Microsoft has renewed its warning that Secure Boot certificates used across Windows systems must be updated before 2026, following temporary confusion caused by missing information in one of the company’s support documents.
The certificates, originally introduced more than 15 years ago, are scheduled to expire in 2026. To ensure systems remain protected, Microsoft began distributing updated certificates in 2023 via Windows Update, urging users and administrators to install the updates before the deadline.
Certificates Already Included in Recent Updates
Several recent Windows patches already contain the new Secure Boot certificates. Among them are updates for Windows 11, including KB5077181 and KB5075941, as well as KB5075912 for Windows 10 systems.
These updates deliver refreshed Secure Boot keys to replace the original certificates before they expire, preventing security gaps in the system’s startup process.
Documentation Confusion Prompted Clarification
Microsoft recently published a support article explaining how the transition works and what users should expect before the certificates expire. However, a section outlining the consequences of not installing the new certificates was briefly removed from the article’s FAQ.
According to Neowin’s reporting, the missing explanation led to uncertainty among system administrators and users trying to assess the potential impact.
Microsoft later restored the information and reorganized the article so that the clarification appears in the first FAQ entry, making it easier to locate.
The company emphasized that computers without the updated certificates will continue to boot normally and will still receive standard Windows updates.
However, systems running outdated certificates may gradually lose certain protections related to the early boot process. These protections include safeguards tied to:
- Windows Boot Manager
- Secure Boot trust databases
- Revocation lists used to block compromised boot components
- Security mitigations designed to prevent newly discovered boot-level vulnerabilities
Without these protections, devices could become more susceptible to advanced threats such as bootkits, a type of malware that targets the system before the operating system fully loads.
Microsoft also warned that some features relying on Secure Boot verification could be affected, including specific BitLocker security mechanisms and compatibility checks for third-party bootloaders.
Updates Will Install Automatically for Most Users
For most devices, the updated certificates will be delivered automatically through Windows Update before the June 2026 deadline.
In certain situations, hardware manufacturers may also release firmware updates to ensure compatibility with the new Secure Boot infrastructure.
Microsoft recommends that users keep their systems fully updated to avoid missing the transition.
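To see where a given machine stands in this transition, the PowerShell check below reads the firmware's KEK and db variables and reports whether each 2011 certificate has its 2023 replacement. It is an added example, not code from Microsoft's support article or from the reporting cited here. The certificate common names do not appear in this article; they are the names Microsoft publishes for these certificates and are treated as assumptions. Run it from an elevated session on a UEFI system.

```powershell
# Added example. Requires an elevated PowerShell session on a UEFI machine.
# The common names below are assumptions (not taken from the article): they are
# the names Microsoft publishes for the 2011 certificates and their 2023 successors.
$pairs = @(
    @{ Var = 'KEK'; Old = 'Microsoft Corporation KEK CA 2011';     New = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Var = 'db';  Old = 'Microsoft Windows Production PCA 2011'; New = 'Windows UEFI CA 2023' },
    @{ Var = 'db';  Old = 'Microsoft Corporation UEFI CA 2011';    New = 'Microsoft UEFI CA 2023' }
)

try {
    # Throws on legacy BIOS systems or when the session is not elevated.
    $enabled = Confirm-SecureBootUEFI
} catch {
    Write-Warning "Cannot query Secure Boot state: $($_.Exception.Message)"
    return
}
Write-Output "Secure Boot enabled: $enabled"

$cache = @{}
$report = foreach ($p in $pairs) {
    if (-not $cache.ContainsKey($p.Var)) {
        # The variable is a list of DER-encoded certificates; subject names are
        # stored as plain ASCII strings, so a text search over the raw bytes finds them.
        $bytes = (Get-SecureBootUEFI -Name $p.Var -ErrorAction Stop).Bytes
        $cache[$p.Var] = [System.Text.Encoding]::ASCII.GetString($bytes)
    }
    $text = $cache[$p.Var]
    [pscustomobject]@{
        Variable    = $p.Var
        Cert2011    = $p.Old
        Has2011     = $text.Contains($p.Old)
        Replacement = $p.New
        Has2023     = $text.Contains($p.New)
    }
}
$report | Format-Table -AutoSize

# A 2011 certificate that is trusted without its 2023 successor is the case to act on.
$pending = $report | Where-Object { $_.Has2011 -and -not $_.Has2023 }
if ($pending) {
    Write-Warning ("Replacement not yet installed for: " + (($pending.Cert2011) -join '; '))
    Write-Warning 'Install current cumulative updates and check the OEM for firmware updates.'
} else {
    Write-Output 'Every 2011 certificate found has its 2023 replacement in firmware.'
}
```

A row with both `Has2011` and `Has2023` false means that certificate was never trusted on the device, so no replacement is expected for it.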
The Secure Boot certificate refresh is part of Microsoft’s ongoing effort to strengthen security across the Windows ecosystem.
The company has also recently updated Microsoft Defender definitions included in Windows installation images, ensuring that newly installed systems begin with current malware protection.
Together, these measures aim to reinforce protection at the earliest stage of the boot process, helping defend Windows systems against increasingly sophisticated threats that attempt to compromise devices before the operating system loads.

