The expiration of Microsoft-issued cryptographic certificates on June 24, 2026, will significantly impact the boot security of many Windows PCs. These certificates, essential for validating software during the startup process, have been in use since 2011 and are embedded in the firmware of motherboards. Systems will continue to receive regular updates, but if they are not updated in time they will lose access to crucial future security updates related to Windows startup.
Microsoft is currently implementing replacements via Windows Update, a complex process requiring collaboration between the company, PC manufacturers, and sometimes users. This effort has been described by Microsoft as one of the largest coordinated security maintenance initiatives within the Windows ecosystem.
Secure Boot operates through a hierarchy of certificates stored in the UEFI firmware, which ensures that only trusted software is executed before the operating system starts. The Platform Key, held by the manufacturer, is the foundational element of this trust chain. Below it, the Key Exchange Key allows Microsoft to manage updates to the Signature Database and the Forbidden Signature Database, which regulate the software that can be run during the boot process.
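To check which certificates a machine's Signature Database actually trusts, the following added example (not from the article or from Microsoft) parses a dumped db variable and reports whether only 2011-era or also replacement certificates are present. The `EFI_SIGNATURE_LIST` layout, the certificate common names, and the helper names are assumptions brought in from outside the page, and the sample blobs are constructed.

```python
import struct
import uuid

# SignatureType GUID for X.509 entries, from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Certificate common names (assumed here, not listed on the page).
CERTS_2011 = ("Microsoft Windows Production PCA 2011", "Microsoft Corporation UEFI CA 2011")
CERTS_2023 = ("Windows UEFI CA 2023", "Microsoft UEFI CA 2023")

def parse_signature_lists(blob):
    """Yield (signature_type, owner, data) for each entry of a db/dbx/KEK blob."""
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        first = 28 + header_size
        if sig_size < 16 or list_size < first or offset + list_size > len(blob):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        if (list_size - first) % sig_size:
            raise ValueError("entries do not fill the list exactly")
        for pos in range(offset + first, offset + list_size, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
        offset += list_size

def db_status(blob):
    """Classify a db blob by which Microsoft CA names its X.509 entries contain."""
    found = set()
    for sig_type, _owner, data in parse_signature_lists(blob):
        if sig_type == EFI_CERT_X509_GUID:
            # Substring match on the DER bytes: a quick heuristic, not X.509 validation.
            found.update(n for n in CERTS_2011 + CERTS_2023 if n.encode() in data)
    if found & set(CERTS_2023):
        return "updated"
    return "2011-only" if found else "unknown"

def make_list(payload, owner=uuid.UUID(int=1)):
    """Build a one-entry X.509 signature list (constructed test data)."""
    entry = owner.bytes_le + payload
    header = struct.pack("<III", 28 + len(entry), 0, len(entry))
    return EFI_CERT_X509_GUID.bytes_le + header + entry

# Constructed samples: the payloads are placeholder bytes, not real certificates.
SAMPLE_OLD = make_list(b"\x30\x82 CN=Microsoft Windows Production PCA 2011")
SAMPLE_NEW = SAMPLE_OLD + make_list(b"\x30\x82 CN=Windows UEFI CA 2023")

if __name__ == "__main__":
    print(db_status(SAMPLE_OLD), db_status(SAMPLE_NEW))
```

On Windows the raw bytes can be obtained from the `Bytes` property returned by `Get-SecureBootUEFI -Name db`; on Linux the efivarfs file for db carries a 4-byte attribute prefix that must be stripped before parsing.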