Applies To: Windows 10; Windows 10, version 1607, all editions; Win 10 Ent LTSC 2019; Win 10 IoT Ent LTSC 2019; Windows 10 IoT Core LTSC; Windows 10 Enterprise LTSC 2021; Windows 10 IoT Enterprise LTSC 2021; Windows 10, version 22H2, all editions; Windows 11 Home and Pro, version 21H2; Windows 11 Enterprise Multi-Session, version 21H2; Windows 11 Enterprise and Education, version 21H2; Windows 11 IoT Enterprise, version 21H2; Windows 11 Home and Pro, version 22H2; Windows 11 Enterprise Multi-Session, version 22H2; Windows 11 Enterprise and Education, version 22H2; Windows 11 IoT Enterprise, version 22H2; Windows 11 SE, version 23H2; Windows 11 Home and Pro, version 23H2; Windows 11 Enterprise and Education, version 23H2; Windows 11 Enterprise Multi-Session, version 23H2; Windows 11 IoT Enterprise, version 23H2; Windows 11 SE, version 24H2; Windows 11 Enterprise and Education, version 24H2; Windows 11 Enterprise Multi-Session, version 24H2; Windows 11 Home and Pro, version 24H2; Windows 11 IoT Enterprise, version 24H2; Windows Server 2012 ESU; Windows Server 2012 R2 ESU; Windows Server 2016; Windows Server 2019; Windows Server 2022; Windows Server 2025

Original publish date: June 26, 2025

KB ID: 5062711

Change date: June 27, 2025

Change description:

  • Corrected a typo in the "Is this applicable for my Windows device?" section. The typo incorrectly stated "new 2003 certificates." Corrected it to say "new 2023 certificates."

This article has guidance for:

  • Individuals who own personal Windows devices. These PCs are not managed by an IT department from an organization, school, or business.

  • Devices for personal use on Windows 10 or Windows 11, Home, Pro, or Education edition.

Note If you are an enterprise or IT professional managing Windows updates for an organization's devices, please see Windows devices for businesses and organizations with IT-managed updates.

Note In this article, we also refer to Windows devices as Windows systems or PCs. 

What’s happening?

To help keep your Windows device secure, Microsoft is updating the certificates used by Secure Boot—a security feature that helps protect your devices from malware during startup. These certificates, originally issued in 2011, are set to expire starting in June 2026. To stay protected, your operating system (OS) needs to receive a new set of certificates before then. 

Why does this matter? 

Secure Boot helps ensure that your device only runs trusted software when it starts up. If the Secure Boot certificates expire, your device could become vulnerable to security threats. 

That is why Microsoft is rolling out new certificates now, well ahead of the June 2026 expiration date. 

Is this applicable for my Windows device? 

If you use a Windows 10 or Windows 11 device that runs Home, Pro or Education edition, and you get updates automatically from Microsoft (like most people do), then yes—this is applicable for your device. 

The good news is that the new 2023 certificates will be delivered to your device through regular Windows Update channels. For most users, no action is needed. 

When is this happening? 

The new certificate updates will continue gradually through June 2026. Microsoft is starting with Home and Pro edition systems first to ensure a smooth and safe transition. 

Where can I learn more about Secure Boot and the certificate update? 

See the article Secure boot to learn more about its technical details. To stay up to date on the certificate update rollout, check the release notes for Windows updates available on the Windows 11, version 24H2 update history and Windows 10 update history pages. 

What do I need to do? 

In most cases, nothing! Just make sure that: 

  • Your device is running a supported version of Windows 10 or Windows 11.

  • Windows updates are not paused.

  • Secure Boot is enabled (it usually is by default on newer systems).

To check if Secure Boot is turned on: 

  1. Press Windows + R, type msinfo32, and then press Enter.

  2. In the System Information window, look for Secure Boot State.

  3. If it says On, you’re good to go!

If Secure Boot is currently disabled, please consult your device manufacturer for information about when your device firmware will be updated to include the latest Secure Boot configuration from Microsoft. We recommend checking this before making any changes to your Secure Boot settings. For more information, please see Windows 11 and Secure Boot. 
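The same Secure Boot check can be made from an elevated PowerShell window, together with a look at which Microsoft certificates the firmware currently trusts. This is an added example, not part of the original article; the certificate names it searches for are not listed in this article and are assumed here from the names Microsoft publishes for its 2011 and 2023 Secure Boot certificates.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell window.
function Get-SecureBootCertStatus {
    try {
        # Returns $true (On) or $false (Off). The cmdlet raises an error on
        # legacy BIOS devices and in a session that is not elevated.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
        return
    }

    # Assumption: certificate names as published by Microsoft (not in this article).
    # The firmware stores hold DER-encoded certificates, so searching for the
    # name as text is a quick presence check, not a signature validation.
    $expected = [ordered]@{
        db  = 'Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023'
        KEK = 'Microsoft Corporation KEK CA 2011', 'Microsoft Corporation KEK 2K CA 2023'
    }
    $certs = foreach ($store in $expected.Keys) {
        $bytes = (Get-SecureBootUEFI -Name $store -ErrorAction Stop).Bytes
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        foreach ($name in $expected[$store]) {
            [pscustomobject]@{ Store = $store; Certificate = $name; Present = $text.Contains($name) }
        }
    }

    # BitLocker cmdlets are not present on every edition, so test for them first.
    $bitlocker = 'Unknown (BitLocker cmdlets not available)'
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $bitlocker = [string](Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus
    }

    [pscustomobject]@{
        SecureBootEnabled    = $enabled
        Certificates         = $certs
        SystemDriveBitLocker = $bitlocker
    }
}

$status = Get-SecureBootCertStatus
if ($status) {
    "Secure Boot enabled: $($status.SecureBootEnabled)"
    "System drive BitLocker protection: $($status.SystemDriveBitLocker)"
    $status.Certificates | Format-Table -AutoSize
}
```

A 2023 entry showing Present = False means the update has not reached this device yet; the rollout continues gradually through June 2026. If BitLocker protection is On, confirm that you can find your recovery key before the new certificates arrive.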

Troubleshooting

Unfortunately, in a few cases, your device might not start, or you might experience a BitLocker recovery situation when receiving the new certificates. We can help you recover from these situations.

  • If your device will not start after receiving the new certificates, you might need to disable Secure Boot. To do this, see the Disabling Secure Boot section.

  • If you encounter a BitLocker recovery situation after receiving the new certificates, see the BitLocker recovery section.

Disabling Secure Boot

Secure Boot helps to make sure that your device starts (boots) using only firmware that is trusted by the manufacturer. You can usually disable Secure Boot through the device firmware (BIOS) menus, but the way you disable it varies by device manufacturer.

Note If you have trouble disabling Secure Boot, we recommend that you contact your device manufacturer for help.

The following are general steps to disable Secure Boot:

  1. Open the System BIOS menu by doing one of the following:

    • You can often access this menu by pressing a key while your device is starting, such as F1, F2, F12, or Esc.

    • From Windows, hold the Shift key while selecting Restart. Go to Troubleshoot > Advanced Options > UEFI Firmware Settings.

  2. Find the Secure Boot setting in the BIOS menu. If possible, set it to Disabled. This option is usually in either the Security tab, the Boot tab, or the Authentication tab.

  3. Save changes and then exit. The device should restart.

For more information, see Disable Secure Boot.

BitLocker recovery

To recover from this situation, enter the BitLocker recovery key. On the BitLocker recovery screen, type the 48-digit recovery key (hyphens are optional). If the key is correct, your device will start into Windows.

For more information, see the following resources:

  • BitLocker overview

  • BitLocker recovery overview

  • BitLocker recovery process

  • Find your BitLocker recovery key

  • Get recovery key for Windows

  • How to fix BitLocker recovery key if device is not linked to MS account
