Secure Boot certificates issued in 2011 begin expiring in June 2026. We outline why that matters, how to check whether your devices are up to date, and the steps needed to close any gaps.
Secure Boot ensures that your device uses trusted software and maintains protection against boot-level threats. The current Secure Boot certificates, originally issued in 2011, are due to expire in June 2026.
With the deadline approaching, now is the time to confirm your devices are receiving the updated certificates and to understand what’s at risk if they don’t.
Why the certificate update matters
To understand the implications and importance, Sateesh Patel, Technical Consultant at Kocho, explains:
“Without the updated certificates, devices will no longer receive new security protections for the early boot process.
“This includes updates to Windows Boot Manager, Secure Boot databases and revocation lists, and mitigations for newly discovered boot-level vulnerabilities. Over time, this leaves devices increasingly exposed to threats such as bootkits and rootkits.”
There are compatibility implications too. Devices running expired certificates may face issues with newer operating systems, firmware updates and third-party boot components that rely on an up-to-date chain of trust.
How to check your certificate status
Before the June 2026 deadline, it’s worth confirming where your devices stand.
There are several ways to assess certificate status:
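One practical way to carry out that check on a Windows device is shown below. This is an added example, not code from the Kocho article: it uses the built-in SecureBoot PowerShell cmdlets (Confirm-SecureBootUEFI, Get-SecureBootUEFI) to read the firmware's signature database (db) and Key Exchange Key (KEK) variables and look for the 2023 certificate names, and then reads the servicing status that Windows Update records. The registry key and the UEFICA2023Status value name are assumed here from Microsoft's servicing documentation; treat that value as advisory and rely on the UEFI variables as the ground truth. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original article): report whether a Windows device
# already carries the 2023 Secure Boot certificates in firmware.
# Assumptions: the SecureBoot module cmdlets are available (Windows 8+ on UEFI), and
# the servicing status value UEFICA2023Status lives under
# HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing as Microsoft documents it.

function Test-SecureBoot2023Certs {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        SecureBootEnabled        = $false
        DbHasWindowsUefiCa2023   = $false   # signs Windows Boot Manager
        DbHasMicrosoftUefiCa2023 = $false   # signs third-party boot components
        KekHas2023               = $false   # needed before db/dbx updates can be applied
        ServicingStatus          = 'Unknown'
    }

    # 1. Is Secure Boot actually on? Confirm-SecureBootUEFI throws on legacy BIOS systems.
    try {
        $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI)
    } catch {
        Write-Warning "Secure Boot state could not be read (legacy BIOS or non-UEFI?): $_"
        return [pscustomobject]$result
    }

    # 2. Read db and KEK and search the raw variable bytes for the 2023 CA subject names.
    #    Certificate subject names are ASCII, so a plain string match is enough here.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    $result.DbHasWindowsUefiCa2023   = [bool]($db  -match 'Windows UEFI CA 2023')
    $result.DbHasMicrosoftUefiCa2023 = [bool]($db  -match 'Microsoft UEFI CA 2023')
    $result.KekHas2023               = [bool]($kek -match 'KEK 2K CA 2023')

    # 3. Servicing status written by Windows Update. The value is absent on devices that
    #    have not yet received the servicing task, so do not error if it is missing.
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = Get-ItemProperty -Path $key -Name UEFICA2023Status -ErrorAction SilentlyContinue
    if ($status) { $result.ServicingStatus = $status.UEFICA2023Status }

    [pscustomobject]$result
}

$r = Test-SecureBoot2023Certs
$r | Format-List

if (-not $r.SecureBootEnabled) {
    Write-Host 'Secure Boot is off: re-enable it, otherwise the certificate update protects nothing.'
} elseif ($r.DbHasWindowsUefiCa2023 -and $r.KekHas2023) {
    Write-Host 'OK: the 2023 Windows UEFI CA and KEK are present in firmware.'
} else {
    Write-Host 'GAP: 2023 certificates are not yet in firmware. Confirm Windows Update has run and check for an OEM UEFI update.'
}
```

Running this across a fleet (for example via Intune remediation scripts or a configuration-management tool) turns the June 2026 deadline into a measurable count of devices still missing the KEK or db entries, which is what an OEM firmware follow-up needs to be targeted at.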
How to stay protected
For most devices, Microsoft will deploy the updated certificates automatically through Windows monthly updates, but not all devices qualify for automatic rollout. The certificate update involves firmware-level changes, and some hardware requires a manufacturer patch before it can take effect.
The steps are straightforward:
- Keep Windows Update enabled so your device can receive the updated certificates.
- Apply any required OEM firmware (UEFI/BIOS) updates; some devices need this before the certificate update can take effect.
- Don’t disable Secure Boot, as doing so removes the protections this update is designed to preserve.
- If devices haven’t received the new certificates after Windows Update has run, check with your OEM, particularly for older hardware.
For Azure Virtual Desktop environments, additional guidance applies. Devices using Azure Compute Gallery images with Secure Boot enabled should have the 2023 certificate update applied to the golden image before it is captured, and Trusted Launch must be enabled for the update to take effect at the image level.