
The digital signature certificates used for Secure Boot in Windows 11 are deemed critical system components. Should these certificates expire, they may disrupt the normal secure boot process. Notably, the certificate issued by Microsoft in 2011 for Windows 8—still in use today—is set to expire in June and October of 2026.
Secure Boot is a pivotal security mechanism designed to ensure that a PC launches only verified firmware and trusted bootloaders. In the pre-Secure Boot era, rootkits often infiltrated bootloaders. While such threats still exist, signature verification has made this kind of rootkit infection significantly more difficult.
The expiring Secure Boot certificates affect a broad range of systems, including Windows 10, the Windows 10 LTSB/LTSC series, Windows 11, the Windows 11 LTSC series, and Windows Server versions from 2012 to 2025. In essence, every currently supported system will be impacted by the expiration.
However, for the vast majority of home users and enterprises, this issue poses little concern. Microsoft intends to embed updated signature certificates in cumulative updates over the coming months. As long as systems receive these updates, the certificates will be seamlessly refreshed to the latest version.
The systems primarily at risk are those that are isolated from the internet and do not receive regular updates. Certain institutional or enterprise environments mandate that devices remain disconnected from public networks, operating solely within internal infrastructures. In such cases, Secure Boot certificates may not be updated in time, potentially causing boot failures once they expire—unless Secure Boot is disabled in the BIOS.
To mitigate this risk, IT administrators are advised to consider deploying updates and the new certificates manually. Disabling Secure Boot due to outdated certificates is counterproductive, as the mechanism serves a vital role in protecting systems from malware during the boot process.
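
For isolated machines like those described above, an administrator can inventory which certificates stored in the firmware's Secure Boot variables are close to expiry. The following Python is an added example, not code from Microsoft or from the original article: it walks the raw EFI_SIGNATURE_LIST contents of a KEK or db variable and returns the notAfter date of every X.509 certificate that expires on or before a cutoff. All function names and the skeletal sample certificate are constructed for illustration.

```python
import struct, uuid
from datetime import datetime, timezone

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le

def tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(cert):
    """Read notAfter from a DER X.509 certificate (no signature verification)."""
    pos = tlv(cert, tlv(cert, 0)[1])[1]    # into Certificate, then tbsCertificate
    tag, _, end = tlv(cert, pos)
    pos = end if tag == 0xA0 else pos      # skip the optional [0] version
    for _ in range(3):                     # serialNumber, signature, issuer
        pos = tlv(cert, pos)[2]
    pos = tlv(cert, tlv(cert, pos)[1])[2]  # into validity, past notBefore
    tag, start, end = tlv(cert, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(cert[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def x509_entries(blob):
    """Yield each DER certificate in raw KEK/db contents (EFI_SIGNATURE_LIST array)."""
    pos = 0
    while pos + 28 <= len(blob):
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        if list_size < 28 or sig_size <= 16:
            break                          # malformed list: stop instead of looping forever
        if blob[pos:pos + 16] == EFI_CERT_X509_GUID:
            first, last = pos + 28 + hdr_size, pos + list_size - sig_size
            for off in range(first, last + 1, sig_size):
                yield blob[off + 16:off + sig_size]  # drop the 16-byte SignatureOwner GUID
        pos += list_size

def expiring(blob, cutoff):  # sorted notAfter of certificates expiring on or before cutoff
    return sorted(d for d in map(not_after, x509_entries(blob)) if d <= cutoff)

def _der(tag, body):                       # sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body

def sample_list(not_after_utc):
    """Constructed input: one X.509 signature list holding a skeletal, unsigned certificate."""
    validity = _der(0x30, _der(0x17, b"110101000000Z") + _der(0x17, not_after_utc))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") * 2 + validity)
    entry = bytes(16) + _der(0x30, tbs)    # zeroed owner GUID + certificate
    return EFI_CERT_X509_GUID + struct.pack("<III", 28 + len(entry), 0, len(entry)) + entry
```

Feed `expiring()` the raw variable contents, for example the `Bytes` property returned by `Get-SecureBootUEFI` on Windows, or the efivarfs file on Linux with its leading 4-byte attribute field removed. Run it before and after a manual update to confirm that certificates with a later expiry are now present.
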
Users running dual-boot or multi-boot configurations that include macOS or Linux on a PC are also subject to this issue. Microsoft plans to assist Linux users by updating the relevant certificates via Windows Update. However, it will not provide the same support for macOS—this responsibility falls to Apple.