The Secure Boot certificates will expire soon, specifically in June 2026.
What is Secure Boot?
Secure Boot is a security feature in modern computers with UEFI BIOS that monitors the boot process. Secure Boot ensures that only trusted, digitally signed software (from the bootloader to the operating system kernel) is loaded, preventing malware from infiltrating the system or rootkits from modifying it during startup.
A key aspect of this security feature is the use of security certificates. These certificates, in use since approximately 2011, are set to expire in June 2026.
What happens when the certificates expire?
If the certificates are not renewed in time, the affected systems will no longer receive security updates for the Secure Boot function, because new boot loaders will not be recognized and the error message "Secure Boot Violation" will appear. Furthermore, correctly signed third-party software can no longer be trusted. These systems are then more vulnerable to malware infiltration.
The affected systems will usually still boot, however.
It may eventually become necessary to completely disable the Secure Boot function in the BIOS.
Things that should be done before June 2026.
- Inventory all potentially affected systems.
- If BitLocker is used, check if the BitLocker recovery key is documented.
- Perform a BIOS update from the hardware manufacturer, e.g., using the Lenovo Vantage tool on Lenovo systems.
- Perform Windows updates regularly.
- To receive the necessary Secure Boot updates, "Required diagnostic data" must be enabled.
If you want to check the status right away:
- Press the Windows key + R.
- In the Run dialog box, type msinfo32.
- In the right pane of the system overview, look for BIOS Mode and Secure Boot.
BIOS Mode must be set to UEFI and Secure Boot must be enabled.
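For the inventory and BitLocker items in the list above, the same check can be scripted per machine. The following is an added example, not part of the original page: it assumes an elevated Windows PowerShell session, and the two certificate names are Microsoft's names for the 2023 replacement certificates, which the page itself does not list. The function name Test-SecureBootVarContains is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: one inventory record per machine for the Secure Boot certificate renewal.

function Test-SecureBootVarContains {
    param([string]$Name, [string]$Subject)
    # Certificate subject names appear as plain text inside the variable's DER data,
    # so a string search over the raw bytes is sufficient for an inventory check.
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
        return [System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Subject)
    } catch {
        return $null   # variable not readable (legacy BIOS or unsupported platform)
    }
}

# Confirm-SecureBootUEFI throws on machines that did not boot in UEFI mode.
try {
    $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    $biosMode   = 'UEFI'
} catch {
    $secureBoot = $false
    $biosMode   = 'Legacy or unknown'
}

# List only the IDs of BitLocker recovery protectors, never the recovery password itself.
# Compare these IDs with the ones in your documented recovery keys.
$recoveryIds = @()
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($vol) {
    $recoveryIds = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object -ExpandProperty KeyProtectorId)
}

[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    BiosMode             = $biosMode
    SecureBootEnabled    = $secureBoot
    # Assumption: Microsoft's names for the 2023 replacement certificates.
    Db2023Present        = Test-SecureBootVarContains -Name 'db'  -Subject 'Windows UEFI CA 2023'
    Kek2023Present       = Test-SecureBootVarContains -Name 'KEK' -Subject 'Microsoft Corporation KEK 2K CA 2023'
    BitLockerProtection  = if ($vol) { [string]$vol.ProtectionStatus } else { 'NotAvailable' }
    RecoveryProtectorIds = $recoveryIds -join ','
}
```

A machine that reports UEFI with Secure Boot enabled but False for Db2023Present or Kek2023Present has not yet received the renewed certificates and still needs the BIOS and Windows updates listed above.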




