October 14, 2025—KB5066835 (OS Builds 26200. 6899 and 26100. 6899 . . . Windows Secure Boot certificate expiration Important: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026 This might affect the ability of certain personal and business devices to boot securely if not updated in time To avoid disruption, we recommend reviewing the guidance and taking action to update certificates in advance For details and
How to use Surface UEFI - Microsoft Support Learn about Unified Extensible Firmware Interface (UEFI) features and how to access them on Surface Pro 4, Surface Book, and Surface Studio
Windows 11 and Secure Boot - Microsoft Support While the requirement to upgrade a Windows 10 device to Windows 11 is only that the PC be Secure Boot capable by having UEFI BIOS enabled, you may also consider enabling or turning Secure Boot on for better security
Enable TPM 2. 0 on your PC - Microsoft Support If you need to enable TPM, these settings are managed via the UEFI BIOS (PC firmware) and vary based on your device You can access these settings by choosing: Settings > Update Security > Recovery > Restart now
Frequently asked questions about the Secure Boot update process . . . If Windows is already using the 2023-signed boot manager but the firmware is reset to defaults that don’t include the Windows UEFI CA 2023 certificate, Secure Boot will block the boot process To fix this, you need to reapply the 2023 certificate to the firmware’s DB using the recovery application