Windows Secure Boot Certificate Retirement

Microsoft is retiring legacy Secure Boot certificates in June. Learn how this quiet change may affect older devices and what businesses should review now.

The Quiet Windows Deadline That Could Disrupt Your Business

Most organisations keep a close eye on big technology risks. But every so often, a quiet change can have a bigger impact than anyone expects. In June, Microsoft will retire a set of legacy Secure Boot certificates – a routine security update on paper, but one that may affect older or inconsistently updated Windows devices in significant ways.

For well-maintained machines, this change will pass without fuss. For others, it may trigger compliance failures, security warnings, or leave the device unable to take future boot-level security fixes. And because the impact only becomes visible when something goes wrong, the safest time to review your environment is before the deadline arrives.

What’s happening and what are the risks?

Secure Boot is the firmware-level check at the base of a modern Windows device's security. Before the operating system loads, the UEFI firmware verifies that each boot component is signed by a certificate it trusts and refuses to run anything unsigned or revoked.

The Microsoft certificates that have anchored that trust since 2011 are expiring, and Microsoft is replacing them with new ones delivered through Windows updates. Devices that haven't received the firmware or OS updates carrying the new certificates will be stuck trusting only the old ones, and will no longer be able to accept boot-component updates signed with the new certificates once the old ones expire.

This isn’t a dramatic “Windows update breaks everything” moment – it’s a planned tightening of security.

Secure Boot status also feeds into Microsoft 365's broader security posture: Intune device compliance policies can require it to be enabled, and Conditional Access can block devices that fall out of compliance.

If devices fall out of compliance, you may see:

  • Conditional Access failures
  • Defender risk score increases
  • Audit findings or governance issues
  • Delays onboarding new staff or devices

How many devices will be affected?

Microsoft can only estimate the overall exposure from broad telemetry across the Windows install base. It can't see the details that matter inside each organisation: which devices have missed firmware updates, which are running older unsupported software, and which haven't been rebooted in months.

How to tell which devices are at risk (and why older hardware is more vulnerable)

Devices older than 6 to 8 years aren't automatically affected, but they are far more likely to be missing the firmware-level updates that keep Secure Boot healthy.

Windows updates alone aren't enough. The new certificates arrive through Windows servicing, but they are written into UEFI variables that the device's firmware must accept, and most manufacturers stop releasing firmware fixes long before the hardware reaches end of life. That means many pre-2016 machines may still trust only the older Secure Boot certificates Microsoft is retiring in June.

Early Secure Boot implementations also varied widely between manufacturers, and some older devices shipped with certificate stores that were never updated or couldn't be updated reliably. If the new certificates can't be installed, the device is left trusting only the expiring ones and can't take updated boot components signed against the new chain.

The other factor is patching history. Older devices are more likely to have been repurposed, used remotely, or left running for long periods without rebooting.

Both firmware updates and the Secure Boot certificate update are only applied during a reboot, so it's common for older machines to appear "up to date" in Windows while still running outdated Secure Boot components underneath.

What should businesses do?

For businesses, the most practical way to identify at risk devices is to look at a few key indicators:

  • Hardware age: Devices older than 6–8 years are more likely to be out of firmware support.
  • Firmware update history: Machines that haven't received BIOS/UEFI updates in several years are higher risk.
  • Secure Boot status: Devices reporting Secure Boot as Off, Unknown, or Unsupported need attention, as do devices where it is On but the firmware still trusts only the 2011-era certificates.
  • OEM support status: If the manufacturer hasn't released firmware updates for that model since 2018–2019, it may not support the updated certificate chain.

The risk isn't age alone. Devices are generally lower risk if they're still receiving firmware updates, have Secure Boot enabled and reporting correctly, and have been rebooted after recent cumulative updates.

How to check your own device

If you’re curious about whether your own laptop or home device is affected, there are two quick checks you can do – no technical skills required.

Check Secure Boot status:

  • On Windows, open the Start menu and type System Information.
  • Look for Secure Boot State.
  • If it says On, Secure Boot is enabled, which is the first requirement. On its own it doesn't tell you which certificates the firmware trusts, but an Off, Unsupported, or Unknown state is the immediate red flag.

Check for recent firmware or driver updates:

  • Go to Settings → Windows Update → Update history → Driver updates.
  • If you see entries such as System Firmware, UEFI Firmware Update, or updates from your device manufacturer within the last year or two, your device is actively maintained and far less likely to be affected.

These checks give you a quick sense of whether your hardware is healthy, and most modern devices will pass them easily.
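Putting the business-level indicators above (hardware age, firmware history, Secure Boot status) and the two personal checks into one script, as an added example that is not part of the original article and not a Microsoft tool: the PowerShell function below reports whether Secure Boot is enforcing, whether the firmware's signature database already trusts the 2023-generation Microsoft certificates alongside the 2011 ones, Windows' own view of the certificate rollout, the firmware release date, and the last reboot. The certificate subject strings and the Servicing registry value are assumptions taken from Microsoft's Secure Boot certificate documentation; confirm them against the current version of that documentation before relying on the verdict.

```powershell
# Added example (not from the original article): read-only Secure Boot
# readiness check for one Windows device. Run from an elevated PowerShell
# prompt; the SecureBoot cmdlets need administrator rights and a UEFI system.
# Assumptions flagged inline: the certificate subject strings and the
# 'Servicing' registry value come from Microsoft's Secure Boot CA
# documentation and should be confirmed against the current version of it.

#Requires -RunAsAdministrator

function Get-SecureBootReadiness {
    $result = [ordered]@{
        Computer        = $env:COMPUTERNAME
        SecureBootOn    = $null
        Has2011CA       = $false   # assumed subjects: Windows Production PCA 2011 / Corporation UEFI CA 2011
        Has2023CA       = $false   # assumed subjects: Windows UEFI CA 2023 / Microsoft UEFI CA 2023
        ServicingStatus = 'Unknown'
        FirmwareDate    = $null
        LastBoot        = $null
        Verdict         = ''
    }

    # 1. Is Secure Boot actually enforcing? Confirm-SecureBootUEFI throws on
    #    legacy BIOS machines, which for our purposes means "not protected".
    try   { $result.SecureBootOn = Confirm-SecureBootUEFI }
    catch { $result.SecureBootOn = $false }

    # 2. Which signing certificates does the firmware trust? The 'db' variable
    #    is a blob of EFI signature lists; the certificates inside are DER-encoded,
    #    so their subject names appear as plain ASCII bytes we can search for.
    if ($result.SecureBootOn) {
        $db     = (Get-SecureBootUEFI -Name db).Bytes
        $dbText = [System.Text.Encoding]::ASCII.GetString($db)
        $result.Has2011CA = $dbText -match 'Microsoft Windows Production PCA 2011|Microsoft Corporation UEFI CA 2011'
        $result.Has2023CA = $dbText -match 'Windows UEFI CA 2023|Microsoft UEFI CA 2023'
    }

    # 3. Windows' own view of the certificate rollout (assumed registry location
    #    per Microsoft's documentation; values seen: NotStarted, InProgress, Updated).
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    if (Test-Path $svc) {
        $v = Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue
        if ($v.UEFICA2023Status) { $result.ServicingStatus = $v.UEFICA2023Status }
    }

    # 4. Firmware age and uptime: an old BIOS release date plus a machine that
    #    has not rebooted in weeks is exactly the "looks patched, isn't" case.
    $bios = Get-CimInstance Win32_BIOS
    $os   = Get-CimInstance Win32_OperatingSystem
    $result.FirmwareDate = $bios.ReleaseDate
    $result.LastBoot     = $os.LastBootUpTime

    $result.Verdict = if (-not $result.SecureBootOn) { 'ATTENTION: Secure Boot off or unsupported' }
                      elseif ($result.Has2023CA)     { 'OK: 2023 certificates present' }
                      elseif ($result.ServicingStatus -eq 'InProgress') { 'PENDING: reboot to finish certificate update' }
                      else                           { 'AT RISK: only legacy certificates trusted' }
    [pscustomobject]$result
}

Get-SecureBootReadiness | Format-List
```

For a fleet, run the same function through Invoke-Command or your RMM tooling and export the returned objects to CSV; the Verdict column then sorts devices straight into the healthy, pending-reboot and needs-remediation groups described in the next section.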

Review now to prepare for future changes

A timely review will quickly reveal which devices are healthy, which need remediation, and which may be approaching their end of life.

Organisations should also use this opportunity to undertake a structured business review that includes:

  • Hardware age and supportability audit to identify devices no longer receiving firmware updates.
  • Firmware and BIOS/UEFI update verification to confirm updates have been applied and devices have rebooted.
  • Windows update compliance checks to catch machines stuck on old builds.
  • Secure Boot status and configuration review to ensure that it's enabled, functioning correctly, and carrying the updated certificates.
  • Integration with Microsoft 365 security baselines to prevent Conditional Access or Defender disruptions.
  • A broader technology stack assessment to ensure the environment is ready for this change and other upcoming security, compliance, and AI-driven requirements.

Contact Essential Tech for help to assess your IT environment

If you’re unsure whether your devices are ready – or if you want a broader assessment of your technology stack for security, compliance, and AI implementation – Essential Tech can help.

Contact Essential Tech to review your environment, identify any risks, and ensure your systems are prepared for this change and the ones coming next.

Got Any Questions?

We listen and learn to understand your business challenges, so we can deliver effective solutions that meet your specific business needs. Speak with an expert now!