Microsoft is rolling out new Secure Boot certificates with its monthly Windows updates to replace the original certificates from 2011, which will expire in late June 2026. Secure Boot helps prevent malicious software from loading during system startup by ensuring only trusted bootloaders can run on devices with UEFI firmware. This refresh was first announced in January and follows a previous alert to IT admins about the need to update security certificates to maintain system integrity. The new certificates will be automatically installed for users who allow Microsoft to manage their Windows updates, impacting both home users and organizations. Many PCs produced since 2024 and most from the previous year already come with updated certificates. However, some devices may still need separate firmware updates from manufacturers before they can use the new certificates. If devices don’t receive the updates by June 2026, they will continue functioning but will enter a "degraded security state" with reduced boot-level protections. Microsoft is also encouraging users to upgrade to Windows 11, which now runs on over a billion devices. Unsupported versions like Windows 10 will not receive the new certificates, limiting security protections for those systems. IT admins can manage the certificate deployment through various tools to ensure continued protection for their endpoints.