The Clock Is Ticking on Windows Secure Boot: What Businesses Need to Know Before June 2026


Most cyber-attacks target your software, inbox, or network. But some of the most dangerous threats don’t wait for Windows to load at all.

Instead, they strike in the fraction of a second before your operating system even starts, and that’s exactly the gap Secure Boot is designed to close.

Right now, there’s a deadline SMBs need to know about. The Microsoft Secure Boot certificates first issued in 2011 begin expiring in June 2026. For most businesses, the transition will happen automatically.

But “most” isn’t “all”, and a missed update could leave a door open for attackers. A quick check now is far easier than a breach response later.

What is Secure Boot?

Think of Secure Boot as the bouncer at the door of your PC. Every time your computer starts up, Secure Boot checks the software trying to load and asks one question: is this trusted?

If the answer is yes, the process continues normally. If something suspicious tries to sneak in, Secure Boot blocks it before your operating system even gets a chance to load.

This matters because some of the most sophisticated forms of malware, known as bootkits, are designed to attack your system at exactly this stage. They load before your antivirus, before Windows, before anything you’d normally rely on to catch a threat.

Secure Boot is specifically built to stop them.

What’s Changing and Why?

The certificates that power Secure Boot, essentially the digital proof that software is legitimate and trusted, were originally issued by Microsoft in 2011. Like all certificates, they have an expiry date.

As Microsoft states in its Secure Boot article, starting in June 2026, those 2011 certificates will begin to expire, and the newer 2023 versions need to take their place to keep the chain of trust intact.

This is a routine security update from Microsoft, not a cause for alarm. Microsoft is updating the Secure Boot certificates originally issued in 2011 to ensure Windows devices continue to verify trusted boot software, and most Windows devices will receive the updated certificates automatically. Many newer devices already have them.

The challenge is that some systems, particularly those with older firmware or complex management setups, may require manual intervention.

What Happens if You Do Nothing?

Your PC won’t stop working overnight. If a device reaches the expiration date without the new certificates, it will still start and operate normally, and standard Windows updates will continue to install.

Devices that don’t receive the updated Secure Boot certificates may not be able to trust newer boot components or cyber security updates, potentially preventing certain security updates from applying.

Over time, that leaves your device increasingly exposed:

  • Vulnerability to bootkits: Without up-to-date Secure Boot protections, your devices become easier targets for sophisticated malware that loads before your operating system, making it extremely difficult to detect or remove using conventional tools.
  • Windows update failures: Devices that haven’t transitioned will lose the ability to install Secure Boot security updates after June 2026 and may eventually be unable to receive future security updates for components like Windows Boot Manager as Microsoft transitions fully to the new certificate chain.
  • Potential boot issues: In some cases, particularly where firmware is significantly out of date, devices may encounter compatibility problems as software and hardware requirements evolve around the updated certificate standard.

In December 2025, the US National Security Agency published guidance highlighting how misconfigured UEFI Secure Boot increases exposure to bootkit and firmware-level threats.

What Should SMBs Do?

The good news is that the action required is straightforward.

  • Check your Secure Boot status: Starting in April 2026, the Windows Security app displays additional information about the status of Secure Boot certificate updates. You can find this under Device security > Secure Boot, where a green, yellow, or red badge indicates your current status. A green tick means you’re covered. Yellow or red means further action is needed.
  • Keep your BIOS or UEFI firmware updated: The certificate update process works best when your device firmware is current. Manufacturers including ASUS, HP, and Lenovo have already released firmware updates that include the new certificates. Checking for and applying the latest BIOS update for your hardware is the single most effective step you can take.
  • Don’t ignore warnings: If you see a yellow or red alert relating to Device Security in your system tray, don’t dismiss it. It’s a signal that your device may need a firmware update or a manual certificate refresh, and leaving it unaddressed means leaving a door open.
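For fleets where clicking through the Windows Security app on every machine isn't practical, the same check can be scripted. The PowerShell below is an added example, not code from Microsoft or from this article: it uses the built-in Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets, and the certificate names it searches for are taken from Microsoft's public Secure Boot documentation, not from this page. The function name Get-SecureBootCertStatus is made up for the example.

```powershell
# Added example: report whether Secure Boot is on and which Microsoft CA
# generations (2011 vs 2023) are present in the firmware's KEK and db variables.
# Run from an elevated PowerShell session on a UEFI system.
function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param()

    # Certificate names to look for, per variable (assumption: names as
    # published in Microsoft's Secure Boot guidance, not in this article).
    $names = [ordered]@{
        'KEK' = @('Microsoft Corporation KEK CA 2011',
                  'Microsoft Corporation KEK 2K CA 2023')
        'db'  = @('Microsoft Windows Production PCA 2011',
                  'Windows UEFI CA 2023',
                  'Microsoft Corporation UEFI CA 2011',
                  'Microsoft UEFI CA 2023')
    }

    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        # Raised on legacy BIOS machines or when the session is not elevated.
        Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
        return
    }

    foreach ($var in $names.Keys) {
        $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
        # The certificate subject names sit in the raw variable as plain
        # single-byte text, so a string search is enough for a presence check.
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)
        foreach ($cn in $names[$var]) {
            [pscustomobject]@{
                Computer          = $env:COMPUTERNAME
                SecureBootEnabled = $enabled
                Variable          = $var
                Certificate       = $cn
                Present           = $text.Contains($cn)
            }
        }
    }
}

Get-SecureBootCertStatus | Format-Table -AutoSize
```

A device that shows only the 2011 entries as present has not yet received the new certificates and is a candidate for a firmware update. This is a presence check on the firmware variables only; it does not tell you which certificate signed the boot manager currently installed.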

For most businesses, the transition will happen automatically, and you may never notice it. But if your devices are older, if your IT updates aren’t fully managed, or if you simply haven’t checked in a while, this is a deadline worth taking seriously.

Let Outbound Group Check for You

Not sure where your devices stand?

Outbound Group can review your Secure Boot status across your business and make sure nothing gets missed before the June 2026 deadline.

Get in touch with the Outbound Group team today to ensure you’re protected before the June 2026 deadline.
