
Microsoft has published KB5079373, which alerts users to an upcoming expiration of Windows Secure Boot certificates issued in 2011, slated for June 2026. This expiration won't cause immediate problems with existing software, but it means you'll stop getting future boot-level security updates unless you install new 2023 certificates. Most modern PCs will receive these updates automatically through Windows Update, but some devices may need manual firmware updates from the manufacturer's support site. If you use BitLocker or have enterprise policies that require up-to-date boot-time attestation, it's recommended to plan a firmware refresh before June 2026.



Secure Boot certificate expiration fix for Windows 10/11

If the Microsoft Secure Boot certificates that shipped with your PC back in 2011 hit their June 2026 expiry date, you might wonder whether anything actually breaks. The short answer: most things keep running, but you lose future boot‑level security updates unless the new 2023 certificates get installed. This guide shows how to verify the update and what to do if your firmware refuses to cooperate.

What expires and why it matters

When a Secure Boot certificate reaches its “not after” date, Windows stops trusting it for any new signatures. Existing boot components keep working, but Microsoft can no longer push fresh revocation lists or updated Boot Manager code that rely on the expired root. In practice this means BitLocker hardening patches, early‑boot vulnerability mitigations, and third‑party bootloaders that depend on Microsoft’s trust chain stop receiving updates.

Firmware/BIOS update path

Most modern PCs receive the new certificates automatically via a BIOS or UEFI firmware flash that Microsoft pushes through Windows Update. If you’re on a brand‑new laptop, chances are the vendor already shipped a 2.x version of the firmware that contains the updated Secure Boot keys.

If your device never showed a “Firmware update available” notification, check the OEM’s support site. Look for a release dated after May 2026 with notes mentioning “Secure Boot certificate refresh” or similar wording. Download and flash it following the manufacturer’s instructions – usually a simple reboot into the firmware update utility.

When should you actually worry?

If you never use BitLocker, Secure Boot‑only bootloaders (like a custom Linux shim), or any enterprise policy that mandates up‑to‑date boot‑time attestation, the expired certificates are mostly noise. Normal app usage, Windows Update, and networking remain unaffected.

However, if your organization enforces “Secure Boot + TPM” for credential protection, or you run a dual‑boot setup that relies on Microsoft’s key database to validate third‑party option ROMs, the loss of future revocation updates can open a tiny but real attack surface. In those environments plan a firmware refresh well before June 2026.

When Secure Boot certificates expire on Windows devices

Secure Boot helps ensure that your device starts using trusted software. The Microsoft Secure Boot certificates originally issued in 2011 begin expiring in June 2026. To maintain protection against new boot‑level threats, Microsoft is updating devices with a new set of 2023 certificates. Most devices will receive these updates automatically, but some systems may require additional firmware updates.


When Secure Boot certificates expire on Windows devices - Microsoft Support