Windows Secure Boot Certificates Expire in June 2026: What Home Users and Small Businesses Need to Do Now
Three digital certificates that Microsoft issued in 2011 (the Microsoft Corporation KEK CA 2011, the Microsoft Windows Production PCA 2011, and the Microsoft Corporation UEFI CA 2011), the ones that underpin the Secure Boot system in virtually every Windows PC sold in the last decade, expire in June and October of 2026. If your PC doesn't get the replacement certificates before then, it loses the ability to accept future boot-level security updates. That's a big deal, but it's fixable if you act before the deadline. If you're already on Bristeeri's monthly service plan, this is the kind of thing our remote monitoring and patching handles for you automatically. For everyone else, keep reading.
What Is Secure Boot (Quick Version)
Every time your PC starts up, a system called Secure Boot checks that the software loading before Windows hasn't been tampered with. It works like a digital ID badge: the boot software carries a digital signature, and the firmware checks that signature against a short list of trusted signing certificates stored in the firmware itself. If the signature matches a trusted certificate, the firmware says, "I recognize that badge. You're allowed in." Those trusted certificates were issued by Microsoft in 2011 with a 15-year lifespan. Time's up.
Microsoft has new replacement certificates (the “2023 family”) ready to go and has started distributing them through Windows Update. But not every computer will get them automatically, and some won’t get them at all.
What Happens If Your PC Misses the Update
Your computer will not stop working. After the certificates expire, it will still boot normally and run Windows. Standard Windows updates will continue to install.
But here's the catch: Microsoft calls it a "degraded security state." In plain language, that means your PC can no longer accept new patches for the boot process itself: no new boot manager signed with the replacement certificate, and no updates to the list of revoked, known-bad boot components (the Secure Boot "DBX"). If a vulnerability is discovered in the boot chain after June 2026, there's no way to patch it on your machine.
This isn't hypothetical. A piece of malware called BlackLotus has been active since late 2022. It can bypass Secure Boot on fully patched systems, disable Windows Defender, disable BitLocker, and hide from the operating system entirely. The trick behind it is worth understanding: it exploits a flaw in an older Windows boot manager (CVE-2022-21894) that Microsoft had already fixed, but the old, vulnerable boot manager was still signed and still trusted by Secure Boot, so the malware simply brings its own copy. Closing that hole means revoking the old boot components, which is exactly the kind of boot-level update a PC on expired certificates can no longer receive. The NSA took BlackLotus seriously enough to publish a dedicated mitigation guide. Devices that miss the certificate update will have no path to block future threats like this one.
For Home Users: What This Means for Your PC
If you’re running Windows 11 and your updates are turned on, you’re likely covered. Microsoft began rolling the new certificates out through Windows Update in early 2026, using a phased approach. Most Windows 11 PCs will be handled without any manual steps.
If you're running Windows 10, the picture is different. Microsoft ended support for Windows 10 in October 2025. The only way to keep getting updates, including these Secure Boot certificates, is to enroll in Microsoft's Extended Security Updates (ESU) program (for consumer PCs, Microsoft offers free enrollment options alongside the paid one; businesses pay per device). If you're not enrolled, your PC will not get the new certificates through Windows Update. Full stop.
A lot of people are still running Windows 10. If that includes you, this deadline is one more reason to plan your next move, whether that means upgrading to Windows 11 (if your hardware supports it) or budgeting for a new machine.
There's one more layer to this. Even if Windows Update delivers the new certificates to your PC, some computers also need a separate firmware (BIOS) update from the manufacturer. The reason is that one of the replacement certificates (the new KEK) can only be installed if it is signed with your PC maker's own platform key, so Microsoft depends on each manufacturer to supply that signed update, either through Windows Update or in a firmware release. Dell, HP, Lenovo, and ASUS have all published firmware updates for recent hardware, but each company has a cutoff. Dell is updating systems with an end-of-service date after December 31, 2025. ASUS has confirmed that older motherboards, including the Z390 series and earlier (Intel 8th-gen), will not be updated. If your PC is more than five or six years old, check your manufacturer's support page to see whether a BIOS update exists.
Action steps for home users:
- Check which version of Windows you’re running. Open Settings, then System, then About. If it says Windows 10 and you haven’t purchased ESU, you will not get this update.
- Run Windows Update right now and install everything available. Don’t pause updates between now and June.
- Visit your PC manufacturer’s support website and look for a BIOS or firmware update related to Secure Boot 2023 certificates.
- If you’re on Windows 10, start planning. Upgrade to Windows 11 if your hardware supports it. If it doesn’t, start budgeting for a replacement.
- Before applying any firmware update, back up your BitLocker recovery key. Some BIOS updates trigger a BitLocker recovery prompt, and you'll need that key to get back in. If your PC was encrypted while signed in with a Microsoft account, the key is usually also stored in that account, but confirm that before you update rather than after.
If any of that feels like a lot, give us a call. We offer a free PC health check and can tell you exactly where your machine stands.
For Small Businesses: Why This Needs Attention Now
For a business running 5, 10, or 50 PCs, the challenge isn’t patching one machine. It’s knowing the status of every device on the network, figuring out which ones can be updated, and identifying the ones that can’t.
Microsoft’s rollout for consumer PCs is largely automatic. But for business environments, the situation is different. Windows Server requires manual action from an IT administrator to deploy the new certificates. PCs managed through group policy or endpoint management may need explicit opt-in. And any machine running Windows 10 without ESU is completely locked out of the update pipeline.
The practical risk: come June 2026, you could have a mix of updated and unupdated machines on the same network, and unless you actually check each one, no way to tell which is which. The unupdated ones become the weak point, unable to accept future boot-level patches.
There are compliance implications too. If your business is subject to HIPAA, PCI-DSS, or industry-specific security requirements, running expired Secure Boot certificates after a widely publicized deadline could raise flags during an audit, or worse, during a breach investigation. The HHS Office for Civil Rights flagged firmware patching as a requirement under the HIPAA Security Rule in its January 2026 Cybersecurity Newsletter.
Action steps for small businesses:
- Inventory every PC and server on your network. Note the operating system version, BIOS/firmware version, and whether Secure Boot is enabled.
- Identify which machines are running Windows 10 without ESU. These need either an upgrade or a replacement timeline, and they need one before June.
- Check with each hardware manufacturer for firmware updates. Machines past their support lifecycle may not have one available, and that’s a capital planning conversation.
- For Windows Server, begin the manual certificate deployment process now. Microsoft published a detailed playbook with step-by-step instructions.
- Pilot on a small group of machines first. Some firmware updates trigger BitLocker recovery prompts, and you don’t want to discover that across your entire office at 8 AM on a Monday.
- Back up all BitLocker recovery keys across the organization before rolling out firmware updates.
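The checks in both action lists above (which Windows version, whether Secure Boot is on, whether the 2023 certificates have landed, and a copy of the BitLocker recovery keys before any firmware update) can be done in one go from PowerShell. The script below is an added example written for this post; it is not Microsoft's tooling or any manufacturer's. It reads the firmware's Secure Boot certificate stores directly and looks for the 2023 certificate names with a plain substring match, which is the kind of check Microsoft's own guidance uses. Two things in it are assumptions rather than documented facts: the registry value `UEFICA2023Status` under `HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing` is read only if it exists and reported as informational, and the file name `pcs.txt` for the fleet run is made up for the example.

```powershell
# Added example for this post (not Microsoft's or any OEM's tooling).
# Reports where a PC stands on the 2023 Secure Boot certificates and lists
# its BitLocker recovery passwords. Run from an elevated PowerShell on
# Windows 10 or 11.
#
# Assumptions, labelled here: certificate names are matched as ASCII
# substrings of the raw UEFI DB/KEK variables; the registry value
# UEFICA2023Status is read only if present and treated as informational.
#Requires -RunAsAdministrator

function Get-SecureBoot2023Status {
    [CmdletBinding()]
    param()

    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $sys  = Get-CimInstance -ClassName Win32_ComputerSystem

    # Build 22000 is the first Windows 11 release; anything lower is Windows 10.
    $isWin10 = [int]$os.BuildNumber -lt 22000

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "no UEFI".
    try { $secureBootOn = Confirm-SecureBootUEFI } catch { $secureBootOn = $null }

    $dbWin2023 = $dbThirdParty2023 = $kek2023 = $dbPca2011 = $false
    if ($null -ne $secureBootOn) {
        # DB and KEK are EFI_SIGNATURE_LIST blobs holding DER certificates.
        # Subject names are stored one byte per character, so an ASCII
        # substring match shows which CAs the firmware trusts, even when
        # Secure Boot is currently switched off.
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).bytes)
        $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).bytes)
        $dbWin2023        = $db  -match 'Windows UEFI CA 2023'
        $dbThirdParty2023 = $db  -match 'Microsoft UEFI CA 2023'
        $dbPca2011        = $db  -match 'Microsoft Windows Production PCA 2011'
        $kek2023          = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    }

    # Servicing state written by Windows Update (assumption: value name as
    # used in Microsoft's certificate-update guidance; absent on machines
    # where the rollout has not started).
    $servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $caStatus  = (Get-ItemProperty -Path $servicing -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status

    $verdict = if ($null -eq $secureBootOn) { 'Legacy BIOS: no UEFI Secure Boot to update (and no boot-chain protection)'
    } elseif (-not $secureBootOn)          { 'Secure Boot is OFF: enable it in firmware setup, then re-check'
    } elseif ($dbWin2023 -and $kek2023)    { 'Updated: 2023 KEK and Windows CA are present'
    } elseif ($dbWin2023 -or $kek2023)     { 'Partially updated: allow further Windows Update cycles or apply the OEM firmware update'
    } elseif ($isWin10)                    { 'NOT updated: Windows 10 receives the 2023 certificates only under ESU'
    } else                                 { 'NOT updated: run Windows Update and check the OEM firmware page' }

    [PSCustomObject]@{
        ComputerName          = $env:COMPUTERNAME
        OS                    = $os.Caption
        Build                 = $os.BuildNumber
        Manufacturer          = $sys.Manufacturer
        Model                 = $sys.Model
        BiosVersion           = $bios.SMBIOSBIOSVersion
        BiosDate              = $bios.ReleaseDate
        SecureBootOn          = $secureBootOn
        KekHas2023            = $kek2023
        DbHasWindowsCA2023    = $dbWin2023
        DbHasThirdPartyCA2023 = $dbThirdParty2023
        DbStillHasPCA2011     = $dbPca2011
        ServicingStatus       = $caStatus
        Verdict               = $verdict
    }
}

function Get-BitLockerRecoveryPasswords {
    # One row per protected volume. Store the output OFF the machine before
    # applying firmware updates. Needs an edition that ships the BitLocker module.
    Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' } | ForEach-Object {
        $vol = $_
        $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | ForEach-Object {
            [PSCustomObject]@{
                ComputerName     = $env:COMPUTERNAME
                Volume           = $vol.MountPoint
                KeyProtectorId   = $_.KeyProtectorId
                RecoveryPassword = $_.RecoveryPassword
            }
        }
    }
}

# Single PC (home user): show the status on screen.
Get-SecureBoot2023Status | Format-List

# Small business: run the same functions on every PC listed in pcs.txt
# (hypothetical file, one hostname per line; PowerShell remoting must be
# enabled) and collect the results into two CSV files.
if (Test-Path .\pcs.txt) {
    $pcs = Get-Content .\pcs.txt
    Invoke-Command -ComputerName $pcs -ScriptBlock ${function:Get-SecureBoot2023Status} |
        Export-Csv -Path .\secureboot-inventory.csv -NoTypeInformation
    Invoke-Command -ComputerName $pcs -ScriptBlock ${function:Get-BitLockerRecoveryPasswords} |
        Export-Csv -Path .\bitlocker-keys.csv -NoTypeInformation
}
```

Read the inventory by the `Verdict` column first, then use `DbStillHasPCA2011` to spot machines that are only half-way through the transition (the 2011 certificate stays trusted until the old boot manager is revoked, which is a later step, not something to do by hand). Treat `bitlocker-keys.csv` as a secret: it unlocks every listed drive, so it belongs in the same place you keep admin passwords, not in a shared folder.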
If you don’t have dedicated IT staff to handle this, that’s exactly what managed IT services are designed to do. Patching dozens of machines against a hard deadline, with testing and rollback plans in place, is the kind of work that shouldn’t fall to someone who’s also trying to run the business.
The Bottom Line
This isn’t a crisis today, but it has a firm expiration date. The first certificates expire around June 24 to 27, 2026. Between now and then, there’s time to check your status, apply updates, and make decisions about aging hardware. Waiting until May makes all of that harder.
If you’re not sure where your PC stands, or if you’re a business owner wondering how many of your machines are affected, we’re happy to help. Home users can schedule a free PC health check. Business owners can request a free network assessment. No pressure, no pitch. Just a clear picture of whether your machines are ready for this deadline.