Microsoft has confirmed that the original Secure Boot certificates, issued in 2011, will begin expiring in June 2026. This means Windows PCs will need a critical update to install fresh trust chains, requiring a single additional restart to maintain UEFI security integrity. The update will be delivered via Windows Update for both Windows 10 and Windows 11 systems, marking the first major renewal of its kind since Secure Boot's introduction.
The update introduces new Secure Boot signature certificates and begins phasing out the old ones, which were originally set with a 15-year lifespan. Without this update, systems could eventually fail to boot future Windows releases or updates that are signed exclusively with the new certificates. The process is designed to be seamless, with no user intervention required beyond allowing the update to install.
Understanding Secure Boot and Its Certificate Infrastructure
Secure Boot is a fundamental security mechanism built into UEFI firmware that verifies the digital signature of bootloaders and drivers before they execute. It prevents unauthorized or malicious code from launching during startup, effectively blocking rootkits and bootkits. First mandated on all Windows 8-certified PCs in 2012, Secure Boot relies on a hierarchy of keys and certificates stored in the firmware.
The root of trust is the Microsoft Windows Production PCA (Public Certification Authority) certificate, which in turn signs the Secure Boot KEK (Key Exchange Key) and db (signature database) entries. These certificates have a finite validity period. When they expire, firmware must be updated to recognize new certificates in order to maintain trust in properly signed components.
The Certificate Expiration: What’s Happening in June 2026
The certificates in question are the original Microsoft Windows Production PCA 2011 certificates, which were provisioned in most OEM firmware when Secure Boot was first introduced. Their validity period ends on June 13, 2026. After that date, UEFI firmware that has not been updated may reject bootloaders and drivers signed with the new certificate chain, potentially rendering a system unbootable or preventing installation of future Windows versions.
This is not a sudden crisis—Microsoft has been aware of the timeline for over a decade and has designed the transition to be gradual. Beginning well ahead of the expiration date, Windows Update will deliver updates that install the renewed certificates into the UEFI firmware’s Secure Boot signature database. These updates will simultaneously add the new certificates and, over time, may remove the expiring ones once all essential software has been re-signed.
Microsoft’s Response: A Phased Update Approach
Microsoft’s strategy involves two main components: a Windows Update package that modifies the Secure Boot variables in firmware, and a coordinated re-signing of critical boot files with the new certificate. The update will initially be offered as an optional install, likely moving to a recommended or automatic one later. Enterprise IT administrators will have the ability to control rollout through standard management tools.
Key aspects of the update include:
- Adding the new Microsoft Windows Production PCA 2021 certificate to the db.
- Adding the corresponding KEK to the firmware.
- Retaining the expiring certificates for a transition period to maintain compatibility with older software that has not been re-signed.
- Eventually revoking the old certificates after a sufficient trust period.
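An added example, not code from this article or from Microsoft's update tooling: a Python parser for the EFI_SIGNATURE_LIST format in which the db and KEK variables store their certificates, so an administrator can confirm which CA certificates a machine actually trusts before and after the update. On Windows the raw bytes come from `(Get-SecureBootUEFI -Name db).Bytes`; on a Linux dual-boot they are the `db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` file under /sys/firmware/efi/efivars/ minus its 4-byte attribute prefix. The certificate bytes, fingerprints and sample db below are constructed placeholders; the real fingerprints must be taken from Microsoft's published certificate details.

```python
import hashlib
import struct
import uuid
# GUID tagging an EFI_SIGNATURE_LIST whose entries are DER-encoded X.509 certificates
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureOwner GUID Microsoft uses on its own db and KEK entries
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for every entry of every EFI_SIGNATURE_LIST.
    Layout: 16-byte SignatureType GUID, UINT32 SignatureListSize, UINT32 SignatureHeaderSize,
    UINT32 SignatureSize, header bytes, then entries of SignatureSize bytes (owner GUID + data)."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        type_guid = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize out of range at offset %d" % off)
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("SignatureSize does not divide the list body at offset %d" % off)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=bytes(body[i:i + 16]))
            yield type_guid, owner, bytes(body[i + 16:i + sig_size])
        off += list_size

def cert_fingerprints(blob):
    """SHA-256 of each X.509 entry; a fingerprint identifies a CA regardless of its name."""
    return [hashlib.sha256(d).hexdigest() for t, _, d in parse_signature_lists(blob)
            if t == EFI_CERT_X509_GUID]

def transition_state(blob, old_fp, new_fp):
    """'old-only' (not updated), 'both' (transition), 'new-only' (old cert revoked), 'neither'."""
    fps = set(cert_fingerprints(blob))
    return {(True, True): "both", (True, False): "old-only",
            (False, True): "new-only"}.get((old_fp in fps, new_fp in fps), "neither")

def build_signature_list(type_guid, owner, data):
    """Encode one single-entry EFI_SIGNATURE_LIST; used here only to construct sample input."""
    sig_size = 16 + len(data)
    return type_guid.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size) + owner.bytes_le + data

# Constructed placeholders for the expiring and renewed CA certs, and a db mid-transition (both trusted)
OLD_CERT = b"\x30\x82" + b"EXPIRING-2011-CA-PLACEHOLDER" * 2
NEW_CERT = b"\x30\x82" + b"RENEWED-CA-PLACEHOLDER" * 3
OLD_FP, NEW_FP = hashlib.sha256(OLD_CERT).hexdigest(), hashlib.sha256(NEW_CERT).hexdigest()
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, MICROSOFT_OWNER_GUID, OLD_CERT)
             + build_signature_list(EFI_CERT_X509_GUID, MICROSOFT_OWNER_GUID, NEW_CERT))
```

To check a live machine, replace SAMPLE_DB with the exported variable bytes and pass the published fingerprints of the expiring and renewed certificates.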
The One Extra Restart Explained
The “one extra restart” mentioned in the title is necessary because updating the firmware’s Secure Boot database is not a simple file write. The UEFI firmware itself must apply the change, and that can only be finalized across a restart. During the update, Windows schedules a firmware update routine that runs on reboot and writes the new certificate entries into the firmware’s non-volatile variable store, where the db and KEK live. The system then boots normally, now with the updated trust stores.
Users will see this as an extra reboot cycle during the update installation—similar to a BIOS update. The process is automated and requires no configuration. Once completed, the PC will be ready for the post-2026 Secure Boot ecosystem.
Impact on Windows 10 and Windows 11
Both Windows 10 and Windows 11 are affected, as both operating systems rely on the same underlying UEFI Secure Boot infrastructure. Microsoft has committed to supporting Windows 10 until October 14, 2025, but many systems will still be running Windows 10 when the certificates expire in June 2026. To ensure these systems continue to operate, Microsoft must backport the necessary update to Windows 10 as well.
For Windows 11, the update is straightforward and will be delivered through the normal servicing pipeline. For Windows 10, Microsoft will likely release a standalone update closer to the expiration date, or include it in a monthly cumulative update. The exact KB numbers and release cadence have not been disclosed, but the company’s documentation assures that all supported versions will receive the fix.
What Users Need to Do
For most home users and businesses, the answer is: nothing beyond ensuring that Windows Update is enabled and applied regularly. The update will download and install automatically once Microsoft makes it available. Users should not refuse or delay the restart that accompanies this specific update, as it is critical for future boot security.
Advanced users who have manually altered their Secure Boot configuration—such as those running custom kernels, self-signed drivers, or Linux dual-boot setups—should be aware that the update might reset or override some custom keys. It is advisable to back up existing Secure Boot variables before the update, although Microsoft’s tooling typically preserves user-added MokList entries for dual-boot systems.
Enterprise administrators should monitor deployment guides from Microsoft and hardware vendors. Firmware updates from OEMs may also be released in parallel to support the certificate transition, especially for older hardware where the Windows Update mechanism cannot update all necessary firmware variables.
Potential Issues for Systems That Are Not Updated
Systems that do not receive the certificate update before June 2026 will eventually face a trust gap. At first they will continue to boot, because Windows bootloaders and drivers are dual-signed with both the old and the new certificates during the transition period. As boot components move to signatures made only with the new certificate, those systems may fail to boot newer Windows builds or to receive certain monthly updates. In the worst case, a future version could refuse to install at all because its Secure Boot check fails.
Isolated or air-gapped systems that never connect to Windows Update are particularly at risk. Recovering such a system may require manually flashing updated firmware from the OEM or injecting new certificates using UEFI tools.
A Look Back: Secure Boot’s Decade of Service
Secure Boot’s decade of service has been largely uneventful from a certificate management perspective—which is a testament to its design. The original 2011 certificates were issued with a deliberately long lifespan to minimize disruption. Now, with the foundation set to renew, the process serves as a reminder that all digital trust infrastructure requires maintenance.
The transition also highlights Microsoft’s commitment to maintaining backward compatibility while moving forward with stronger security. By overlaying new certificates alongside the old, the company ensures that no valid software is suddenly blocked. This is the same philosophy that has guided Windows’ approach to driver signing and kernel security.
Conclusion: A Slight Inconvenience for Ongoing Security
The Secure Boot certificate renewal is a necessary housekeeping task that will keep billions of Windows PCs secure well into the next decade. One additional reboot is a small price to pay for the assurance that the boot chain remains tamper-proof. As June 2026 approaches, users can expect more communication from Microsoft and OEM partners. For now, the most important action is to keep Windows Update enabled and treat the coming update as a routine but important security patch.
Beyond this expiration, Microsoft is already planning for the lifecycle of the newer certificates. The new PCA 2021 certificate has an even longer validity, pushing the next major renewal well past 2035. With firmware attestation and evolving hardware security standards, Secure Boot will continue to be a cornerstone of PC security.