Overview
- The 15‑year‑old Secure Boot certificates will begin rotating in June 2026 through a phased, data‑driven deployment delivered via Windows Update.
- Most devices with automatic updates will get the new certificates automatically, while a fraction must first apply OEM firmware updates to accept them.
- Systems running Windows 10 or older receive the refresh only if enrolled in Extended Security Updates (ESU), leaving non‑ESU machines unsupported for this change.
- Microsoft says many PCs built in 2024 and almost all devices shipped in 2025 already include the refreshed certificates and require no action.
- Devices that miss the update will keep working but may forgo new boot‑level protections over time, creating growing exposure and potential compatibility issues.