Microsoft to Roll Out New Secure Boot Certificates to Keep Old Windows PCs Secure

Laurent Giret
Feb 10, 2026
6

Windows 11 PC

Microsoft announced today that it’s preparing to roll out new Secure Boot certificates via Windows Update to keep old PCs secure. The first Secure Boot certificates, which are stored in a PC’s firmware, will start expiring in late June 2026, and these devices will need refreshed certificates to remain protected from boot‑level vulnerabilities.

For those unfamiliar, Microsoft introduced its Secure Boot technology back in 2011, and it’s designed to block untrusted code from running before Windows loads. Secure Boot operates at the firmware level and has been a foundational part of the Windows 11 security model. However, it relies on security certificates that need to be refreshed to guarantee the best protection against boot‑level attacks, which are becoming increasingly sophisticated.

“Our ecosystem partners play a critical role in the transition to the new Secure Boot certificates. OEMs have been provisioning updated certificates on new devices and many newer PCs built since 2024, and almost all the devices shipped in 2025, already include the certificates and require no action from customers,” explained Nuno Costa, Partner Director, Windows Servicing and Delivery.

On PCs that require new Secure Boot certificates, the new bits should be automatically installed via Windows Update. However, Microsoft noted that a fraction of devices may require a separate firmware update issued by the PC manufacturer before the new Secure Boot certificates can be installed via Windows Update.

If old PCs that won’t receive the new certificates will continue to work, they will become exposed to new boot-level security threats. “Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware or Secure Boot–dependent software may fail to load.”

To receive new Secure Boot certificates as expected, Microsoft recommends that Windows users check their OEM support pages to see if they have the latest firmware updates. Devices running unsupported versions of Windows 10 and Windows 11 also won’t receive the new certificates. However, Windows 10 users enrolled in the Extended Security Updates program will receive them.

Tagged with

Windows 11

About author

Laurent Giret

Laurent is a Senior News Editor at Thurrott.com, helping Paul Thurrott with daily news coverage. He's been writing about the technology industry for 10 years, mainly focusing on Big Tech companies. He also was the Editorial Manager of the Petri IT Knowledgebase from 2022 to 2023. You can follow Laurent on LinkedIn, X (Twitter), Threads, Bluesky, Facebook, and Mastodon.

View Articles

Currently on Forums
Visit the forums
- Mac – Paint and general whining
  Posted by basic sandbox
  
  3
  comments
- Taken
  Posted by Paul Thurrott
  
  7
  comments
- is windows trying to kill themselves
  Posted by thea2_
  
  8
  comments
- [CLOSED] Ask Paul for this Friday, May 8
  Posted by Paul Thurrott
  
  4
  comments
Podcasts
Podcast Hub
- First Ring Daily 1962: Set Your Phasers
  
  Aired on May 11, 2026 by Brad Sams with 0 Comments
- First Ring Daily 1961: Avocado Prices
  
  Aired on May 08, 2026 by Brad Sams with 2 Comments
- Windows Weekly 982: Don’t Lick the Mantra Rays
  
  Aired on May 07, 2026 by Paul Thurrott with 0 Comments
- First Ring Daily 1960: Drilling the Wall
  
  Aired on May 07, 2026 by Brad Sams with 0 Comments
Join the crowd where the love of tech is real - become a Thurrott Premium Member today!

Explore Premium Benefits

Tagged with

Share post