Microsoft has announced planned changes to Windows Secure Boot certificates, with certain certificates beginning to expire in June 2026. These changes are part of Microsoft’s Secure Boot security lifecycle and apply broadly to Windows platforms across all OEMs.

Scope and Applicability

• The Secure Boot certificate lifecycle, including certificate expiration, replacement, revocation, update eligibility, and enforcement timing, is defined, implemented, and controlled exclusively by Microsoft.
• Dynabook systems use Microsoft’s Secure Boot implementation and do not independently manage Secure Boot certificates.
• This change is not specific to Dynabook products.

System Impact

Systems Not Impacted

The following systems ship with the new Secure Boot trust chain pre‑installed and do not require additional customer action:

• Windows 11 25H2 preinstalled models

Systems Potentially Impacted

• Dynabook systems preinstalled with Windows 11 24H2 or earlier that have not received Microsoft Secure Boot certificate updates

Dynabook Recommendations

To maintain compatibility with Microsoft’s Secure Boot roadmap, Dynabook recommends that customers:

• Keep Windows up to date using Windows Update
• Ensure Secure Boot is enabled in system BIOS/UEFI
  • Secure Boot enablement is a Microsoft requirement for Secure Boot certificate updates to be applied
  • Systems with Secure Boot disabled may not receive updated Secure Boot certificates
• Install the latest available Dynabook BIOS/firmware for the applicable model
• Avoid manual modification or clearing of Secure Boot variables, unless expressly instructed by Microsoft or Dynabook Support

Important Clarifications

• Certificate expiration does not immediately prevent system startup
• Systems that do not transition to the updated Secure Boot trust chain may:
  • Miss future Secure Boot‑related protections
  • Encounter issues if Microsoft later revokes legacy certificates
• The timing and enforcement of any Secure Boot certificate revocations are determined solely by Microsoft

Recovery Media Considerations

Microsoft has indicated that legacy Secure Boot certificates may be added to the Secure Boot revocation database (DBX) in the future.
If this occurs, recovery or installation media created with older Windows Boot Manager signatures may not boot without additional remediation.

Further guidance will be provided by Microsoft. Dynabook will share supplemental information as available.

Microsoft Authority

For authoritative and up‑to‑date information regarding Secure Boot certificate changes, customers should refer directly to Microsoft documentation, including Microsoft Support articles related to Secure Boot certificate expiration, updates, and revocation.

Summary

• This is a Microsoft‑initiated security change
• Secure Boot must be enabled for Microsoft Secure Boot updates to apply
• Dynabook’s role is limited to maintaining firmware compatibility and providing guidance
• Most customers do not need to take action beyond normal system maintenance
• Completing updates in advance of June 2026 helps reduce future operational risk