Attention to those of you still on Windows 10 or with friends/family with Win10 PCs.
Windows Secure Boot certificates expire in 2026; Windows 10 users impacted
https://www.guru3d.com/story/windows-secure-boot-certificates-expire-in-2026-windows-10-users-impacted/
Microsoft is in the middle of a Secure Boot certificate transition that many users will not notice until it becomes a problem. Several long-standing certificates used by Windows devices are approaching end-of-life in 2026, and Microsoft’s guidance is clear: systems need to receive newer certificates before the older trust anchors expire, or Secure Boot trust can drift into an incompatible state. The certificates in focus are the 2011-era items that have been part of the Windows Secure Boot ecosystem for years, including Microsoft Corporation KEK CA 2011, Microsoft Corporation UEFI CA 2011, and Microsoft Windows Production PCA 2011. Their validity period is coming to an end, with expirations beginning in June 2026 and continuing later in the year. Microsoft has already issued newer certificates (the 2023-era replacements) to preserve continuity and keep the Secure Boot trust chain aligned with how Windows and third-party vendors will sign components going forward.
Why does this matter to normal users? Because Secure Boot is not just a checkbox in the firmware menu. It is the mechanism that determines whether boot components are trusted during startup. If a device does not have the updated certificate set loaded before the older certificates expire, the system may stop trusting newly signed boot components and other signing artifacts. Over time, that can turn into real breakage: reduced Secure Boot assurance, friction around future updates, and compatibility issues with drivers or software signed under the newer chain after the cutoff period.
(...)
The Windows 10 angle is the one to watch. On Windows 11, the transition is expected to proceed through normal cumulative servicing, assuming the machine stays supported and up to date. Windows 10 is less straightforward because ongoing servicing depends on channel and eligibility after end of support. If a Windows 10 device is not on LTSC and is not enrolled in the Extended Security Updates program, it may not receive the certificate transition automatically. That is the critical planning detail: if you intend to keep Windows 10 running into 2026, you need to confirm how that machine is serviced and whether it will actually receive the Secure Boot certificate updates in time. The actionable takeaway is basic but important: keep supported systems patched, verify the certificate transition for devices that will remain in service beyond mid-2026, and do not assume Windows 10 machines will be covered unless they are on a supported servicing path. The first expiration milestone is June 2026, and the closer you get without the updated trust chain, the higher the risk of Secure Boot compatibility issues with newly signed components.
The Guru3D article has a link to the 2026-01 cumulative update for Win10 to download it if necessary.
PCGamer also has an article about this matter, but from the angle of anti-cheat causing problems if your certificates aren't up to date (link here). It's worth checking it out because it shows a couple of ways to check if you have those new certificates installed or not.
Please excuse my bad English.
Former gaming PC: i5-4670k@stock (for now), 16Gb RAM 1600 MHz and a GTX 1070
Current gaming PC: R5-7600, 32GB RAM 6000MT/s (CL30) and a RX 9060XT 16GB
Steam / Live / NNID : jonxiquet Add me if you want, but I'm a single player gamer.
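
An added example, not part of the post above or of the quoted article: one way to check from an elevated PowerShell prompt on a UEFI machine whether the firmware's Secure Boot variables already hold the 2023 replacements for the three 2011 certificates the article names. The 2023 certificate names are not given on this page and are assumed from Microsoft's published names; `Test-SecureBootCertName` is a hypothetical helper name.

```powershell
# Added example. Run elevated on a UEFI system; it only reads firmware variables.

function Test-SecureBootCertName {
    param(
        [Parameter(Mandatory)][ValidateSet('db', 'KEK')][string]$Variable,
        [Parameter(Mandatory)][string]$CommonName
    )
    # Get-SecureBootUEFI returns the raw EFI signature list. A certificate's
    # subject name is stored as readable text inside the DER data, so a plain
    # string search is enough to tell whether that certificate is enrolled.
    $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text -match [regex]::Escape($CommonName)
}

# 2011 names come from the article; 2023 names are assumed (see lead-in).
$checks = @(
    @{ Variable = 'KEK'; Era = '2011'; Name = 'Microsoft Corporation KEK CA 2011' }
    @{ Variable = 'KEK'; Era = '2023'; Name = 'Microsoft Corporation KEK 2K CA 2023' }
    @{ Variable = 'db';  Era = '2011'; Name = 'Microsoft Windows Production PCA 2011' }
    @{ Variable = 'db';  Era = '2023'; Name = 'Windows UEFI CA 2023' }
    @{ Variable = 'db';  Era = '2011'; Name = 'Microsoft Corporation UEFI CA 2011' }
    @{ Variable = 'db';  Era = '2023'; Name = 'Microsoft UEFI CA 2023' }
)

try {
    # Throws on legacy BIOS systems and in non-elevated sessions.
    $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    $results = foreach ($c in $checks) {
        [pscustomobject]@{
            Variable    = $c.Variable
            Era         = $c.Era
            Certificate = $c.Name
            Present     = Test-SecureBootCertName -Variable $c.Variable -CommonName $c.Name
        }
    }
} catch {
    Write-Warning "Cannot read Secure Boot variables: $($_.Exception.Message)"
    return
}

"Secure Boot enabled: $enabled"
$results | Format-Table -AutoSize

$missing = @($results | Where-Object { $_.Era -eq '2023' -and -not $_.Present })
if ($missing.Count -gt 0) {
    Write-Warning ("2023 certificates not found: " + ($missing.Certificate -join '; '))
} else {
    "All checked 2023 certificates are present in KEK/db."
}
```

The script reports only which certificate names are enrolled in the firmware's KEK and db variables; it does not modify them or install any update.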







