Navigation section

Secure Boot Certificates Expire June 2026—Plan for Windows 11 Certificate Rotation

  • Thread Author
Microsoft’s September preview update pushed an urgent reminder to IT teams and advanced users: Secure Boot certificates used broadly across Windows devices are scheduled to start expiring in June 2026, and without coordinated firmware and OS updates some machines may be unable to boot securely or apply pre-boot fixes.

Security lab where analysts monitor multiple screens beneath a glowing neon shield on a circuit-board wall.Background / Overview​

Microsoft published KB notifications for the September 23, 2025 preview flight (KB5065790) that bundle targeted reliability fixes for Windows 11 while also drawing attention to a looming platform-level maintenance task: the rotation and renewal of Secure Boot root and signing certificates that were originally provisioned around 2011. That advisory is not a minor housekeeping note — it has direct implications for Secure Boot behavior and pre-boot integrity checks on many consumer and business devices.
To understand why this matters, remember that Secure Boot is a UEFI firmware feature that enforces a signature chain for boot-time binaries (bootloaders, drivers, recovery tools). The chain trusts certificates and keys provisioned in platform variables such as KEK, DB, and DBX. When those trust anchors expire or are removed without being replaced by valid attestations, UEFI can refuse to load signed components — or, under strict policies, refuse to boot entirely. Microsoft’s update guidance and preview KB explicitly warns that certificates issued in 2011 are scheduled to begin expiring starting June 2026 and that administrators should plan now to avoid disruption.

What KB5065790 actually contains (executive summary)​

Targeted quality fixes in the preview build​

KB5065790 is a Release Preview quality update focused on stability- and reliability-type fixes rather than new features. The publicly highlighted fixes address:
  • A sign-in hang on devices when entering a SIM PIN at the lock screen (WWAN/eSIM devices).
  • Updates to Country and Operator Settings Asset (COSA) and carrier profile handling.
  • Display/kernel stability problems affecting multi-monitor Remote Desktop sessions and unexpected shutdowns during undocking.
  • Rendering issues with Chinese IME input.
  • Crashes when opening shared printer queues in Settings.
  • Minor metadata/service description fixes.
This preview build is delivered through Release Preview for validation before any move to broad production servicing; admins are advised to pilot the patch on representative hardware first.

The Secure Boot certificate advisory bundled with the update​

Separately and more consequential for long-term platform hygiene, Microsoft reiterated that older Secure Boot certificates — originally issued circa 2011 — will begin expiring in mid‑2026. If devices are not updated with the new certificate set (through firmware updates, OS certificate packages, or OEM-supplied processes), those devices could fail Secure Boot validation or be prevented from applying pre-boot patches. Microsoft documented a multi-pronged rollout to replace platform KEK/DB certificates and provide OS-level updates where applicable.

Why the certificate expiry is a real risk (technical analysis)​

Secure Boot’s trust model depends on concrete cryptographic anchors that have real-world lifetimes. Certificates created in 2011 were expected to reach the end of their useful life in the 2025–2026 timeframe; the practical effects that Microsoft warns about are:
  • Pre-boot updates or recovery components signed under the expiring certificate chain may no longer validate, preventing tasks like offline servicing or firmware-assisted recovery.
  • Under strict Secure Boot policy settings, the firmware may treat failure to validate boot components as an immediate condition to block boot, producing boot failures in already-deployed fleets.
  • Some OEMs or managed fleets with locked-down firmware policies may be unable to accept an in-field certificate substitution without an OEM-provided firmware update or explicit management workflow.
These are not hypothetical edge cases: Microsoft’s guidance explicitly states affected devices "may be unable to apply pre‑boot fixes or might fail to boot securely under existing Secure Boot policies" if certificates are not updated. That language signals the possibility of a hard failure mode for some configurations.

Dual‑build family nuance (22621 vs 22631)​

If you cross-check the KB entry and vendor summaries you’ll notice variation in build numbering: Microsoft services Windows 11 with parallel build families (commonly 22621 and 22631), and the same KB textual content may be packaged with different build numbers for the two families. The Release Preview notes and community analysis reflect this duality — e.g., KB5065790 appears in the Release Preview stream as Build 22631.5982 while preview packaging for other servicing families may show 22621.x variants. Administrators should confirm the specific build number that targets their SKU/build family before deployment.

Cross‑referencing and verification​

Multiple independent reporting and community analysis posts mirror Microsoft’s advisory and expand on operational concerns, confirming the expiry timeline and the recommended actions for admins. Reporting from mainstream Windows coverage and security-focused outlets reiterates the June 2026 timeframe and notes that Microsoft has outlined CA/KEK update approaches to prevent boot-time disruption. Cross-checking Microsoft’s KB language against independent summaries is consistent: the expiry window, the impacted certificate set (issued in 2011), and the remediation pattern (replace certificates via firmware and OS-delivered updates) are corroborated across several independent sources.
Caveat: while the high‑level expiry timeline and recommended mitigation strategy are consistently reported, exact lists of affected OEM models, firmware versions, or device counts are not published by Microsoft in the KB preview. Those device-level details are OEM-managed and therefore require checking vendor advisories. Treat any specific device-impact claims that are not published by OEMs or Microsoft as unverifiable until confirmed.

Impact matrix — who to worry about first​

  • Enterprise fleets with mixed OEM hardware and locked firmware policies: High priority. These environments often enforce strict Secure Boot policies and may not accept ad-hoc certificate changes without vendor involvement.
  • Devices used in field or remote scenarios (WWAN/eSIM laptops, kiosk devices, point-of-sale): High priority. If those devices cannot receive firmware updates easily, a certificate expiry could effectively prevent secure boot or recovery.
  • Recent consumer PCs with modern UEFI firmware and OEM update channels: Lower immediate risk, but still require verification that the OEM firmware exposes new trust anchors or that Windows update packages will supply necessary CA updates.
  • Older hardware where OEM update support has ended: Elevated risk. End-of-support firmware may not receive the necessary KEK/DB changes; these devices may need a replacement plan before June 2026.
These categories closely match Microsoft’s advisory emphasis and community checklist recommendations to inventory and prioritize devices that rely on older trust anchors.

Recommended mitigation and remediation checklist (for IT teams)​

  • Inventory and classify devices now (by May–June 2026 timeline):
  • Identify models, OEM firmware versions, and where possible the Secure Boot variable state (KEK/DB contents).
  • Flag devices that cannot be updated via standard OEM channels or that are out of vendor support.
  • Confirm OEM firmware update availability:
  • Contact OEM support or check vendor advisory pages for explicit guidance about accepting the replacement CA/KEK set for Secure Boot.
  • Prioritize testing on devices that represent critical workflows (kiosks, remote workers, POS). Microsoft also recommends pilots in Release Preview or a staging ring.
  • Ensure Windows update pipelines will apply OS-level CA updates:
  • Microsoft indicated a multi-pronged approach that includes OS-side CA/KEK updates where applicable. Confirm that your update management (WSUS, SCCM/ConfigMgr, Intune) is prepared to deliver these servicing updates.
  • Test Secure Boot behavior after applying the recommended updates:
  • Use a controlled lab to verify boot behavior, pre-boot repair scenarios, and recovery tooling after installing the new certificate set.
  • Observe for regressions for at least 48–72 hours in real-world use as Microsoft suggests for Release Preview builds.
  • Maintain rollback and recovery plans:
  • Capture system images and ensure offline recovery media are available before broad deployment.
  • Understand uninstall semantics for combined SSU/LCU packages — in many cases the servicing stack update cannot be uninstalled once applied. That has operational consequences during remediation.
  • Build a replacement plan for unsupported hardware:
  • For machines that will not receive firmware updates or OS-side certificate refreshes, budget and schedule hardware replacement prior to the date certificates begin expiring (June 2026).
  • Communicate timelines and user-impact expectations:
  • Provide status updates to stakeholders and end users. For remote or kiosk systems, schedule maintenance windows or physical service visits where needed.
This checklist mirrors the practical guidance included in Release Preview analysis and Microsoft’s advisory language about planning and testing.

Actionable steps for consumer users (concise)​

  • Keep Windows Update enabled and fully applied; Microsoft is delivering part of the solution via OS updates for supported devices.
  • Check your PC vendor’s support site for firmware/BIOS/UEFI updates and apply them per vendor instructions.
  • If you have an older PC and the vendor has no updates, plan for replacement before June 2026 if you require Secure Boot-based protections.
  • For advanced users: confirm Secure Boot variable signatures via UEFI firmware UI or vendor tooling, but avoid ad-hoc changes to Secure Boot variables without clear vendor guidance.

Testing and validation — a suggested pilot plan​

  • Select a small, representative pilot group (10–50 devices) including:
  • A mix of OEM models and firmware versions
  • At least one device per critical workflow (VPN + WWAN, docked workstation, kiosk/POS)
  • Create full device backups or system images.
  • Apply the Microsoft preview/production updates and OEM firmware updates per vendor guidance.
  • Perform these validation checks:
  • Normal boot with Secure Boot enabled
  • Offline recovery using pre-boot tools
  • Windows Update and servicing stack behavior
  • Application of any pre-boot or recovery signing tests you have in your environment
  • Monitor for 72 hours and collect logs for any anomalies; escalate to vendor support if you find a regression. Microsoft’s Release Preview guidance recommends this staged, telemetry-aware approach.

What’s uncertain and what to watch for (risks and caveats)​

  • Vendor coverage variability: Microsoft can publish OS-side updates, but OEM firmware changes are required in many cases. The availability and timing of those firmware updates is controlled by OEMs, not Microsoft, and is thus the single largest operational risk. Any claims about a specific OEM’s readiness that are not published by the OEM should be treated as unverified.
  • Device-level behavior differences: The KB and community analysis deliberately do not list every affected model. Test results may vary even between units of the same model due to differences in firmware configuration, custom management policies, or enterprise provisioning. Treat any model-level impact statements that are not confirmed by OEM advisories as speculative.
  • Uninstall and recovery complexity: Some servicing packages combine SSU and LCU components that cannot be removed after install. That limits quick rollback choices if the update/pilot reveals regressions. Maintain offline images and recovery media as a contingency.
  • Timeline awareness: the advisory points to certificate expiry beginning in June 2026. That gives a finite runway, but planning and execution at scale (fleet-wide firmware distribution, pilot validation, replacement procurement) can take months. Treat the date as a hard planning target.

Recommended communication and governance steps​

  • Treat Secure Boot certificate rotation as an organizational milestone similar to a planned TLS root rotation: inventory, validate, stage, and execute with rollback and auditing.
  • Assign a cross-functional team: firmware/OEM liaison, patch management, endpoint security, and infrastructure teams should collaborate to ensure no single team is surprised.
  • Add monitoring and alerting for boot failures and pre-boot repair events to catch regressions early after staged rollouts.
  • Document the pilot results and produce a deployment runbook that includes OEM-specific steps, validation commands, and rollback triggers.

Conclusion​

Microsoft’s KB5065790 preview brings the usual assortment of targeted quality fixes for Windows 11, but its accompanying advisory on the June 2026 Secure Boot certificate expiration elevates this release from "routine patch" to a serviceability planning event. The technical reality is clear: cryptographic trust anchors have finite lifetimes, and in complex mixed-fleet environments the interplay between OEM firmware, OS-level CA updates, and management tooling determines whether an organization experiences seamless rotation or disruptive boot failures.
Start now: inventory devices, confirm OEM update paths, pilot updates on representative hardware, and prepare replacement plans for unsupported devices. When in doubt, treat vendor advisories as authoritative for firmware behavior, and rely on staged, telemetry-driven rollouts to minimize risk. Microsoft and independent reporting align on the core facts and the June 2026 timeline, but exact device impacts will depend on OEM responses and individual fleet characteristics — those are the variables that IT teams must resolve in the coming months.
Source: Microsoft Support September 23, 2025—KB5065790 (OS Build 22621.5984) Preview - Microsoft Support
 

Click to expand...
Microsoft has posted the September 2025 non‑security preview update for Windows 11, version 23H2 — an optional Release Preview build (KB5065790) that delivers a set of targeted reliability fixes while reiterating a major operational warning: Microsoft’s Secure Boot signing certificates issued in 2011 are scheduled to begin expiring in mid‑2026, and IT teams and device owners must prepare now to avoid boot‑time trust and updateability problems.

Windows logo over a blue, swirling graphic on a circuit-board background.Background / Overview​

Microsoft issues non‑security preview updates through the Release Preview channel to let administrators and early adopters validate fixes and detect last‑mile regressions before those fixes are promoted into general servicing. The September optional update for Windows 11, version 23H2 (also visible in Insider Release Preview channels as Build 22631.5982 / 22631.5984) contains quality and reliability tweaks — authentication fixes, IME/display/printer bug corrections, and other targeted stability items — while the public notes also surface a cross‑cutting servicing advisory about Secure Boot certificate rollover.
At the same time, Microsoft’s September cumulative updates for other servicing branches (for example, Windows 11, version 24H2) explicitly call out the Secure Boot certificate expiration program and link to guidance for preparing devices, because the change affects the pre‑OS trust chain that enables Secure Boot protections and pre‑boot updates.
This story is therefore twofold: (1) what the September 2025 optional updates change functionally for Windows 11 23H2, and (2) why the Secure Boot certificate expiration and CA replacement program — a multi‑step, cross‑OEM, firmware‑and‑OS initiative — should be treated as an immediate operational priority for both home users and enterprise IT teams.

What’s in the September 2025 non‑security preview for Windows 11, version 23H2​

Key fixes and focus areas​

  • Authentication and sign‑in reliability improvements (SIM PIN / mobile broadband sign‑in hangs resolved).
  • Input and IME fixes addressing character rendering and editor behavior for specific languages.
  • Printer queue UI stabilization and fixes for shared‑printer scenarios.
  • Miscellaneous system‑service reliability corrections and small cosmetic bug fixes surfaced from the Release Preview testing stream.
These updates are conservative by design: they are not feature rolls but quality improvements intended to reduce field issues before monthly rollups or the next cumulative. Administrators should treat the package as optional validation content: install in pilot rings first, validate firmware and driver interactions, then expand deployment if no regressions appear.

Packaging and installation notes​

Microsoft commonly bundles a Servicing Stack Update (SSU) with cumulative and preview packages to reduce installation failures. That bundling improves reliability but complicates rollback, because SSUs are effectively non‑removable once applied. If you manage large fleets, include SSU behavior in your test plan and image recovery strategy.

Windows Secure Boot certificate expiration: what’s changing and why it matters​

The timeline — concrete dates to remember​

  • Several Microsoft certificates issued in 2011 are scheduled to begin expiring in June 2026 (notably the KEK/UEFI CA family used in Secure Boot databases).
  • A further certificate used to sign the Windows boot manager expires later in October 2026.
Microsoft is already delivering replacement certificates (the “2023 CA family”) and related boot manager updates in servicing now, with a staged rollout that runs ahead of those expiry dates. The public guidance strongly recommends applying these updates well before the expiration windows to preserve the ability to receive future pre‑boot fixes and maintain Secure Boot trust.

What exactly is expiring?​

The certificates nearing expiry include the Microsoft KEK/UEFI CA certificates used in the UEFI Secure Boot key databases — KEK (Key Exchange Key), DB (Allowed Signature Database), and DBX (Revoked Signature Database). When a certificate used to sign boot‑time components reaches its expiration, firmware and the OS will stop recognizing signatures created under the old CA as valid for future signed pre‑boot updates, unless the new CA is introduced into the appropriate firmware variables.

Why this is not just a bureaucratic date change​

Secure Boot is the cryptographic foundation that prevents unsigned or malicious pre‑OS components (bootkits, malicious option ROMs) from loading. If the signing CA used for boot‑time validations expires and is not replaced by a newer CA trusted by firmware and OS, systems may:
  • Lose the ability to receive future Secure Boot or boot manager updates signed with the new CA.
  • Refuse to validate and trust updated boot components, potentially blocking legitimate pre‑boot protection updates.
  • In worst cases, experience boot failures or be forced to disable Secure Boot to recover — introducing substantial security risk.
The practical upshot: this is an operational lifecycle event that intersects firmware, OEM support, Windows Update delivery channels, and enterprise update tooling (WSUS, SCCM, Windows Update for Business). It is not solvable by a single Windows patch on every device unless the device firmware permits the required UEFI variable writes.

Technical deep dive: KEK / DB / DBX mechanics and the rollout sequence​

The UEFI Secure Boot trust chain (concise)​

  • Platform Key (PK): OEM/root key stored in firmware; it authorizes changes to the KEK.
  • Key Exchange Key (KEK): Authorizes updates to DB and DBX.
  • DB (Allowed Signature Database): Contains certificates/keys allowed for signing boot components.
  • DBX (Forbidden Signature Database): Contains revoked certificates/keys.
Updating trust anchors requires coordinated changes to KEK and DB/DBX entries in firmware UEFI variables — changes that can be applied either by OEM firmware updates or by OS‑initiated variable writes when firmware permits.

Microsoft’s multi‑step rollout plan (high level)​

Microsoft and OEM partners intend to roll the new 2023 CA family into devices in coordinated steps:
  • Add new 2023 certificates to KEK/DB so systems can trust new signatures.
  • Deploy updated boot manager and boot components signed by the 2023 CAs.
  • (Optional / recommended) Add revocations for the old 2011 CAs into DBX to prevent rollback attacks and abusive signing.
  • Apply Secure Version Number (SVN) updates to prevent rollback to older, vulnerable boot components.
Each step must be validated before progressing because some steps (notably DBX additions that revoke old trust anchors) are effectively irreversible on many devices without low‑level remediation. This is why Microsoft is staging the rollout well before expiry and why administrators must plan tests and rollback contingencies.

Firmware readiness is the single largest operational unknown​

Even when Windows Update delivers the new certificates, the OS can only write those certificates into UEFI variables if the firmware design allows it and if OEMs don’t lock updates out. For older or non‑compliant firmware, the update may fail or require an OEM firmware (BIOS/UEFI) update first. That means organizations with diverse hardware estates must coordinate with OEMs and test representative hardware before mass deployment.

Who is affected — scope and special cases​

Broad strokes​

  • Physical PCs and VMs shipped since about 2012 that use Microsoft’s Secure Boot CA family will be affected unless they receive the replacement certificates.
  • Consumer devices that receive Windows Update automatically and share diagnostic data are likely to receive the OS‑side certificate updates without manual intervention. For many consumer scenarios, no action will be required beyond keeping Windows Update enabled.

Enterprise fleets, air‑gapped systems, and regulated environments​

  • Enterprise fleets using WSUS, Configuration Manager, or air‑gapped deployment models must explicitly plan to deploy the certificate updates using supported offline workflows (MSU / DISM / Add‑WindowsPackage) and may need to coordinate OEM firmware updates in advance.
  • Air‑gapped or locked‑down devices that do not share diagnostic data with Microsoft or that block OS‑initiated firmware variable changes will require manual coordination (OEM firmware updates or technician intervention).

Virtual machines and cloud VMs​

Some VM families and older hypervisor configurations can also be affected because the VM firmware/UEFI image may contain the old CA set and might not accept in‑guest updates the same way physical firmware does. Microsoft has flagged specific virtualization scenarios and recommends validating VM images and cloud SKU compatibility before mass updates.

Linux and dual‑boot users​

Linux distributions that rely on Microsoft‑signed shim binaries for Secure Boot compatibility are particularly sensitive to this change: shim and related bootloader signatures might be tied to the older CA family and will require updates from distribution maintainers and/or OEM firmware updates to remain compatible with Secure Boot after the rollover. Independent reporting has already flagged this as a potential compatibility headache for Linux users on many pre‑2023 devices.

Practical deployment guidance: immediate steps for IT administrators and power users​

Below is a prioritized checklist to prepare for the Secure Boot certificate rollover and to validate the September preview update in a production‑safe way.
  • Inventory and classify systems:
  • Record devices with Secure Boot enabled, firmware vendor/model/release, and whether the firmware supports OS‑initiated variable updates.
  • Identify air‑gapped devices and determine update paths.
  • Pilot the September preview in a representative ring:
  • Use a pilot ring that mirrors firmware diversity (OEMs, laptop models, desktop systems, VM SKUs). Validate boot integrity, Secure Boot variables, and post‑update pre‑boot behavior.
  • Coordinate with OEMs:
  • Request and validate UEFI firmware revisions that explicitly permit the necessary KEK/DB variable updates and that are tested against Microsoft’s 2023 CA family.
  • Prepare offline update workflows:
  • For WSUS / SCCM / air‑gapped systems, prepare MSU / DISM packages and test the sequence: add KEK/DB certificates, deploy signed boot manager, then apply any DBX revocations. Document scripts and recovery steps.
  • Test rollback and recovery:
  • Create system images and recovery media because some changes (SSU, DBX revocation entries) are difficult or impossible to fully roll back on many platforms. Ensure you can restore systems offline if required.
  • Communication plan:
  • Notify stakeholders and end users about the change and planned maintenance windows. For dual‑boot or Linux desktop users, provide guidance on how to work with distro vendors or how to temporarily disable Secure Boot for recovery (with security caveats).
  • Prioritize high‑risk targets:
  • Focus first on critical servers, VDI hosts, and imaging pools that could affect large numbers of endpoints. Validate VM image behavior under the new CA set.
  • Monitor Microsoft’s release health channels:
  • Follow Windows Update Release Health and Microsoft’s Secure Boot rollout pages for incremental status, special‑case guidance, and emergency advisories.

Operational risks and mitigations — what could go wrong​

Risk: Firmware incompatibility prevents OS‑side certificate updates​

If firmware prevents OS‑initiated changes to KEK/DB variables, Windows Update cannot complete the certificate replacement. That yields an exposure where the device will not trust future pre‑boot updates and might, in some scenarios, be unable to apply essential boot‑time fixes. Mitigation: validate firmware and apply OEM UEFI updates that explicitly support the 2023 CA family.

Risk: DBX revocations cause unexpected non‑booting devices​

If administrators accept a DBX entry revoking an old CA before verifying all necessary components are in place (for example, before images and third‑party bootloaders have been re‑signed), some systems may fail to boot. Mitigation: stage revocations carefully in later rollout phases, validate on numerous hardware models, and keep recovery images ready.

Risk: Air‑gapped or privacy‑sensitive devices miss automatic update path​

Devices that do not share diagnostic data with Microsoft or that are intentionally isolated may not receive Microsoft‑managed certificate pushes. Mitigation: prepare offline MSU / DISM processes and test repeatable offline procedures with vendor firmware coordination.

Risk: Third‑party software and Linux shim incompatibility​

Some third‑party bootloaders and Linux shim binaries may be signed with the older CA and require maintainer action. Mitigation: coordinate with OS vendors and distribution maintainers; for critical dual‑boot fleets, consider temporary measures or firmware updates that permit new CA acceptance.

Why the update cadence and SSU bundling matter for admins​

Microsoft’s practice of bundling Servicing Stack Updates with cumulative or preview packages improves installation reliability by ensuring the component that performs installations is itself up to date. The downside: SSUs are effectively permanent once applied, which makes careful testing essential before wide deployment. This is particularly relevant when a cumulative or preview package also contains pre‑boot or certificate changes that interact with firmware behavior. Test pilots become more important, not less.

Independent perspective and cross‑checks​

Microsoft’s own KB and FAQ pages are the canonical technical references for the certificate rollover and the rollout mechanics. Independent coverage from Windows‑focused press and technical outlets has repeatedly corroborated the key timeline (June 2026 for the 2011 CA expirations and October 2026 for the bootloader PCA expiry) and highlighted the firmware/OEM coordination challenge as the central operational unknown. Collectively, these sources make the risk profile clear: the software side is being addressed now, but field readiness hinges largely on OEM firmware availability and validation.
Because the situation is inherently multi‑vendor and firmware‑dependent, certain edge‑case claims (for example, exact percentages of devices that will fail without OEM updates) are not verifiable without internal OEM telemetry; such claims should be treated with caution. Where Microsoft provides specific guidance and dates, those are authoritative; where media reporting extrapolates potential scale or impacts, those are useful but not a substitute for inventory‑level testing.

Quick reference: immediate actions (one‑page checklist)​

  • Keep Windows Update enabled for consumer devices and ensure diagnostic/update channels are not blocked.
  • Inventory systems with Secure Boot enabled; capture OEM, firmware version, and whether UEFI variable writes are permitted.
  • Pilot the September preview (KB5065790) in a test ring that mirrors your fleet.
  • Coordinate with OEMs for tested UEFI firmware that supports 2023 CA family updates.
  • Prepare offline update packages and validate DISM / Add‑WindowsPackage workflows for air‑gapped systems.
  • Stage DBX revocations only after confirming all necessary images and bootloaders are re‑signed and accepted.

Conclusion — what every Windows administrator and advanced user should take away​

The September 2025 non‑security preview updates for Windows 11, version 23H2 (KB5065790) are routine quality fixes, but they arrive with an urgent, cross‑cutting advisory: a long‑planned Secure Boot certificate rollover poses a tangible operational deadline. Microsoft’s timeline — certificate expirations beginning in June 2026 and the bootloader certificate expiring in October 2026 — is fixed and public, and the vendor is already delivering OS‑side changes to move devices to the 2023 CA family. The remaining unknown is not Microsoft’s willingness to push updates, but how many devices in the real world have firmware that will accept those changes without OEM intervention.
Action now reduces the risk later. Inventory, pilot, coordinate with OEMs, and rehearse offline update scenarios. For many consumer devices the transition will be automatic; for enterprises, air‑gapped systems, Linux dual‑boot environments, and older hardware, the work is yours. The clock is already running — plan and test now so your users and services aren’t surprised when the expiration window arrives.
(Important technical notices and update summaries referenced in this article were drawn from Microsoft’s public KB pages and the Windows Insider release notes, with corroboration from industry reporting and forum‑level testing summaries.)
Source: Microsoft - Message Center September 23, 2025—KB5065790 (OS Build 22621.5984) Preview - Microsoft Support
 

Microsoft has warned enterprise IT teams that the root Secure Boot certificates baked into most Windows devices since 2012 will begin expiring in 2026, and it is rolling out a new 2023 certificate chain to prevent boot‑time security updates from failing — a change that requires coordinated action by device owners, OEMs, and firmware vendors to avoid losing the ability to patch boot components or to inadvertently block newly signed boot loaders and option ROMs.

IT technician in a blue coat monitors a shield-graphic display in a data center.Background​

Secure Boot is a UEFI firmware feature that prevents unsigned or improperly signed pre‑boot code from running on a device. The firmware stores three key variables — the signature database (DB), the revoked signatures database (DBX), and the Key Enrollment Key (KEK) — which together determine which bootloaders, option ROMs, and EFI executables the platform will trust. Microsoft has historically supplied a set of CA certificates that OEMs include in the firmware; those same Microsoft certificates are used to sign Windows boot components and are relied upon by many third‑party OS boot chains (for example, Linux shim-based flows).
Over a decade old, the 2011 Microsoft UEFI certificates are time‑bound. Microsoft’s guidance and the Windows IT Pro communications make two points that are simple but critical: the 2011 certificates begin to expire in June 2026 (some Windows‑signing certificates expire in October 2026), and devices that are not transitioned to the 2023 certificates before those dates may lose the capability to receive Secure Boot‑related security updates — a risk that can leave the pre‑boot environment unpatchable and exposed.

Which certificates and when​

  • Microsoft Corporation KEK CA 2011 — expires June 2026; replacement: Microsoft Corporation KEK CA 2023, stored in KEK, used to sign DB and DBX updates.
  • Microsoft UEFI CA 2011 — expires June 2026; replacement: Microsoft UEFI CA 2023 (and a separate Microsoft Option ROM UEFI CA 2023) stored in DB to sign third‑party boot loaders, EFI apps, and option ROMs.
  • Microsoft Windows Production PCA 2011 — expires October 2026; replacement: Windows UEFI CA 2023, stored in DB and used to sign the Windows bootloader and boot components.
These dates and the certificate mapping are the load‑bearing facts that drive the operational timeline; Microsoft has stated that both the 2011→2023 replacement and the phased rollout must complete before the expiry windows to preserve Secure Boot continuity.

What Microsoft is offering and how it affects IT‑managed devices​

Microsoft’s public guidance splits the world into two broad operational models: (A) devices where Microsoft can manage updates (the recommended, mostly automated path) and (B) IT‑managed or air‑gapped environments where administrators control updates themselves. For many organizations, the practical choice will be a mix of both approaches depending on policy, regulatory constraints, and the presence of sensitive or isolated systems.

Option 1 — Microsoft‑managed (automated) rollout​

For a large portion of consumer and managed enterprise devices, Microsoft will deliver the new 2023 certificates via Windows Update. To participate in the Microsoft‑managed rollout IT administrators must allow required Windows diagnostic telemetry (Universal Telemetry Client / required diagnostic level) and opt devices into the Microsoft managed stream. Microsoft groups devices by firmware and hardware profiles and deploys updates gradually, monitoring telemetry for regressions so it can pause rollouts if a widespread problem is detected.
Microsoft provides a registry opt‑in key for tenant or device level control for devices under IT management:
  • Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
  • Key name: MicrosoftUpdateManagedOptIn (DWORD)
  • Recommended DWORD value: 0x5944 (indicates device may be updated in a way that preserves current security profile and updates boot manager trust).
This path reduces the manual burden for many fleets, but it requires changing telemetry policies — an organizational policy decision that privacy‑sensitive or regulated environments may not accept.

Option 2 — Self‑service or partially automated solutions​

For enterprise environments that cannot send telemetry (for example, air‑gapped manufacturing systems, sensitive government devices, or strict privacy environments), Microsoft is evaluating and will publish self‑service and partially automated guidance and tooling. In the interim, Microsoft has published manual DB/KEK update steps and a GitHub repo with Secure Boot object content that organizations can use to build their own update processes. These are explicitly intended for IT professionals who will plan, test, and deploy Secure Boot variable updates in their own change control windows.

Technical realities and operational gotchas​

The method Microsoft uses to deliver the certificate updates matters: Windows Update installs the new certificates into the active KEK/DB variables in firmware. Active variables can be overwritten or cleared if Secure Boot is toggled off, or if firmware resets defaults. That means an update pushed via Windows Update may not be persistent across a firmware default reset unless the OEM also writes the new certificates into the firmware default variables via a UEFI firmware (BIOS/UEFI) update. Microsoft is coordinating with OEMs to deliver firmware updates that embed the 2023 certificates into default variables, which is the only reliable way to make the change persistent across firmware resets.
Practical consequences:
  • If a device’s firmware never receives the 2023 certificates in its defaults, toggling Secure Boot Off → On or resetting firmware to defaults can remove the Windows‑delivered active updates. That would leave the device with only the old 2011 certs (or none), potentially blocking future Secure Boot updates.
  • Applying certificate updates without appropriate OEM firmware and driver validation can trigger BitLocker recovery, cause pre‑boot signing mismatches, or in the worst case render a device unbootable if keys or signatures don’t match expected values. Administrators must suspend BitLocker and back up recovery keys before attempting firmware or UEFI variable changes.
  • Virtual machines and cloud IaaS: Hypervisors that present UEFI to guests (Hyper‑V, VMware, and cloud platforms) must also update their guest firmware or platform metadata to expose the new CA entries; consult your hypervisor or cloud provider.
Industry commentary and vendor advisories reinforce these points: major OEMs such as Dell have already identified affected server generations and are scheduling firmware updates to add the 2023 certificates into firmware defaults, and third‑party analysis warns that Linux distributions and other non‑Windows boot flows using Microsoft‑signed shims will need to coordinate re‑signing and acceptance of the 2023 CAs.

Risk analysis: strengths and weaknesses of Microsoft’s approach​

Strengths​

  • Centralized remediation for most devices. Rolling the change through Windows Update and grouping by firmware profile simplifies the majority path and reduces manual effort for most organizations.
  • Phased, telemetry‑driven rollout. Microsoft’s plan to group devices and pause rollouts when telemetry indicates a problem is the right risk mitigation approach for a platform‑wide change of this kind.
  • Better signing granularity. Separating bootloader signing from option ROM signing (introducing a dedicated Option ROM CA 2023) provides finer trust control and reduces the blast radius when choosing what third‑party pre‑boot code to trust.

Weaknesses and operational risks​

  • Firmware dependency. The biggest operational blocker is OEM firmware. If OEMs don’t ship updates for older models (or older server generations are out of service), those devices may require manual intervention or retirement. This is a real problem for long‑lived industrial controllers and some server platforms.
  • Telemetry opt‑in friction. Organizations that intentionally restrict telemetry cannot use the Microsoft‑managed path without changing telemetry posture or using the self‑service approach, which increases friction and administrative overhead.
  • Potential for boot and recovery failures. Updating Secure Boot variables is not a zero‑risk operation: BitLocker recovery, driver signing mismatches, or broken recovery media can surface if testing and sequencing aren’t tightly controlled.
Given these trade‑offs, the safest posture is to treat the certificate transition as a programmatic change project rather than a single‑patch event: inventory, prioritize, stage, test, and execute.

Recommended, pragmatic action plan for IT teams (prioritized)​

The following checklist is a pragmatic, sequenced plan that condenses Microsoft guidance and community best practice into operational steps IT teams can follow now.
  • Inventory and classify devices (2–4 weeks)
  • Identify endpoints, laptops, desktops, servers, and VMs that use UEFI/Secure Boot. Record OEM, model, firmware/BIOS version, Windows build, and whether Secure Boot is enabled. Use existing CMDB/asset inventory or Intune/ConfigMgr reports.
  • Confirm Secure Boot status on representative devices (2 weeks)
  • Use System Information (msinfo32 → System Summary → Secure Boot State) or PowerShell: run Confirm‑SecureBootUEFI in an elevated session to return True/False. This verifies whether Secure Boot is enabled and whether the device will accept variable updates.
  • Check OEM firmware availability (weeks 1–8)
  • Contact OEMs or consult vendor support pages to find firmware updates that add the 2023 certificates into the firmware default variables. Prioritize servers and any systems lacking recent firmware support. Vendors have different timelines; some OEMs have publicly posted plans for affected server generations.
  • Prepare recovery posture and test environment (weeks 2–8)
  • Rebuild recovery USBs and installation media after vendor updates, and ensure those media are signed/compatible with the new Windows UEFI CA 2023 where necessary. Backup BitLocker recovery keys and suspend BitLocker during firmware changes.
  • Pilot certificate updates in a controlled ring (weeks 4–12)
  • Create a test group representing major OEM models, firmware versions, and critical apps. Validate boot flows, BitLocker, pre‑boot trusted tools, and recovery scenarios. Use Windows Update, WUfB, or manual MSU installs as needed.
  • Decide on Microsoft‑managed opt‑in vs self‑service deployment (weeks 4–12)
  • For devices you permit to send required diagnostic data, opt into Microsoft‑managed updates by enabling the required diagnostic data level and/or setting the MicrosoftUpdateManagedOptIn registry value (DWORD 0x5944) via MDM/GPO for scale. For locked environments, assemble a tested manual deployment process.
  • Roll out broadly with monitoring and rollback plans (weeks 8–16)
  • Deploy in waves, monitoring telemetry and endpoint health. Keep vendor firmware and recovery notes at the ready; be prepared to pull a rollout or isolate a firmware family if problems emerge.
  • Special cases: virtualized, Linux, and air‑gapped systems
  • Coordinate with cloud and hypervisor vendors for guest firmware updates. For Linux distributions that rely on shims signed by Microsoft, coordinate with distro maintainers and ensure signed binaries are available for the 2023 CA chain. For air‑gapped systems, follow the manual DB/KEK update steps and maintain a secure, auditable process for updating firmware variables.

Tactical commands and sample checks​

  • Check Secure Boot via System Information: run msinfo32 and look for “Secure Boot State” in System Summary.
  • PowerShell check (run elevated): Confirm‑SecureBootUEFI — returns True if Secure Boot is enabled.
  • Registry opt‑in (to enable Microsoft‑managed updates): set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\MicrosoftUpdateManagedOptIn (DWORD) = 0x5944 (use Group Policy preferences, PowerShell, or Intune device configuration to set at scale). Set this only after reviewing privacy/telemetry policy.
Example PowerShell to set the registry value (run elevated):
  • New‑Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -ErrorAction SilentlyContinue
  • Set‑ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "MicrosoftUpdateManagedOptIn" -Value 0x5944 -Type DWord
(Adapt to your change control, test in lab first.)

Special considerations and cautions​

  • Do not rely on a single method for critical devices. You may need a hybrid strategy: accept Microsoft‑managed rollouts for general‑purpose endpoints while applying manual firmware and DB/KEK changes for isolated or regulated systems.
  • Firmware writes are device‑specific. If an OEM does not supply a firmware update that writes the 2023 certs into defaults, the long‑term solution is either coordinated manual management or device replacement. Expect uneven OEM coverage across older consumer and enterprise hardware.
  • BitLocker and TPM interaction: changing pre‑boot signing or firmware variables can trigger BitLocker recovery. Suspend BitLocker where appropriate and ensure recovery keys are stored and tested.
  • Linux and alternative OS users must track shim and kernel signing changes. Several community and distribution‑level advisories already warn about the compatibility window for shim re‑signing and firmware updates.
Where Microsoft’s public guidance leaves gaps (for example, the exact OEM firmware schedules for every model), treat those items as unverifiable until the OEM publishes an explicit plan and place them into a vendor follow‑up bucket with clear escalation steps. This is especially true for off‑warranty or older hardware where firmware updates may be unavailable.

Conclusion — what IT leaders must prioritize now​

The Secure Boot certificate transition is not a distant theoretical issue: the 2011 CA expirations begin in June 2026, and the consequences of inaction include losing the ability to deliver Secure Boot fixes, blocking newly signed boot components, and exposing pre‑boot attack surfaces. The correct organizational response is immediate triage: inventory, test, coordinate with OEMs, and choose the right deployment model for each device class. For many organizations, the fastest path to continuity will be opting into Microsoft’s managed rollout for eligible devices and staging OEM firmware updates for persistence; for others, a carefully governed manual process will be necessary. Either way, plan and test now — treat this as a firmware and deployment program, not a single‑patch event.
This guidance synthesizes Microsoft’s KB guidance and rollout notes together with vendor advisories and community reporting to provide an actionable, security‑first plan for enterprise IT teams managing Windows devices.
Source: Microsoft Support Windows devices with IT-managed updates - Microsoft Support
 

Microsoft’s guidance that several Secure Boot certificates issued in 2011 will begin expiring in mid‑2026 has become an operational imperative: organizations and power users must prepare now to accept the new 2023 certificate family, or risk losing the ability to receive pre‑OS security fixes and to trust newly signed boot components. Microsoft will attempt to deliver these updates via Windows Update for many devices that are managed by Microsoft and sharing diagnostic data, but the update is not guaranteed in every environment — the customer remains responsible for ensuring certificate rollover completes successfully.

A futuristic neon-blue server with glowing circuit panels in a data center.Background / Overview​

Secure Boot is a UEFI‑level trust mechanism that prevents untrusted code — bootkits, unsigned bootloaders, and malicious option ROMs — from executing before the operating system starts. Trust is expressed through firmware‑resident keys and certificate authorities stored in four core UEFI variables: PK (Platform Key), KEK (Key Exchange/Enrollment Key), DB (Allowed signatures), and DBX (Revoked signatures). The United States and global device ecosystem rely on these keys to validate pre‑boot binaries and to accept or reject updates to that trust material.
Several Microsoft‑issued CAs used in those databases were created in 2011 and carry finite lifetimes. Microsoft has published a coordinated replacement plan using a new family of 2023 certificates (for example, Microsoft Corporation KEK CA 2023, Windows UEFI CA 2023, Microsoft UEFI CA 2023, and Microsoft Option ROM UEFI CA 2023). The first set of expirations begins in June 2026 (KEK and several UEFI CA certs) and an important Windows bootloader signing CA expires in October 2026. Devices that fail to receive the new CAs before these dates will still boot in most cases, but they will stop receiving Secure Boot and Boot Manager security updates, a situation that degrades platform security and long‑term patchability.
Why this matters in plain terms:
  • Secure Boot updates (boot manager updates, DB/DBX changes) are signed and verified against the trusted CA set. If those CAs expire, future updates cannot be validated.
  • Without an updatable trust anchor, revocations and mitigations for pre‑OS threats (including high‑profile bootkits) cannot be reliably delivered to affected devices.
  • Some remediation steps (notably adding revocations to DBX) can be effectively permanent once accepted by device firmware.
These are not theoretical risks: Microsoft’s rollout and mitigation guidance is deliberately staged because incorrectly applying DB/DBX or boot manager changes without firmware readiness can cause dual‑boot issues, BitLocker recovery prompts, or worse, unbootable systems if recovery media are not updated.

Microsoft‑managed vs IT‑managed update paths​

Microsoft‑managed delivery (consumer and many enterprise scenarios)​

Microsoft will deliver the 2023 certificates and the updated boot manager through Windows Update for many devices that meet two conditions: the device is running an in‑support Windows build that Microsoft’s update tooling can target, and the device is sharing the required diagnostic data with Microsoft so the managed rollout can identify and update it. For many consumer devices this will be the default update path; for organizations using Microsoft Cloud/Intune and allowing diagnostic data that enables Microsoft management, the company will attempt automated delivery as well.
Key points for Microsoft‑managed updates:
  • Devices must be on supported Windows versions that Microsoft has enabled for the managed rollout. Not all supported builds are in scope for automatic updates.
  • Diagnostic telemetry must be permitted and reachable; corporate firewalls or privacy policies that block telemetry may prevent the device from being included.
  • OEM firmware must allow OS‑initiated writes to UEFI variables (some firmwares refuse or filter such writes), and firmware bugs can stop the update entirely. In such cases, manual or OEM firmware updates will be required.

IT‑managed and air‑gapped environments​

If devices are managed by an enterprise IT department and telemetry is not shared with Microsoft, administrators must use Microsoft’s published guidance and tooling to orchestrate updates. Supported management channels include:
  • WSUS / SCCM / Configuration Manager
  • Windows Update for Business / Intune
  • Offline/air‑gap workflows using MSU packages, DISM, or scripted registry controls
Microsoft has published registry opt‑in guidance for organizations that want the Microsoft‑managed path to take effect where applicable — the MicrosoftUpdateManagedOptIn DWORD under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot (value 0x5944 to opt in) — but changing telemetry or registry settings has privacy and policy implications and should be weighed by security teams.

The multi‑step rollout: technical sequence and why order matters​

Microsoft and OEM guidance make the rollout deliberately sequential because the wrong order can break updateability or enable rollback attacks. The high‑level sequence is:
  • Add the new 2023 CA to the device DB (Allowed signatures) and the KEK (so future DB/DBX updates can be authorized).
  • Deploy a Boot Manager signed by the Windows UEFI CA 2023 so that new pre‑boot components are trusted.
  • (Optional but recommended) Add the older 2011 CA to DBX to revoke the old trust anchor and prevent attackers from re‑introducing old, vulnerable boot managers.
  • Apply a Secure Version Number (SVN) firmware update to enforce non‑rollback protections.
Each step must be validated before proceeding to the next; DBX revocations and SVN increases can be difficult or impossible to revert without deep recovery steps. That permanence is why vendors emphasize staged testing on representative hardware families before mass rollout.
Practical registry and deployment controls (examples from Microsoft guidance):
  • Add Windows UEFI CA 2023 to DB: set AvailableUpdates = 0x40 (HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot), then restart twice and verify presence with Get‑SecureBootUEFI (PowerShell).
  • Install 2023‑signed Boot Manager: set AvailableUpdates = 0x100 and restart as directed.
  • Apply DBX revocations and SVN updates through subsequent registry flags and cumulative updates.
Because the update touches firmware variables and boot components, the update flow is packaged inside Windows servicing updates (SSU/LCU/CU) and sometimes exposed as KB articles that instruct administrators how to trigger specific steps in controlled deployments. Test devices, updated recovery media, and BitLocker key backups are essential prerequisites before applying the sequence broadly.

Verifying successful updates: concrete checks administrators can run​

After applying steps, validate the environment using system tools:
  • Confirm the DB contains the 2023 CA:
  • PowerShell (as Administrator): [System.Text.Encoding]::ASCII.GetString((Get‑SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'. A True result indicates the DB entry exists.
  • Validate Boot Manager signature:
  • Mount the EFI system partition (mountvol S: /S), copy bootmgfw.efi and check its digital signatures in the file properties dialog or with sigcheck/powershell to confirm the chain includes Windows UEFI CA 2023.
  • Check DBX for revoked 2011 CA:
  • Similar PowerShell tests exist to examine DBX contents and confirm the 2011 CA is present there if revocation has been applied.
  • BitLocker: back up recovery keys and suspend BitLocker if firmware updates or Secure Boot policy changes will affect PCR[07] or other measured boot PCRs. Microsoft’s OEM guidance explicitly calls out suspending/pausing BitLocker when applying firmware changes to avoid unexpected recovery prompts.
These are the exact validation commands and workflows Microsoft includes in several KB articles and deployment notes; incorporate them into your test plan rather than skipping verification.

Known failure modes, incompatibilities, and operational risks​

Microsoft and independent commentators have cataloged several scenarios where the OS‑side certificate update may not apply cleanly or at all:
  • Firmware that refuses OS‑initiated variable writes or restricts changes to KEK/DB/DBX will block update application; many OEM firmware teams must publish firmware updates in tandem.
  • Firewall or telemetry blocking: if required diagnostic data isn’t reaching Microsoft (corporate firewall rules, proxy filtering, or telemetry policies), Microsoft’s managed rollout may skip the device. Customers must ensure telemetry routing or use alternate IT‑managed workflows.
  • BitLocker recovery triggers: changing boot components or firmware settings can trigger BitLocker into recovery mode. If recovery keys are not available, restoring access can be time‑consuming or impossible without vendor support. Back up keys before making changes.
  • Unbootable recovery or installation media: If recovery or installation USB media don’t contain updated certificates and a device needs recovery after an SVN increase or DBX revocation, the device may refuse to boot older media. Updating recovery media and deployment images is mandatory.
  • OEM‑specific quirks: certain OEM features (for example, HP’s Sure Start protections or early Arm64 firmware implementations for Qualcomm platforms) have required vendor firmware adjustments. Administrators should consult OEM guidance and firmware release notes; in some cases, the OEM firmware update must precede the OS‑side certificate update.
Independent reporting and community testing have shown real‑world edge cases where updates either did not apply or caused unexpected behaviors, reinforcing the advice to run representative testing per device model before wide rollout.

Practical deployment checklist for administrators (ordered)​

  • Inventory devices by firmware vendor, model, and current Secure Boot DB/KEK contents.
  • Verify Windows servicing baseline: ensure devices have the required SSU/LCU/CU releases that include Secure Boot update functionality.
  • Back up BitLocker recovery keys and verify recovery procedures for all affected devices.
  • Update recovery and installation media to include the 2023 certificates or to handle SVN changes.
  • Identify representative test devices for each hardware/firmware family and run the full multi‑step rollout there, checking DB, Boot Manager signature, DBX, and SVN at each stage.
  • Coordinate with OEMs: confirm firmware updates exist and test their interaction with the OS‑side flow; do not apply DBX revocations until firmware readiness is confirmed.
  • For Microsoft‑managed rollouts, confirm diagnostic telemetry settings and registry opt‑in (if using MicrosoftUpdateManagedOptIn), and confirm telemetry is not blocked by network policy.
  • Roll out in waves, monitor telemetry and device health, and ensure rapid rollback/recovery plans are available for any device models that exhibit failures.

Guidance for power users and small IT shops​

  • Keep Windows Update enabled and ensure devices are on a supported build; many consumer devices will receive the 2023 certificates automatically if telemetry and OS build requirements are met.
  • If you manage a small fleet, use Windows Update for Business or manual KB packages and follow the KB instructions for AvailableUpdates flags to control DB/Boot Manager/DBX steps.
  • Always export and store BitLocker recovery keys (Microsoft Account, Azure AD, AD DS, or offline vault) before applying updates that touch boot components or firmware variables.
  • If you use Linux or dual‑boot, be aware that some Linux boot shim/packages will now be signed with 2023 CA keys; if firmware doesn’t have the 2023 CA, installers or shims may fail. Coordinate with your distribution’s guidance and OEM firmware updates.

What Microsoft will and won’t do — read the fine print​

Microsoft’s FAQ and supporting KBs state clearly: Microsoft will attempt to update Secure Boot certificates automatically for devices that are Microsoft‑managed and that share diagnostic data, but there are explicit exceptions and limitations. Examples Microsoft lists include:
  • Only certain in‑support Windows builds are included in the managed flow.
  • Diagnostic data may be blocked by organizational network controls.
  • Firmware issues on the device may prevent updates from applying.
The net result: organizations cannot assume complete automation. Microsoft’s managed rollout lowers friction for many devices, but customers — especially IT‑managed fleets, air‑gapped systems, and devices with OEM quirks — must own the update process and test and remediate where Microsoft’s update does not apply.

Cross‑checking claims: independent verification and supporting evidence​

To ensure recommendations are verifiable, the principal technical claims above are corroborated by multiple, independent documents:
  • Microsoft’s central, canonical guidance on the certificate expirations and their replacements is published on Microsoft Support and the Hardware Dev Center, which detail the certificate names, expiry windows (June and October 2026), and the staged rollout.
  • KB articles such as KB5036210 and KB5025885 document the specific registry flags, restart requirements, verification commands, and the SVN/DBX sequence used in deployments. These KBs give the exact instructions administrators must follow to apply DB, Boot Manager, and DBX updates.
  • Independent reporting and community experiments (journalism, vendor advisories, forum posts) echo the operational risks — BitLocker recovery, OEM firmware readiness, and the need for updated recovery media — making the guidance actionable beyond vendor statements.
Where claims could vary by hardware or by later Microsoft policy changes (for example, whether additional Windows SKUs get automatic support), those variabilities are explicitly flagged in the guidance and must be tested in‑house. If any specific OEM or firmware behavior is not documented publicly, assume manual remediation and contact the vendor; do not rely on the automated Microsoft pathway alone.

What to watch next and recommended timeline​

  • Immediate (next 30–90 days): Inventory, backup BitLocker keys, update recovery media, and identify representative test devices by OEM and model. Confirm Windows servicing baseline for those devices.
  • Short term (3–6 months): Begin staged testing of DB and boot manager updates on representative devices; coordinate firmware updates with OEMs and validate that DBX revocations do not break recovery scenarios.
  • Ongoing through mid‑2026: Monitor Microsoft’s Secure Boot rollout pages and the Hardware Dev Center for submission/signing policy changes and for the final enforcement schedule; expect Microsoft to give at least six months’ notice before enforcement windows begin.
Microsoft’s overall admonition is clear: update well before June 2026 for the first expiry window; delaying increases operational and security risk.

Final analysis — strengths, gaps, and risks​

Strengths of Microsoft’s approach:
  • A staged, documented rollout that is integrated into Windows servicing and that provides KB‑level controls for IT teams reduces mystery and enables controlled deployment.
  • Multiple delivery pathways (Microsoft‑managed via Windows Update, IT‑managed via WSUS/Configuration Manager/Intune, and offline MSU/DISM flows) let organizations choose the method aligned to their security posture.
  • Technical mitigations (SVN, DBX revocations) add real security value by preventing rollbacks and enabling revocations of known‑bad pre‑OS components.
Key gaps and risks:
  • Dependence on OEM firmware readiness — many behaviors and corner cases are firmware specific; without OEM updates some devices cannot accept the new certificates.
  • Potential for recovery failures — BitLocker prompts, unbootable recovery media, and permanent DBX revocations demand careful testing and key management discipline.
  • Telemetry and corporate policy friction — Microsoft’s automated updates require diagnostic data in some Microsoft‑managed scenarios; enterprises with strict telemetry or firewall policies may be excluded from automated delivery and must run alternative update processes.
Cautionary note: while Microsoft’s documentation and KBs define exact registry flags and verification commands, hardware variability means that practical execution will differ by OEM and by device family. Administrators and power users should treat Microsoft’s documented steps as the canonical procedure but validate them against their device fleet before broad application.
Secure Boot certificate rollover is a high‑impact, time‑bound operational challenge. The technical controls Microsoft provides are precise and actionable, but they rely on firmware cooperation, careful sequencing, and robust testing practices. Organizations that prepare now — inventorying devices, backing up BitLocker keys, coordinating with OEMs, and validating the staged steps on representative hardware — will preserve boot‑level security and avoid emergency remediation or unplanned downtime as the June and October 2026 expirations approach.
Source: Microsoft - Message Center Frequently asked questions about the Secure Boot update process - Microsoft Support
 

You must log in or register to reply here.

Similar threads

ChatGPT
  • Featured
  • Article Article
Urgent Windows Update: Secure Boot Certificates Expire in June 2026 – What You Need to Know
Replies
2
Views
664
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
Secure Boot Certificate Rollover 2026: Plan Now to Safeguard UEFI Boot
Replies
0
Views
203
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
Secure Boot 2023 CA Update: Windows UEFI Certificates Rollout Explained
Replies
3
Views
593
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
Secure Boot Certificate Expiration: Critical Windows Update Preparedness for 2026
Replies
0
Views
416
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
Secure Boot Certificate Expiration 2026: Critical Prep for Windows Ecosystem Security
Replies
0
Views
550
ChatGPT
ChatGPT
Back
Top