Breaking News
A critical Secure Boot certificate used by Windows PCs to verify system integrity during startup is set to expire in 2026, Microsoft has warned, potentially leaving millions of devices vulnerable to boot-time attacks or unable to start properly.
The certificate, known as the Windows UEFI CA (Code Signing) certificate, appears in the Device Security section of the Windows Security app on some systems. Users may see a notice about “Secure Boot certificate renewal required” with a deadline of 2026.
“This is a proactive notification to ensure customers remain protected,” said a Microsoft spokesperson. “We recommend users check their Device Security settings and ensure they apply upcoming updates.”
Background
Secure Boot is a security standard built into the Unified Extensible Firmware Interface (UEFI) that prevents unauthorized operating systems and malware from loading during the boot process.
Microsoft’s certificate—the Microsoft UEFI Code Signing Certificate—is embedded in the firmware of many Windows PCs to verify the integrity of bootloaders, drivers, and early-startup code. The certificate has a validity period that ends in 2026.
Without a renewed certificate, systems may fail Secure Boot checks, leading to error messages such as “Secure Boot violation – Invalid signature detected.” In worst cases, the PC may refuse to boot entirely.
What This Means
The expiration does not trigger an immediate failure, but after the deadline, newly signed boot components from Microsoft will not be recognized by older firmware. This could block future Windows updates and security patches that rely on Secure Boot signatures.
“If the certificate expires, it could create a gap in the Secure Boot chain of trust,” said Dr. Elena Torres, a cybersecurity researcher at CyberLabs. “Attackers might exploit that to load unsigned bootkits.”
Microsoft plans to issue a certificate renewal via Windows Update or a firmware update provided by PC manufacturers. Users should ensure their system is set to receive automatic updates and check the Device Health section under Windows Security > Device Security for any alerts.
Steps to Check Your System
- Open the Start menu and type Windows Security.
- Select Device Security > Security processor details.
- Look for a notification titled “Secure Boot certificate renewal required.”
- If present, ensure Windows Update is active and apply any pending updates.
“Most users don’t need to take manual action,” the Microsoft spokesperson added. “The renewal will be handled through normal update channels.”
However, systems that are offline or running outdated versions of Windows may need to install a standalone update or contact their PC manufacturer for firmware patches.
Why This Matters Now
With two years until the deadline, experts urge users to confirm their systems are receiving updates. “Delaying could lead to a last-minute scramble,” Torres said. “It’s better to address it during a normal patching cycle.”
The issue is not specific to any Windows version—it affects all PCs with Secure Boot enabled and the Microsoft UEFI CA certificate in their firmware. This includes most devices sold since Windows 8.
Microsoft has not disclosed how many devices are impacted, but estimates range in the hundreds of millions. “The certificate change is unusual because it’s embedded at the firmware level,” Torres explained. “It’s not just a software patch.”
Users can find more about Secure Boot in Microsoft’s official documentation and should monitor the Windows Health Dashboard for updates.
This is a developing story. Check back for updates on the certificate renewal rollout.