Surface Secure Boot Certificates
Applies To
Secure Boot is a security feature in Unified Extensible Firmware Interface (UEFI) based firmware that helps ensure that only trusted software runs during a device's boot (start) sequence. It works by verifying the digital signature of pre-boot software against a set of trusted digital certificates (also known as certificate authority or CA) stored in the device's firmware. As an industry standard, UEFI Secure Boot defines how platform firmware manages the certificates, authenticates firmware, and how the operating system (OS) interfaces with this process.
Windows Secure Boot certificates expiring in 2026
To help keep your Windows device secure, Microsoft is updating the certificates used by Secure Boot—a security feature that helps protect your devices from malware during startup. These certificates, originally issued in 2011, are set to expire starting in June 2026. To stay protected, your device needs to receive a new set of certificates before then. For most users, this has already happened through Surface updates delivered through Windows Update or will happen in the future through regular Windows security updates.
How does this impact Surface devices?
Microsoft began updating the UEFI Secure Boot Signature Database (DB) on Surface devices to contain the “Windows UEFI CA 2023” certificate starting in 2023, and these updates were delivered to Surface devices through UEFI firmware installed by Windows Update. Also, all Surface devices manufactured in 2024 and later were launched with the “Windows UEFI CA 2023” certificate. For the devices not listed in this article, the general guidance for Windows users applies.
In addition to updating certificates stored in UEFI, we are also updating the Surface Recovery Images for all currently supported (as of September 2025) Surface devices. The table below shows which devices have the updated certificates already present in UEFI (and as of which version, if applicable) and updated recovery image status.
|
Product Name |
Minimum UEFI version with 2023 CA |
Recovery image (BMR) updated with 2023 CA |
Note |
|---|---|---|---|
|
Surface Laptop 13-inch |
Any (product launched with 2023 CA) |
 |
2023 CA-signed BMR will be released in Nov 2025 |
|
Surface Pro 12-inch |
Any (product launched with 2023 CA) |
 |
|
|
Surface Laptop 5G for Business |
Any (product launched with 2023 CA) |
|
|
|
Surface Laptop 7th Edition, Intel processor |
Any (product launched with 2023 CA) |
|
|
|
Surface Pro 11th Edition, Intel processor |
Any (product launched with 2023 CA) |
|
|
|
Surface Pro 11th Edition 5G |
Any (product launched with 2023 CA) |
|
|
|
Surface Pro 11th Edition, Snapdragon processor |
Any (product launched with 2023 CA) |
|
|
|
Surface Laptop 7th Edition, Snapdragon processor |
Any (product launched with 2023 CA) |
|
|
|
Surface Laptop 6 for Business |
Any (product launched with 2023 CA) |
|
|
|
Surface Pro 10 with 5G |
Any (product launched with 2023 CA) |
|
|
|
Surface Pro 10 for Business |
Any (product launched with 2023 CA) |
|
2023 CA-signed BMR will be released in Oct 2025 |
|
Surface Hub 3 |
Any (product launched with 2023 CA) |
|
2023 CA-signed BMR will be released in Nov 20251 |
|
Surface Go 4 |
8.200.143.0 |
|
|
|
Surface Laptop Go 3 |
10.200.143.0 |
|
|
|
Surface Laptop Studio 2 |
16.200.143.0 |
|
2023 CA-signed BMR will be released in Oct 2025 |
|
Surface Laptop 5 |
9.200.143.0 |
|
|
|
Surface Pro 9 |
12.200.143.0 |
|
|
|
Surface Pro 9 with 5G |
18.7.235.0 |
|
2023 CA-signed BMR will be released in Nov 2025 |
|
Windows Dev Kit 2023 |
12.6.235.0 |
|
2023 CA-signed BMR will be released in Nov 2025 |
|
Surface Studio 2+ |
20.101.143.0 |
|
2023 CA-signed BMR will be released in Oct 2025 |
|
Surface Laptop Go 2 |
26.102.143.0 |
|
2023 CA-signed BMR will be released in Nov 2025 |
|
Surface Laptop SE |
7.9.139.0 |
|
|
|
Surface Pro X WiFi |
10.703.140.0 |
|
2023 CA-signed BMR will be released in Nov 2025 |
|
Surface Go 3 |
11.200.143.0 |
|
|
|
Surface Pro 8 |
23.200.143.0 |
|
|
|
Surface Laptop Studio |
23.200.143.0 |
|
|
|
Surface Laptop 4 (Intel) |
23.200.143.0 |
|
|
|
Surface Laptop 4 (AMD) |
4.200.140.0 |
|
2023 CA-signed BMR will be released in Nov 2025 |
|
Surface Pro 7+ |
23.200.143.0 |
|
|
|
Surface Pro 7 |
17.200.140.0 |
|
|
|
Surface Book 3 |
17.200.140.0 |
|
2023 CA-signed BMR will be released in Nov 2025 |
1Surface Hub 3 recovery images can be used with Hub 2S devices that have been migrated to Windows 11.
Actions for IT professionals and organizations
More details on the Secure Boot certificate expirations and validating or proactively deploying certificate updates are available here: Secure Boot Certificate updates: Guidance for IT professionals and organizations
The Windows Assessment and Deployment Kit (ADK) added support for the 2023 CA in version 10.1.26100.2454 (December 2024), and new Windows Preinstallation Environment (WinPE) images can be created with the updated certificate. Pre-existing images can be updated following the guidance here: Updating Windows bootable media to use the PCA2023 signed boot manager
Related topics
Need more help?
Want more options?
Explore subscription benefits, browse training courses, learn how to secure your device, and more.
Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.
Find solutions to common problems or get help from a support agent.
