For more than a decade, Secure Boot has been a linchpin of Windows device security, quietly defending the earliest stages of operating system startup against boot-level threats. The cryptographic foundation of Secure Boot, the Microsoft Secure Boot certificates, begins to expire in June 2026, and Windows IT administrators, security teams, and businesses of all sizes face a large-scale update event. This is not a routine patch but an infrastructure transition: it demands awareness, planning, and timely action so that devices remain inside the Secure Boot update and revocation channel across enterprise and consumer Windows ecosystems.
Virtually all supported editions of Windows 10, Windows 11, and Windows Server from 2012 onward, in both physical and virtualized environments, rely on these certificates for Secure Boot.
Understanding Secure Boot and Its Certificate Chain of Trust
Secure Boot operates as a gatekeeper at system startup, ensuring that only firmware and software components signed by trusted entities, verified via long-lived certificate authorities (CAs), are allowed to run. Implemented through the Unified Extensible Firmware Interface (UEFI), Secure Boot uses a hierarchical, certificate-based trust model held in authenticated UEFI variables:

- Platform Key (PK): Managed by the system's OEM or its delegate and treated as the root of trust. It authorizes updates to the Key Exchange Key (KEK) database.
- Key Exchange Key (KEK): Signs updates to the databases that control authorization and revocation of boot-critical software. (The UEFI specification's term is Key Exchange Key; "Key Enrollment Key" is a common misnomer.)
- Signature Database (DB) and Forbidden Signature Database (DBX): The DB holds the certificates and hashes that are allowed to load; the DBX holds revoked certificates and hashes, and a DBX entry takes precedence over a matching DB entry. Together they give granular control over what can, and cannot, start the boot sequence.
The Impending Expiration: What, When, and Who Is Affected?
The expiry of Secure Boot certificates is not a hypothetical risk; it is a fixed, scheduled event. Beginning in June 2026, three cornerstone certificates will sunset:

| Expiration Date | Expiring Certificate | Updated Certificate(s) | Function | Storage Location |
|---|---|---|---|---|
| June 2026 | Microsoft Corporation KEK CA 2011 | Microsoft Corporation KEK 2K CA 2023 | Signs updates to DB and DBX | KEK |
| June 2026 | Microsoft Corporation UEFI CA 2011 (or third-party UEFI CA) | (a) Microsoft Corporation UEFI CA 2023; (b) Microsoft Option ROM UEFI CA 2023 | (a) Signs third-party OS and hardware/driver components; (b) signs option ROMs | DB |
| Oct 2026 | Microsoft Windows Production PCA 2011 | Windows UEFI CA 2023 | Signs Windows bootloader and boot components | DB |
If the certificates expire without replacement:

- Devices will lose the ability to install Secure Boot security updates (DB and DBX changes, which the KEK signs) after June 2026.
- Systems will not trust third-party software, drivers, and option ROMs that are signed only under the new 2023 certificates after June 2026.
- Critical components such as Windows Boot Manager will no longer receive security fixes starting October 2026, because new boot managers are signed under the Windows UEFI CA 2023 rather than the expiring PCA 2011.

Expiry by itself does not stop a device from booting: Secure Boot does not check certificate validity dates at boot time, so components already signed under the 2011 certificates continue to load. What is lost is the ability to update and revoke trust going forward.
Why Now? The Threat Landscape and BlackLotus Wake-Up Call
While expiring certificates alone warrant a proactive approach, the broader context compounds the urgency. In recent years, boot-level malware and UEFI bootkits such as BlackLotus (which exploited the Secure Boot bypass tracked as CVE-2023-24932) have exposed significant attack vectors in the Secure Boot chain itself. BlackLotus demonstrated that a sophisticated attacker can abuse an unpatched or outdated Secure Boot configuration, specifically a vulnerable but still-trusted boot manager that has not been added to the DBX, to install stealthy malware that persists below the operating system, beyond the reach of most antivirus solutions and conventional forensics.

Mitigating such attacks depends on revoking old, vulnerable boot components (DBX updates, signed by the KEK) and shipping replacement boot managers (signed under the 2023 CA). Devices that never receive the new certificates fall out of that protected update channel and remain susceptible to such threats, risking not just initial infection but a loss of device trustworthiness, regulatory compliance, and recovery options.
Certificate Update Mechanics: How the New Secure Boot Certificates Roll Out
Microsoft, in close collaboration with OEMs and the UEFI Forum, is launching the first large-scale update of Secure Boot's trust infrastructure. The update process involves the following:

- Distribution of new certificates to KEK and DB: Both Microsoft and many OEMs will roll out firmware and Windows updates that enroll the new, 2023-dated certificates.
- Close monitoring and gradual deployment: Microsoft’s telemetry and diagnostic data streams will allow the company to monitor the update rollout for issues, pausing and tuning delivery as needed. The staggered global approach minimizes risk.
- Dependencies on OEM firmware: The success of Secure Boot certificate updates is deeply linked to device firmware’s ability to process these updates correctly. Applying the latest OEM firmware is therefore a critical precursor.
- Multiple workflows for environment-specific needs: Microsoft accommodates a range of IT environments, from fully cloud-managed fleets to air-gapped or strictly controlled government and manufacturing installations.
The IT Admin's Action Plan: Steps to Prepare and Secure Your Organization
The scope and complexity of the Secure Boot certificate rollover demand a clear, prioritized action plan. Based on current Microsoft guidance, here is a comprehensive preparation checklist:

1. Inventory and Assess Devices

Start by creating an inventory of all Windows endpoints, physical and virtual alike, that rely on Secure Boot. Pay special attention to servers, workstations, and any device in critical infrastructure or compliance-sensitive environments.

- Check Secure Boot status: On each device, run `msinfo32` (System Information) and read "Secure Boot State", or run `Confirm-SecureBootUEFI` from an elevated PowerShell prompt. Only devices with Secure Boot "On" are eligible for automatic certificate updates.
- Note unsupported devices: Devices reporting Secure Boot "Off" or "Unsupported" (legacy BIOS boot) may require manual intervention or may not be updateable at all.
2. Engage with OEM Partners
OEM firmware is foundational. Before any Secure Boot certificate update, apply all available firmware updates from device manufacturers.

- Consult OEM advisory pages: Leading OEMs will issue guidance and compatibility notes relating to Secure Boot updates and firmware prerequisites.
- Apply critical firmware patches: Only after firmware is current can the Windows Secure Boot certificate update proceed seamlessly.
3. Enable and Review Diagnostic Data Paths
For organizations leveraging Microsoft-managed updates (Windows Update, Autopatch, Configuration Manager, or supported third-party management agents), ensure that at least the "required" level of diagnostic data is sent to Microsoft.

- Firewall and proxy checks: Review firewall rules and ensure network paths for Windows diagnostic data (telemetry) are not blocked.
- Configure using Group Policy or MDM: Adjust organization policies to permit necessary telemetry, following Microsoft’s published instructions for Windows 10 and 11.
4. Prepare for Extended Security Updates (ESU)
Windows 10 reaches end of support in October 2025. Devices that require continued updates, including the Secure Boot certificate changes, should enroll in the Extended Security Updates (ESU) program for Windows 10, version 22H2, or move to a supported OS version.

5. Set Registry Key for Update Management (For Enterprises Without Telemetry)

Organizations that restrict diagnostic data can still opt in to Microsoft-managed Secure Boot updates via a registry value:

- Registry path: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot`
- Value name: `MicrosoftUpdateManagedOptIn`
- Type: `DWORD`
- Value: `0x5944`
6. Plan for Air-Gapped and Special-Case Devices
Air-gapped, highly controlled devices (common in government, defense, manufacturing, or critical industrial verticals) will not receive automated updates. Microsoft's role is limited to:

- Recommending update deployment methodologies as they become available.
- Sharing best practices and anonymized telemetry from the broader rollout.
- Publishing resources and step-by-step guides on the Secure Boot certificate landing page.
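As an added example (not code from Microsoft's post or from the rollout itself), the following PowerShell script makes the KEK/DB chain of trust described earlier concrete and covers steps 1 and 5 of the checklist in one pass: it reads the KEK and DB variables, parses the EFI_SIGNATURE_LIST structures inside them, reports which CAs are enrolled (so you can see whether the 2023 certificates have arrived), and reads or sets the opt-in registry value. The cmdlets are from the built-in SecureBoot module; the regular expressions that recognise the 2023 CAs are assumptions derived from the certificate names in the table above. The script never writes to PK, KEK, DB, or DBX; only firmware and Windows servicing should do that.

```powershell
#Requires -RunAsAdministrator
param([switch]$OptIn)
# Added example (not Microsoft's code): inventory Secure Boot state, list the CAs enrolled
# in KEK and DB, flag whether the 2023 certificates are present, and read or set the
# MicrosoftUpdateManagedOptIn value. Run in an elevated Windows PowerShell session.
$ErrorActionPreference = 'Stop'

# EFI_CERT_X509_GUID (UEFI specification): a signature list of this type carries DER certificates.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-EfiSignatureCertificates {
    # Walk a UEFI variable's bytes as consecutive EFI_SIGNATURE_LIST structures and return
    # every X.509 certificate found. Non-X.509 lists (e.g. SHA-256 hashes in DBX) are skipped.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # Header: SignatureType GUID(16) | SignatureListSize(4) | SignatureHeaderSize(4) | SignatureSize(4)
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) { break }   # malformed list; stop
        if ($type -eq $EfiCertX509Guid) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while ($sigSize -gt 16 -and $pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the DER-encoded certificate.
                $der = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'

function Get-SecureBootInventory {
    # One object per device: Secure Boot state, enrolled CAs, 2023-certificate presence, opt-in status.
    $enabled = $false
    try { $enabled = [bool](Confirm-SecureBootUEFI) } catch { $enabled = $false }  # throws on legacy BIOS
    $kek = @(); $db = @()
    if ($enabled) {
        $kek = @(Get-EfiSignatureCertificates -Bytes (Get-SecureBootUEFI -Name KEK).Bytes)
        $db  = @(Get-EfiSignatureCertificates -Bytes (Get-SecureBootUEFI -Name db).Bytes)
    }
    $optIn = (Get-ItemProperty -Path $RegPath -Name MicrosoftUpdateManagedOptIn -ErrorAction SilentlyContinue).MicrosoftUpdateManagedOptIn
    # Subject patterns are assumptions derived from the certificate names in the table above.
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        SecureBootEnabled    = $enabled
        KekCAs               = ($kek | ForEach-Object Subject) -join '; '
        DbCAs                = ($db  | ForEach-Object Subject) -join '; '
        HasKek2023           = [bool]($kek | Where-Object { $_.Subject -match 'KEK 2K CA 2023' })
        HasUefiCa2023        = [bool]($db  | Where-Object { $_.Subject -match 'CN=Microsoft( Corporation)? UEFI CA 2023' })
        HasOptionRomCa2023   = [bool]($db  | Where-Object { $_.Subject -match 'Option ROM UEFI CA 2023' })
        HasWindowsUefiCa2023 = [bool]($db  | Where-Object { $_.Subject -match 'CN=Windows UEFI CA 2023' })
        ManagedOptIn         = ($optIn -eq 0x5944)
    }
}

function Set-SecureBootManagedOptIn {
    # Step 5 above: opt this device in to Microsoft-managed Secure Boot certificate updates.
    New-ItemProperty -Path $RegPath -Name MicrosoftUpdateManagedOptIn -PropertyType DWord -Value 0x5944 -Force | Out-Null
}

$inventory = Get-SecureBootInventory
$inventory | Format-List
if ($OptIn -and -not $inventory.ManagedOptIn) {
    Set-SecureBootManagedOptIn
    Write-Host 'Opted in to managed Secure Boot updates.'
}
```

Run it as `.\Get-SecureBootInventory.ps1` on a sample of each hardware model to build the inventory, and add `-OptIn` only on devices whose diagnostic data is blocked. Exporting the objects with `Export-Csv` from a management agent gives a fleet-wide view of which models still show only 2011 CAs after firmware and Windows updates, which is the list to raise with the OEM. A device that is already booting a 2023-signed boot manager must not have its firmware keys reset to factory defaults, since that removes the 2023 DB entry and the device will no longer boot.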
The Risks of Inaction: Security, Usability, and Compliance Threats
Failing to act on the Secure Boot certificate expiration exposes enterprises to tangible, multi-faceted risks:

- Loss of Critical Security Updates: Devices left behind will not receive future Secure Boot (DB/DBX) and Boot Manager security patches. Expiry alone does not stop a device from booting, but a device that later has a revocation or a 2023-signed boot manager applied without the matching certificates in place (for example, after a firmware "restore defaults" wipes the newly enrolled keys) can fail to start.
- Increased Vulnerability to Bootkits: With an unmaintained Secure Boot hierarchy, malware like BlackLotus and its successors could bypass protection mechanisms, infect the pre-boot environment, and entrench persistent threats invisible to conventional controls.
- Breakdown of Third-Party Compatibility: New third-party drivers, OS components (including those for dual-boot environments with Linux), and option ROMs signed only under the 2023 CAs will fail Secure Boot checks, breaking system functionality and impacting productivity.
- Regulatory and Compliance Failures: Organizations in regulated industries (finance, health, government) risk non-compliance with frameworks that mandate an up-to-date, maintained Secure Boot configuration.
Strengths in Microsoft’s Update Strategy
There are notable advantages in the scale and technical rigor of Microsoft's Secure Boot update plan:

- End-to-End Collaboration: By working tightly with OEMs and using diagnostic data, Microsoft can orchestrate widespread deployments and pause the rollout at the first sign of incompatibility.
- Granular Certificate Management: Replacing the single Microsoft Corporation UEFI CA 2011 with two 2023 certificates (one for third-party OS and driver components, one for option ROMs) allows more refined trust management: an enterprise can enroll one without the other, which helps in complex hardware environments.
- Automatic Updates for Most Users: Organizations and users that stay within the supported update and telemetry system should find the transition almost invisible: automatic, silent, and secure wherever possible.
- Proactive Security: Updating Secure Boot certificates not only keeps a device eligible for future security updates but also enables the revocations that mitigate today's highest-risk boot vulnerabilities, such as those exploited by BlackLotus.
Potential Challenges and Weaknesses
Despite this robust blueprint, some points of concern merit close attention:

- OEM Dependency and Firmware Gaps: The success of certificate updates rests heavily on the timely provision and application of firmware updates by OEMs. Any delay, oversight, or discontinuation of firmware support will leave segments of hardware at risk.
- Complexity for Non-Standard Environments: Air-gapped or diagnostic-data-disabled organizations face a significant manual lift. These groups must track emerging documentation, test procedures in isolated environments, and take responsibility for a smooth rollout.
- Risk of Misconfiguration: Mistakes, such as restoring factory Secure Boot keys in firmware setup after the update (which discards the newly enrolled certificates), toggling Secure Boot off and on in a way that resets the key databases, or leaving registry or GPO configuration incomplete, can undermine security or cause boot failures.
- Legacy Device Vulnerabilities: Devices no longer supported by OEMs, or those stuck on legacy or custom firmware, may be left stranded, unable to update or properly participate in the new chain of trust.
- Unanticipated Software Ecosystem Impacts: As the old CAs are retired, third-party drivers, operating systems, or bootloaders signed only under the new CAs will stop loading on devices that have not enrolled the 2023 certificates, especially in mixed-OS or rapidly changing environments.
Proactive Recommendations for Every Windows Environment
With time ticking, here is a condensed, actionable roadmap to secure your Microsoft ecosystem before the expiration deadline:

- Begin device inventory and Secure Boot status collection immediately.
- Update device firmware. Collaborate closely with all supported OEMs.
- Enable appropriate levels of Windows diagnostic data, or set the update registry key.
- Test updates in a controlled subset of your environment before full deployment, watching for unexpected device or software failures.
- Plan for extended support and device lifecycle—ahead of Windows 10’s end-of-support date.
- Stay engaged with Microsoft’s Secure Boot certificate rollout landing page and technical community forums for the latest developments, troubleshooting, and peer advice.
- For organizations with high-assurance or offline environments, allocate dedicated resources to monitor and act on evolving update guidance.
- Communicate the change to IT staff and impacted users, setting expectations around update timing, possible reboots, and support paths.
Keeping an Eye on Future Guidance
Microsoft and its partners will be updating their guidance as the update cycle proceeds and as issues are discovered and resolved. IT teams and device owners should regularly consult:

- The Secure Boot Certificate Rollout Landing Page
- Official OEM firmware advisories and update repositories
- Release notes for Windows 10, Windows 11 versions 23H2/24H2, and related LTSC editions
Conclusion: An Unprecedented Moment—But Not an Insurmountable One
With Secure Boot certificates expiring in June 2026, the Windows ecosystem is facing an update event without precedent in scale or technical nuance. For those who act now, updating firmware, validating device status, and ensuring proper update mechanisms, this transition will largely be a non-event. For the unprepared, it marks the end of a maintainable chain of trust, opening the door to unpatched boot-level vulnerabilities and severe operational or compliance consequences.

As always, the strength of your device security is not defined merely by technology, but by the diligence of your management processes. There is still time to act decisively. Start now: inventory, update, and stay informed. Secure Boot is only as strong as the trust you maintain. Don't let that trust expire.
Source: Microsoft - Message Center Act now: Secure Boot certificates expire in June 2026 - Windows IT Pro Blog