Overview
- The rollout targets Windows 11 and Windows 10 PCs enrolled in Extended Security Updates, with unsupported versions excluded.
- Most users will get the new certificates through Windows Update, though some systems will require firmware updates from their OEM or motherboard vendor.
- Microsoft says a status view for certificate health will appear in the Windows Security app in the coming months.
- The original Secure Boot certificates from 2011 near their planned 15‑year expiration in June 2026, and rotating them is standard security practice.
- Microsoft reports OEMs began provisioning new certificates in 2024 and that almost all devices shipped in 2025 already include them.