Windows 10 End of Life: Navigating the 2026 Secure Boot Certificate Expirations
Windows 10 support ended in October 2025. Now Secure Boot certificates expire in June 2026. Here are your options — including a free path most users don't know about.


Windows 10 mainstream support ended on October 14, 2025. For most users, that date passed quietly — the PC kept working, and nothing visibly changed. What's worth understanding now is a second, less-publicized development: the Secure Boot certificates that have been part of Windows since 2011 are scheduled to expire in June 2026. Devices that aren't receiving Windows Update will gradually lose firmware-level boot security as a result.
Both situations have straightforward solutions. This guide explains what each deadline means in practical terms and walks through the options available to home users, small businesses, and IT teams.
Quick Summary
- Windows 10 free security updates ended October 14, 2025
- Roughly 35% of desktop users worldwide are still on Windows 10 (Statcounter, early 2026)
- Secure Boot certificates from 2011 begin expiring June 2026 — devices not receiving updates will see gradual loss of boot-level security protections
- The Extended Security Update (ESU) program is free for eligible consumers (via Windows Backup sync or 1,000 Microsoft Rewards points) or $30/device through October 13, 2026
- The most common reason a Windows 10 PC can't upgrade to Windows 11 is a missing TPM 2.0 chip — this is easy to check
When Did Windows 10 Support End?
Windows 10 mainstream support officially ended on October 14, 2025. After that date, Microsoft stopped issuing free monthly security patches, bug fixes, and technical support for the operating system. The machines themselves continue to work normally — but they no longer receive protection against newly discovered security vulnerabilities.
Despite the deadline, roughly 35% of desktop users worldwide are still running Windows 10 as of early 2026, according to Statcounter. That's a large installed base, and Microsoft has provided options to keep those devices reasonably secure while users plan their next steps.
The primary option is the Extended Security Update (ESU) program, which delivers critical security patches beyond the end-of-support date through October 13, 2026. It's a planned transition tool — useful for organizations that need more time to migrate, but not a substitute for eventually moving to a supported operating system.
What Is the 2026 Secure Boot Certificate Expiration?
The cryptographic certificates that validate Windows Secure Boot at startup expire in June 2026. Secure Boot is a firmware-level security feature that verifies trusted software during the startup sequence, before the operating system loads. It's designed to prevent bootkits — a category of malware that embeds itself at the firmware level, below where standard antivirus software operates.
The certificates that underpin this system were issued in 2011. After 15 years of service, they are reaching the end of their planned lifecycle. A second set of certificates — those that sign the Windows bootloader itself — is scheduled to expire in October 2026.
Devices will not stop booting when these certificates expire. What changes is more gradual: systems without the replacement 2023 certificates will lose the ability to receive Secure Boot security updates, and will stop trusting software signed with newer certificates. Over time, this reduces the effectiveness of boot-level protections — including protection against firmware-level threats like the BlackLotus UEFI bootkit (CVE-2023-24932). Devices actively receiving Windows Update, including those enrolled in ESU, will receive the replacement certificates automatically as part of regular update cycles.
New PCs manufactured since 2024, and virtually all 2025 hardware, already carry the updated 2023 certificates. The situation primarily affects older machines running Windows 10 that are no longer connected to Windows Update.
Two Dates Worth Knowing
Understanding the timeline helps clarify which actions are time-sensitive and which can be planned at a more measured pace.
Windows 10 Timeline
- June 2026 — Secure Boot certificates begin expiring. Devices not receiving Windows Update will gradually lose the ability to install Secure Boot security updates and trust software signed with new certificates.
- October 13, 2026 — The ESU program ends. After this date, Windows 10 receives no further updates of any kind.
Devices enrolled in ESU will receive the Secure Boot certificate refresh automatically before June 2026, providing time to plan a full migration to Windows 11.
The practical implication: enrolling in ESU now handles the June certificate deadline automatically, and gives until October 2026 to complete a migration to Windows 11 or new hardware. Devices not enrolled in ESU need to address the certificate update separately.
What Should IT Teams Do?
IT administrators managing Windows 10 devices have two main paths forward. The right choice depends on whether the existing hardware is compatible with Windows 11.
Path 1: Enroll in Commercial ESU
Devices running Windows 10 22H2 enrolled in the commercial ESU program will receive the Secure Boot certificate refresh through Windows Update, along with continued critical security patches through October 13, 2026.
One important prerequisite: Microsoft recommends applying all available OEM firmware updates from the device manufacturer before the Windows certificate patch is applied. The firmware layer needs to be current for the certificate update to apply correctly. Microsoft's deployment guidance for this process is documented in KB5025885, which covers the phased rollout approach and the specific steps required to apply the new certificates without disrupting existing boot configurations. Virtual machine environments require separate attention — hypervisors and guest VMs each need their own certificate updates.
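To confirm whether a given device already holds the replacement certificates, the Secure Boot variables can be read directly. The script below is an added example, not taken from this article or from KB5025885; the certificate names it searches for are the names Microsoft publishes for the 2011 and 2023 sets, and the function name is hypothetical.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session.
# Certificate names are Microsoft's published names for the 2011 and 2023 sets;
# the article itself does not list them.
function Get-SecureBootCertStatus {
    try {
        # Throws on legacy-BIOS systems and in non-elevated sessions.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop

        # KEK and db are binary signature lists. Certificate subject names are stored
        # as readable strings inside them, so a text search on the decoded bytes works.
        $expected = [ordered]@{
            KEK = @('Microsoft Corporation KEK CA 2011',
                    'Microsoft Corporation KEK 2K CA 2023')
            db  = @('Microsoft Windows Production PCA 2011',
                    'Windows UEFI CA 2023',
                    'Microsoft Corporation UEFI CA 2011',   # third-party CA, not on every device
                    'Microsoft UEFI CA 2023')
        }
        $rows = foreach ($var in $expected.Keys) {
            $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
            $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
            foreach ($name in $expected[$var]) {
                [pscustomobject]@{
                    Variable    = $var
                    Certificate = $name
                    Present     = $text.Contains($name)
                }
            }
        }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            SecureBoot   = if ($enabled) { 'Enabled' } else { 'Disabled' }
            Certificates = $rows
        }
    } catch {
        # Report the failure instead of guessing: no UEFI, no elevation, or unreadable variable.
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            SecureBoot   = 'Unavailable'
            Certificates = $_.Exception.Message
        }
    }
}

$status = Get-SecureBootCertStatus
"{0}: Secure Boot {1}" -f $status.ComputerName, $status.SecureBoot
$status.Certificates | Format-Table -AutoSize
```

A device that shows only the 2011 entries as present has not yet received the refresh; one that shows the 2023 entries in both KEK and db has.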
Path 2: Plan a Windows 11 Hardware Migration
Many Windows 10 devices cannot run Windows 11. The most common compatibility blocker is the absence of a TPM 2.0 chip, which Windows 11 requires. Hardware from before 2018 is particularly likely to fall into this category.
How to Check TPM 2.0 Status
- Press Windows Key + R, type tpm.msc, and press Enter
- The TPM Management console opens — look for Specification Version under TPM Manufacturer Information
- Version 2.0 = Windows 11 eligible. Version 1.2 or "Compatible TPM cannot be found" = hardware replacement required
Note: some machines have TPM 2.0 hardware that is disabled in BIOS. Check firmware settings before concluding a device is incompatible.
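For more than a handful of machines, the same check can be scripted. This is an added example, not part of the original article; the function name and verdict wording are hypothetical, and it reads the same Specification Version that tpm.msc displays.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session;
# the TPM WMI namespace is not readable by standard users.
function Get-TpmUpgradeStatus {
    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        SpecVersion  = $null
        Enabled      = $false
        Verdict      = $null
    }
    try {
        $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction Stop
    } catch {
        $result.Verdict = "Query failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    if (-not $tpm) {
        # Same state tpm.msc reports as "Compatible TPM cannot be found".
        # A TPM that is switched off in firmware also lands here.
        $result.Verdict = 'No TPM visible to Windows: check firmware settings before replacing hardware'
        return [pscustomobject]$result
    }

    # SpecVersion is a comma-separated string such as "2.0, 0, 1.38";
    # the first field is the specification version shown in tpm.msc.
    $spec = ($tpm.SpecVersion -split ',')[0].Trim()
    $result.SpecVersion = $spec
    $result.Enabled     = [bool]$tpm.IsEnabled_InitialValue

    $result.Verdict = if ($spec -eq '2.0' -and $result.Enabled) {
        'TPM 2.0 present and enabled'
    } elseif ($spec -eq '2.0') {
        'TPM 2.0 present but not enabled: enable it in firmware settings'
    } else {
        "TPM $spec only: hardware replacement required for Windows 11"
    }
    [pscustomobject]$result
}

Get-TpmUpgradeStatus | Format-List
```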
For organizations planning a hardware refresh, our business hardware refresh planning guide covers how to structure a device lifecycle assessment. The Windows 11 Pro vs. Enterprise comparison covers licensing decisions once hardware is confirmed compatible.
What Should Home Users and Small Businesses Do?
For home users and small business owners managing their own devices, there are three options — listed in order from least to most involved.
Option 1: Enroll in the Free ESU Program
This is the most practical near-term option, and it's less widely known than it should be. On a Windows 10 PC running version 22H2 with the latest updates installed, go to Settings > Windows Update and look for the ESU enrollment option.
If you're signed in with a Microsoft account and have previously used Windows Backup to sync your settings to the cloud, enrollment is free and completes immediately. Alternatively, 1,000 Microsoft Rewards points can be redeemed for enrollment. If neither applies, the paid option is $30 per device for coverage through October 13, 2026. One detail worth noting: a single consumer ESU license tied to a Microsoft account covers up to 10 PCs, making it a practical option for households or small offices with several Windows 10 machines.
In Europe: Customers in any of the 30 countries in the European Economic Area (EEA) qualify for free ESU automatically — no Microsoft account, Windows Backup, or Rewards points required.
Option 2: Upgrade to Windows 11
If your hardware supports it, upgrading to Windows 11 is the clean long-term solution. Use the tpm.msc check above to verify TPM 2.0 status, or download Microsoft's PC Health Check tool for a full compatibility scan. Our Windows 11 system requirements guide walks through the complete checklist.
Option 3: Replace the Hardware
If the PC can't run Windows 11, replacement is the practical path. A machine that doesn't meet Windows 11's requirements is typically several years old, and the economics of continued investment in aging hardware rarely make sense past a certain point.
Our best business laptops guide covers current picks with Windows 11 pre-installed, TPM 2.0 support, and long OEM support lifecycles — the three things worth prioritizing in a replacement purchase.
ESU Program: Costs and Eligibility
| | Consumer (Home/Pro) | Commercial (Enterprise/Education) |
|---|---|---|
| Eligibility | Windows 10 22H2, not domain-joined | Windows 10 22H2, via Volume Licensing |
| Free path | Windows Backup sync or 1,000 Rewards points (covers up to 10 PCs) | Not available |
| EEA countries | Free automatically, no account required | Not applicable |
| Paid price | $30/device | $61/device (Year 1), $122 (Year 2), $244 (Year 3) |
| Coverage ends | October 13, 2026 | October 13, 2026 (Year 1) |
| Includes Secure Boot cert update | Yes, via Windows Update | Yes, via Windows Update |
Should You Upgrade Windows or Replace Your PC?
The answer depends on one thing: whether your hardware can run Windows 11.
If it can: Upgrading is straightforward. Our Windows 10 migration guide covers the full process from compatibility assessment through deployment. Windows 11 Pro is the appropriate license for most business users — it includes BitLocker, domain join, and the management features that Home edition omits.
If it can't: Replacement is the more practical path. Running an unpatched, unsupported operating system on hardware that can't be upgraded creates a compounding support burden over time. A new machine with Windows 11 pre-installed, a current-generation processor, and a manufacturer warranty is a cleaner starting point than continued investment in hardware that has reached the end of its useful life.
Either way, the ESU program provides a reasonable buffer — it's worth enrolling now to keep security patches flowing while you evaluate the right next step for each device.