprise environments, however, Windows updates are usually not applied automatically; they are rolled out in stages to protect system and application stability, so many managed PCs still boot on the 2011 certificates. The 2023 refresh does not introduce major feature changes. Microsoft says the new certificates renew the root of trust with a longer validity period and split boot-component signing across more narrowly scoped certificate authorities, which Microsoft describes as improved certificate authority (CA) segmentation. The goal is to let Microsoft and PC manufacturers keep signing, updating, monitoring and revoking boot components securely for years to come.
Nuno Costa, a program manager on Microsoft's Windows service delivery team, recently described the Secure Boot refresh as one of the largest coordinated security maintenance efforts across the Windows ecosystem. "The Secure Boot certificate update marks a generational refresh of the trust foundation that modern PCs rely on at startup," Costa wrote in a blog post.
Missing the Deadline
To keep systems protected, Microsoft recommends prioritizing the Secure Boot certificate update ahead of the June 24 expiration. PCs will continue to boot and run with the original certificates, but once those certificates expire Microsoft can no longer sign new boot components or revocation-list updates that such devices will trust, so un-updated PCs stop receiving Secure Boot security fixes.
Hicks says organizations should act now to update Secure Boot certificates on all endpoints. "If the Microsoft UEFI Secure Boot certificate expires, endpoints are vulnerable to potential future threats, as updates to the UEFI databases (DB and DBX) will fail," he warns.
To ease this transition, Microsoft this month began rolling out a new indicator in the Windows Security app that displays the status of a PC's Secure Boot certificates. Users with administrator access can see whether the device has the updated certificates under Device Security > Secure Boot. Microsoft plans to add notifications and remediation directions next month.
Hicks says that will be helpful, especially to consumers and small business users. "There's been a lot of confusion to this point about which systems are up to date, and which are not," he says. "The verification checks involved looking at registry keys or using tools like my Get-UEFICertificate PowerShell script to validate Secure Boot certificate updates. Having a clear, simple visual cue in the UI eliminates any ambiguity about the update status."
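The registry and certificate checks Hicks describes, and the db/dbx verification the article outlines, can be inventoried directly from an elevated PowerShell session. The script below is an added example; it is not code from the article, from Hicks' Get-UEFICertificate script, or from Microsoft. It uses the built-in SecureBoot module cmdlets (Get-SecureBootUEFI, Confirm-SecureBootUEFI), parses the EFI_SIGNATURE_LIST structures in the KEK, db and dbx variables according to the UEFI specification, and reads each certificate's own expiry date rather than assuming one. Assumptions: Windows 10/11 on UEFI firmware, drive letter S: free for mounting the EFI System Partition, the 2023 certificate names as Microsoft publishes them, and the registry value UEFICA2023Status under the SecureBoot\Servicing key as described in Microsoft's guidance (confirm that name against the current playbook before relying on it).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article, Hicks or Microsoft). Inventories the UEFI
# Secure Boot trust stores and reports whether the 2023 refresh has been applied.
# Assumes Windows 10/11 on UEFI firmware, an elevated session, and drive S: free.

# Signature-type GUIDs from the UEFI specification.
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-EfiSignatureEntries {
    # Walk consecutive EFI_SIGNATURE_LIST headers:
    #   SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4) | SignatureSize (4)
    # then SignatureHeaderSize bytes, then entries of SignatureSize bytes, each an
    # EFI_SIGNATURE_DATA = SignatureOwner GUID (16) + SignatureData.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $listType   = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        $listEnd    = $offset + $listSize
        # Reject sizes that would loop forever or read past the buffer (corrupt variable).
        if ($listSize -lt 28 -or $sigSize -le 16 -or $listEnd -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $entryOffset = $offset + 28 + $headerSize
        while ($entryOffset + $sigSize -le $listEnd) {
            $owner = [guid]::new([byte[]]$Bytes[$entryOffset..($entryOffset + 15)])
            $data  = [byte[]]$Bytes[($entryOffset + 16)..($entryOffset + $sigSize - 1)]
            $entry = [pscustomobject]@{ Type = $listType; Owner = $owner; Subject = $null; NotAfter = $null; Thumbprint = $null }
            if ($listType -eq $EFI_CERT_X509_GUID) {
                # db/KEK entries are DER X.509 certificates; take the real expiry from the cert.
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Subject    = $cert.Subject
                $entry.NotAfter   = $cert.NotAfter
                $entry.Thumbprint = $cert.Thumbprint
            } elseif ($listType -eq $EFI_CERT_SHA256_GUID) {
                # dbx is mostly SHA-256 hashes of revoked binaries.
                $entry.Subject = 'SHA256:' + ([BitConverter]::ToString($data) -replace '-')
            }
            $entry
            $entryOffset += $sigSize
        }
        $offset = $listEnd
    }
}

function Get-BootManagerIssuer {
    # Mount the EFI System Partition and read who issued the Authenticode signer of
    # bootmgfw.efi: "Microsoft Windows Production PCA 2011" on an un-updated PC,
    # "Windows UEFI CA 2023" once the new boot manager has been applied.
    if (Test-Path 'S:\') { throw 'Drive S: is already in use; choose another letter.' }
    mountvol S: /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature -FilePath 'S:\EFI\Microsoft\Boot\bootmgfw.efi'
        $issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { $null }
        [pscustomobject]@{ Status = $sig.Status; Issuer = $issuer }
    } finally {
        mountvol S: /D | Out-Null
    }
}

function Get-SecureBootCertStatus {
    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not enabled on this machine.' }
    $kek = @(Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name KEK).Bytes)
    $db  = @(Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name db).Bytes)
    $dbx = @(Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name dbx).Bytes)
    $boot = Get-BootManagerIssuer
    # Servicing status value name taken from Microsoft's guidance (assumption: verify against the playbook).
    $status = 'n/a'
    $servicing = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
    if ($servicing -and $servicing.PSObject.Properties['UEFICA2023Status']) { $status = $servicing.UEFICA2023Status }

    [pscustomobject]@{
        # Certificate names as published by Microsoft for the 2023 refresh.
        KEK2023Present          = [bool]($kek.Subject -match 'Microsoft Corporation KEK 2K CA 2023')
        WindowsUefiCA2023InDb   = [bool]($db.Subject  -match 'CN=Windows UEFI CA 2023')
        MicrosoftUefiCA2023InDb = [bool]($db.Subject  -match 'CN=Microsoft UEFI CA 2023')
        OptionRomCA2023InDb     = [bool]($db.Subject  -match 'Microsoft Option ROM UEFI CA 2023')
        BootManagerIssuedBy2023 = [bool]($boot.Issuer -match 'Windows UEFI CA 2023')
        BootManagerSigStatus    = $boot.Status
        # Expiry dates of the 2011 CAs, read from the certificates themselves.
        Expiring2011Certs       = @($db + $kek | Where-Object { $_.Subject -match '2011' } |
                                    ForEach-Object { '{0} expires {1:yyyy-MM-dd}' -f $_.Subject, $_.NotAfter })
        DbxRevocationEntries    = $dbx.Count
        UEFICA2023Status        = $status
    }
}

Get-SecureBootCertStatus | Format-List
```

Read the output as a sequence, not a single flag: a PC whose db already lists the 2023 CAs but whose boot manager is still issued by the 2011 Production PCA has only completed part of the refresh, and the 2011 revocation must not be pushed to dbx on such a machine until BootManagerIssuedBy2023 is true, or it will no longer boot. The Expiring2011Certs field shows the actual NotAfter dates embedded in the firmware's copies of the old certificates, which is the ground truth to compare against any deadline quoted in guidance.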
It is also important to note that while mainstream support for Windows 10 ended last fall, Windows 10 devices enrolled in Microsoft's Extended Security Update (ESU) program, a paid service that provides security updates for versions that are otherwise out of support, will still receive the new Secure Boot certificates. Windows 10 PCs not in the ESU program, however, will not get the certificates automatically. Secure Boot itself stays enabled on those machines, but as the 2011 certificates expire they gradually lose the ability to receive Secure Boot updates such as new boot manager signatures and dbx revocations.
Microsoft urges CISOs and administrators to immediately consult its playbook for preparing for the Secure Boot 2011 certificate expiration, conduct a thorough inventory, review deployment steps, and confirm OEM firmware prerequisites. Ask questions and take steps now to ensure ongoing security.
About the Author
Jeffrey Schwartz
Contributing Writer
Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.