Secure Boot Expiration: June 2026 Certificate Crisis
Microsoft sounds the alarm: Secure Boot certificates expire in June 2026. Discover how this affects your Windows PC and the steps needed to stay secure.
Millions of PCs rely on 2011-era security certificates. Learn how to update your system before the 2026 deadline to avoid security degradation.
Hook & Who This Is For
Millions of PCs manufactured since 2012 rely on security certificates from 2011 that are reaching their end of life [8][16]. This guide explains how to ensure your device remains secure and bootable before the 2026 deadline.
Since 2011, the foundation of Secure Boot has relied on the same set of digital certificates to verify that your operating system has not been tampered with [3][4]. However, these original 2011-era certificates are scheduled to begin expiring in June 2026 [3][8][16]. If a system is not updated with new 2023-era certificates before this deadline, it may eventually lose the ability to boot newer operating systems or receive critical security mitigations [3][4][13].
This transition is a significant "generational refresh" for the Windows ecosystem, affecting nearly every modern PC [15]. While most automated systems will handle this update in the background, understanding the timeline is vital for maintaining system integrity and compliance [8][18].
Who This Is For
This article is designed for:
- Windows 10 and Windows 11 home users who want to ensure their hardware remains supported [14][16].
- IT administrators managing fleets of physical or virtual machines that require manual update oversight [18].
- Users concerned about long-term system stability and protection against boot-level threats like the BlackLotus bootkit [15][16].
What Is Not Covered
This guide focuses specifically on the Microsoft-led certificate rollout for the Windows ecosystem [14]. It does not cover:
- Linux-only hardware: Devices running only Linux distributions are outside this scope, though Windows will update certificates for dual-boot systems [16].
- Apple Hardware: While macOS is technically affected by Secure Boot CAs in some configurations, it is outside the scope of Microsoft support [16].
- Legacy BIOS: Only systems using UEFI with Secure Boot enabled are affected [3][6].
TL;DR / What This Means for You
Microsoft is currently replacing its original Secure Boot certificates, which have been the foundation of PC startup trust since 2011 [3][15]. These 15-year-old certificates are set to expire beginning in June 2026, requiring a transition to updated 2023 versions to maintain system security and functionality [2][10][18].
For most users, this transition is expected to be handled automatically through Windows Update and manufacturer firmware updates [4][8]. However, proactive verification is recommended to ensure your hardware remains compatible with future security patches and operating system versions [13][14].
Key Insights
- Expiration Timeline: The original Microsoft certificates (KEK and DB) begin expiring in June 2026, with others following in October 2026 [1][10][16].
- Affected Systems: Nearly all Windows-based devices manufactured since 2012 are potentially affected, including both physical hardware and virtual machines [10][12][18].
- Security Risk: Failing to update may leave devices vulnerable to bootkit malware, such as BlackLotus, and prevent the installation of future security mitigations [2][5][15].
- Automatic Deployment: Managed Windows devices and those receiving regular updates will likely receive the new certificates without user intervention [4][11][15].
Recommended Actions
- Keep Windows Updated: Ensure your system is receiving the latest cumulative updates, as Microsoft is using these to deliver the new 2023 certificate authorities (CAs) [8][11][16].
- Install Firmware Updates: Check your PC manufacturer’s website or support app for BIOS/UEFI updates, as these often contain the necessary certificate foundations [11][14][15].
- Verify Secure Boot State: Use the `msinfo32` command to confirm that Secure Boot is "On" to ensure your device can receive and process these updates [13].
- Audit Older Hardware: Systems from 2019 or earlier may require manual verification to confirm they have enough memory (NVRAM) to store the new certificates [4][14].
Risk Note: While your PC will likely continue to boot existing software after the certificates expire, it will enter a "degraded security state" that may eventually prevent it from loading newer operating systems or critical security fixes [4][15].
Key Sources (Quick Links)
- Safer Internet Day 2026: Helping students be AI aware | Microsoft Education Blog [1]
- Building a safer digital future, together [2]
- Windows' original Secure Boot certificates expire in June—here's wh... [3]
Background / Basics
Secure Boot is an industry security standard designed to ensure that a computer starts up using only software that is trusted by the original equipment manufacturer (OEM) [1][16]. This process begins during platform initialization, where the firmware authenticates specific modules—including UEFI drivers, option ROMs, and boot loaders—before they are allowed to execute [1][5]. By blocking untrusted or malicious code at this earliest stage, the system significantly minimizes the risk of sophisticated attacks like bootkits, which can be difficult for standard antivirus software to detect [3][12].
The foundation of this trust is a hierarchy of cryptographic keys and certificates stored directly in the device's firmware [1][9]. These components act as digital "keys" that the firmware uses to verify the signature of any software attempting to load [3][5]. This hierarchy typically includes the following elements:
- Platform Key (PK): Usually owned by the hardware manufacturer, this serves as the root of trust for the entire system [1][9].
- Key Exchange Key (KEK): This authorizes updates to the signature databases and often includes keys from both Microsoft and the OEM [1][6].
- Allowed Signature Database (DB): This contains the specific certificates and hashes for authorized boot loaders and drivers [1][18].
- Disallowed Signature Database (DBX): A revocation list used to block known malicious or vulnerable software from starting [1][9].
The Role of Certificate Lifespans
It is a standard industry practice for security certificates to have a fixed lifespan to ensure that cryptographic protections remain robust over time [3][5]. These certificates are not permanent; they are designed to be periodically refreshed to prevent aging credentials from becoming a vulnerability [3]. Current data indicates that the original set of Secure Boot certificates has been in continuous service for approximately 15 years [3][16].
Because these credentials have expiration dates, they must be replaced before they become invalid [2][12]. The primary certificates issued in 2011 are expected to begin expiring in June 2026 [1][6]. If these "keys" are not updated to the newer 2023 versions before the expiration date, the chain of trust may be compromised, potentially leaving the device unable to receive future security mitigations for the boot process [1][8].
Problem Explanation
The Secure Boot infrastructure, which has remained largely unchanged since the release of Windows 8 in 2012, is approaching a critical transition point [4][18]. The digital certificates that form the "root of trust" for millions of PCs are set to expire, beginning a phased lifecycle end that impacts how devices verify software during the startup sequence [12][15].
Starting in June 2026, the original Certificate Authorities (CAs) issued in 2011 will no longer be valid for signing new updates or components [1][18]. While this is a standard industry practice to maintain cryptographic strength, the scale of this specific renewal is significant because these certificates have been the foundation of PC boot security for approximately 15 years [8][12].
What Happens When Certificates Expire?
If a device does not transition to the new 2023-era certificates before the deadline, it will not suddenly stop working. Industry documentation confirms that affected PCs will continue to boot and run existing software normally [3][13]. However, the system enters what is described as a degraded security state [3][4].
In this state, the following issues are expected to emerge:
- Loss of Security Patches: The system will lose the ability to install new security updates for the Windows Boot Manager and other Secure Boot components [1][18].
- Trust Failures: The PC may not trust third-party software, such as hardware drivers or bootloaders, that are signed with the newer certificates after June 2026 [1][9].
- Vulnerability Exposure: As new boot-level threats are discovered, affected devices will remain exposed because they can no longer apply the necessary mitigations or updated revocation lists (DBX) [5][13].
- Compatibility Risks: Over time, newer operating systems or firmware updates may fail to load because the hardware no longer possesses the valid keys to verify them [3][13].
Comparison of Expiring vs. New Certificates
The update involves replacing three core certificates stored in the system's firmware variables, specifically in the Key Exchange Key (KEK) and Signature Database (DB) variables [1][6].
| Expiring Certificate (2011) | New Certificate (2023) | Expiration Date | Storing Location |
|---|---|---|---|
| Microsoft Corporation KEK CA 2011 | Microsoft Corporation KEK 2K CA 2023 | June 2026 | KEK |
| Microsoft Corporation UEFI CA 2011 | Microsoft UEFI CA 2023 / Option ROM CA 2023 | June 2026 | DB |
| Microsoft Windows Production PCA 2011 | Windows UEFI CA 2023 | October 2026 | DB |
Note: The renewal of the UEFI CA 2011 certificate actually splits into two separate certificates (UEFI CA 2023 and Option ROM CA 2023) to allow for more granular control over system trust [2][15].
The Threat of Bootkit Malware
The primary risk of failing to update is the increased susceptibility to bootkits, such as the BlackLotus UEFI bootkit [1]. Bootkits are particularly dangerous because they run before the operating system even starts, making them difficult or potentially impossible for standard antivirus software to detect [1][12].
Without valid, current certificates, a system may be unable to update its Forbidden Signature Database (DBX), which is the list Microsoft uses to block known malicious or compromised bootloaders [5][15]. This potentially leaves a permanent "open door" for sophisticated cyberattacks that target the earliest stages of the device startup sequence [1][13].
Root Causes / Analysis
The upcoming expiration of Secure Boot certificates is not a technical failure, but a planned security transition. Because Secure Boot operates at the firmware level to ensure only trusted software executes during startup, the underlying "root of trust" must be periodically refreshed to maintain high security standards [6][7].
1. Natural Certificate Lifecycle
Digital certificates are time-limited by design to prevent aging cryptographic credentials from becoming a security weakness [7][12]. The original certificates currently powering the Secure Boot ecosystem were issued in 2011 during the development of Windows 8 [8][18]. After approximately 15 years of continuous service, these certificates are reaching the end of their planned lifecycle and are set to expire between June and October 2026 [4][10][11].
2. Emergence of Advanced Bootkits
Modern cyber threats have evolved significantly since the 2011 standards were established. Sophisticated bootkit malware, such as BlackLotus (CVE-2023-24932), has demonstrated the ability to exploit vulnerabilities in the early boot process that standard antivirus software cannot easily detect [1][16]. Updating to the 2023 Certificate Authority (CA) versions allows Microsoft and hardware partners to implement more robust cryptographic standards and granular trust controls [1][2][5].
3. Coordinated Industry Transition
Refreshing the certificate chain is a massive maintenance effort involving Microsoft and Original Equipment Manufacturers (OEMs) worldwide [4][7]. This transition is a coordinated move between ecosystem partners, including Dell, HP, and Lenovo, to replace the 2011 chain with the new 2023 chain: KEK CA 2023, UEFI CA 2023, and Windows UEFI CA 2023 [4][13]. This shift is intended to ensure that devices remain compatible with future hardware and software updates [3][9].
4. Deprecation of Outdated Standards
The existing 2011 certificates are being phased out because they can no longer support the next generation of security mitigations [6][14]. Industry experts suggest that maintaining these aging standards would leave systems exposed to emerging vulnerabilities as new boot-level threats are discovered [6][9]. By deprecating the 2011 versions, the industry aims to align all supported Windows devices with modern security expectations [7][18].
| Feature | 2011 Certificates (Expiring) | 2023 Certificates (New) |
|---|---|---|
| Introduction | Windows 8 / Server 2012 [18] | Late 2023 / 2024 [1][12] |
| Expiration | June – October 2026 [1][4] | Extended Lifecycle (Estimated 15+ years) |
| Trust Level | Basic third-party signing [1] | Granular control (Option ROM vs. Bootloader) [2][5] |
| Risk Status | Vulnerable to modern bootkits [16] | Supports latest security mitigations [6][12] |
Evidence & Reality Check
Major hardware vendors and official Microsoft documentation confirm that this transition is a standard industry practice [7][12]. Reports from manufacturers like Dell and Lenovo indicate that they have already begun shipping dual certificates on newer platforms to ensure a seamless handover [11][13]. Official Windows IT Pro guidance emphasizes that these updates are necessary to prevent systems from entering a "degraded security state" where they can no longer receive critical boot-level protections [1][3][10].
Official documentation from Microsoft confirms that the original Secure Boot certificates, which have been in service since 2012, are reaching the end of their planned lifecycle [15][18]. These certificates are expected to begin expiring in June 2026, with the full expiration of the Windows Production PCA 2011 occurring by October 2026 [4][16]. To maintain system security, Microsoft has officially announced the rollout of the Windows UEFI CA 2023 certificate through standard Windows Updates [15][16].
Industry collaboration is currently underway to facilitate this transition across millions of unique hardware configurations [4][9]. Reports indicate that Microsoft is delivering these updated certificates as part of regular monthly updates to supported Windows devices [4][17]. This large-scale security maintenance effort is designed to ensure that devices can continue to verify trusted boot software and receive critical security fixes for the Windows Boot Manager [4][16].
Major hardware manufacturers have also released specific guidance and firmware updates to support the new certificate standards:
| Manufacturer | Action Taken | Source |
|---|---|---|
| MSI | Released BIOS updates including Windows UEFI CA 2023; provided manual registry update paths for IT admins. | [28][29] |
| Dell | Published platform-specific lists for BIOS updates and validated internal systems for compatibility. | [26] |
| HP | Confirmed firmware updates are in development for all supported Windows 11 PCs to adopt 2023 certificates. | [15] |
Many devices manufactured in 2024 or later may already contain the updated 2023 certificates in their firmware, requiring no further action from the user [6][15]. However, for older systems, the integration of these keys often requires a combination of operating system updates and OEM-specific firmware (BIOS) updates to ensure the hardware can recognize and store the new cryptographic keys [1][11].
Note: While Microsoft intends to manage the update process for a significant portion of Windows devices automatically, certain specialized systems—such as specific server or IoT configurations—may require manual intervention or customized deployment plans [11][15].
The phased rollout approach is informed by broad testing to minimize potential boot disruptions [4][11]. Current data suggests that while devices without the 2023 certificates will continue to operate normally after the 2026 deadline, they will potentially lose the ability to install new security protections for the early boot process, leaving them vulnerable to emerging threats like bootkit malware [15][16].
Self-Check / Diagnosis
Determining whether a system is prepared for the upcoming Secure Boot certificate expiration involves verifying the current boot state and checking for the presence of the updated 2023 certificates. Following these steps can help identify if a device requires manual intervention or a firmware update [3][15].
Step 1: Verify Secure Boot Status
The first requirement is to ensure Secure Boot is currently active. If Secure Boot is disabled, the system cannot update the active certificate variables [10][13].
- GUI Method: Press `Windows + R`, type `msinfo32`, and press Enter [3][10]. In the System Information window, locate Secure Boot State. It must be set to On [3][10][18].
- PowerShell Method: Open PowerShell as an Administrator and type `Confirm-SecureBootUEFI` [18]. If the command returns `True`, Secure Boot is enabled [18].
Step 2: Check for the 2023 Certificates
Once Secure Boot is confirmed as active, you must check if the Windows UEFI CA 2023 certificate is present in the signature database (db).
- Right-click the PowerShell or Terminal app and select Run as Administrator [3].
- Enter the following command: `([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')` [2][3][6].
- Analyze the Result: `True` means the Windows UEFI CA 2023 certificate is present in the active signature database; `False` means it has not yet been applied to this device.
Step 3: Check Firmware (BIOS) Integration
Even if the command in Step 2 returns True, the certificates might only be stored in the NVRAM and not "baked" into the hardware's firmware [1][3]. To check if the BIOS/UEFI itself includes the new certificates, run this command: `([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')` [2].
If this returns False, it is normal for older PCs, but it indicates that a BIOS update from the manufacturer may be required to permanently integrate the certificates [1][2][3]. Newer systems manufactured since 2024 or 2025 typically return True here [2].
Step 4: Audit Windows Update History
Microsoft has integrated refreshed UEFI CA certificates into cumulative updates to facilitate this transition [6]. Users should check their update history for specific patches released after June 2025, such as KB5062710 [6][8].
The successful installation of this update (or later cumulative versions) is intended to deploy the certificates automatically, provided the system's firmware supports certificate injection and Secure Boot is enabled [6]. If the updates are installed but the PowerShell check in Step 2 still returns False, the system's NVRAM may be full or fragmented, potentially requiring a factory reset of Secure Boot keys within the BIOS settings [1][3].
Warning: Before resetting Secure Boot keys in the BIOS, ensure you have your BitLocker recovery key handy, as this process may trigger a recovery prompt [2][3].
Solutions / What to Do
The process for updating Secure Boot certificates varies depending on whether you are a home user or managing a fleet of enterprise devices. For most modern systems, these updates are expected to occur automatically through standard maintenance cycles [6][10].
Beginner-Friendly Steps
For most users, the simplest path to maintaining system security is ensuring the operating system remains current. Microsoft typically manages the certificate update process for a significant portion of Windows devices automatically [10][12].
- Enable Automatic Updates: Ensure Windows Update is active. Many devices will receive updated certificates as part of the regular monthly update process with no additional action required [6][16].
- Check Optional Updates: Periodically check for "Optional Updates" in the Windows Update menu. Some systems may require specific firmware or "driver" updates to support the new certificate database [15].
- Verify BIOS/UEFI Updates: Check your PC manufacturer’s (OEM) support page for the latest BIOS or UEFI updates. Updated firmware is often the foundation for ensuring new Secure Boot certificates are accepted correctly [16][17].
- Monitor Windows Security: In the coming months, the Windows Security App is expected to provide messages regarding the status of certificate updates to help users track progress [6].
Warning: If you choose to manually reset Secure Boot keys in the BIOS to clear space for new certificates, ensure you have your BitLocker recovery key handy. Failing to do so could potentially lead to a loss of data access [1][3].
Advanced Solutions
If a device does not update automatically or returns a false value when checking for the Windows UEFI CA 2023 certificate, manual intervention may be necessary [3].
1. Manual Verification via PowerShell
To determine if your system is already using the new certificates, run PowerShell as an Administrator and use the following command:
```powershell
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
```
If this returns True, the active database is updated [1][3]. To check if the certificates are "baked into" the firmware (allowing them to persist even after a BIOS reset), replace `db` with `dbdefault` in the command [3].
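The substring check above tells you only whether a name appears somewhere in the variable. The following PowerShell script, added here as an example (it is not from the article, Microsoft, or any OEM), parses the EFI_SIGNATURE_LIST structures that Get-SecureBootUEFI returns for db, dbDefault and KEK, lists every X.509 certificate with its actual expiry date, and then reports which of the 2023 CAs named in this article are present, covering Self-Check Steps 1 to 3 and the manual verification above in one run. It assumes an elevated PowerShell on a UEFI system with Secure Boot on; the function name Get-EfiSignatureListCerts and the $wanted table are my own.

```powershell
#Requires -RunAsAdministrator
# Added example: audit Secure Boot variables by certificate expiry, not by substring.
# EFI_CERT_X509_GUID identifies signature lists whose entries are DER certificates.
$EfiCertX509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-EfiSignatureListCerts {
    # Walks the EFI_SIGNATURE_LIST chain in a raw variable blob and returns one
    # object per X.509 certificate found (SHA256 hash lists, as used in dbx, are skipped).
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [Parameter(Mandatory)][string]$Variable
    )
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # Header layout: SignatureType GUID(16) | SignatureListSize(4) | SignatureHeaderSize(4) | SignatureSize(4)
        $type       = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $Bytes.Length) {
            Write-Warning "$Variable : malformed EFI_SIGNATURE_LIST at offset $offset; stopping"
            break
        }
        if ($type -eq $EfiCertX509Guid) {
            $sig = $offset + 28 + $headerSize
            $end = $offset + $listSize
            # Each EFI_SIGNATURE_DATA is SignatureOwner GUID(16) followed by the DER certificate.
            while ($sigSize -gt 16 -and ($sig + $sigSize) -le $end) {
                $der  = $Bytes[($sig + 16)..($sig + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
                [pscustomobject]@{
                    Variable   = $Variable
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $sig += $sigSize
            }
        }
        $offset += $listSize
    }
}

# Step 1: Get-SecureBootUEFI only works when the firmware is UEFI with Secure Boot on.
try { $sbOn = Confirm-SecureBootUEFI } catch { $sbOn = $false }   # throws on legacy BIOS
if (-not $sbOn) { throw 'Secure Boot is not on; enable it in firmware before auditing the variables.' }

# Steps 2 and 3: read the active db, the firmware default db and the KEK.
$certs = foreach ($name in 'db', 'dbDefault', 'KEK') {
    try   { Get-EfiSignatureListCerts -Bytes (Get-SecureBootUEFI -Name $name).Bytes -Variable $name }
    catch { Write-Warning "Could not read $name : $_" }   # dbDefault is absent on some firmware
}
$certs | Sort-Object Variable, NotAfter | Format-Table Variable, NotAfter, Subject -AutoSize | Out-Host

# Summary: the 2023 CAs this article says should be present, per variable (assumed mapping).
$wanted = @{
    db        = 'Windows UEFI CA 2023', 'Microsoft UEFI CA 2023'
    dbDefault = 'Windows UEFI CA 2023'
    KEK       = 'Microsoft Corporation KEK 2K CA 2023'
}
foreach ($name in 'db', 'dbDefault', 'KEK') {
    $subjects = @($certs | Where-Object Variable -eq $name | ForEach-Object Subject)
    foreach ($cn in $wanted[$name]) {
        $found = $subjects | Where-Object { $_ -like "*CN=$cn*" }
        '{0,-10} {1,-40} {2}' -f $name, $cn, $(if ($found) { 'present' } else { 'MISSING' })
    }
}

# Anything still enrolled that expires within 12 months (the 2011 CAs, where they remain).
$certs | Where-Object { $_.NotAfter -lt (Get-Date).AddMonths(12) } |
    ForEach-Object { "{0}: '{1}' expires {2:yyyy-MM-dd}" -f $_.Variable, $_.Subject, $_.NotAfter }
```

A `MISSING` line for dbDefault on an older PC is expected and points to the OEM firmware update described in Step 3, whereas `MISSING` for db or KEK after the relevant cumulative update is the case the Advanced Solutions section addresses.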
2. Specialized Deployment Tools
IT professionals can use the Windows Configuration System (WinCS) CLI or Microsoft Intune to force the deployment of certificates [17][20].
| Method | Target Audience | Requirement |
|---|---|---|
| Microsoft Intune | Managed Organizations | Custom compliance scripts [9][17] |
| WinCS CLI | Advanced Users/IT | WinCsFlags.exe tool [13][20] |
| Registry Keys | Power Users | MicrosoftUpdateManagedOptIn key [15][16] |
| Group Policy | Domain Admins | Enterprise-wide deployment [11][17] |
3. Clearing NVRAM
On older PCs (shipped around 2019–2020), the NVRAM storage may become full or fragmented, preventing new certificates from being stored [3][4]. In these cases, performing a "factory reset" of Secure Boot keys within the BIOS settings can help ensure there is enough free space for the 2023 certificates [1][3].
Risks and Limitations
Manual certificate manipulation carries inherent risks. While these updates are designed to improve the "root of trust," improper implementation can lead to boot failures [12][15].
- Boot Compatibility: If certificates are updated but the Windows Boot Manager is not correctly aligned, the system may fail to trust the bootloader [10][16].
- Unsupported Hardware: Older systems (pre-2019) may not receive firmware updates from manufacturers, potentially limiting their ability to receive security fixes for the Boot Manager by October 2026 [3][16].
- Diagnostic Data: For enterprise systems, Microsoft's automated management often requires "Required" level diagnostic data to be enabled. If firewalls block this data, the automated update may not trigger [7][16].
Experts suggest that if a system is functioning correctly and shows as "updated" in the registry or PowerShell, users should avoid further manual changes to the Secure Boot variables [17][20].
Risks, Limits, and When to Stop
While updating Secure Boot certificates is essential for long-term security, the process involves modifying sensitive firmware variables. If handled incorrectly, these updates can lead to system instability or a failure to boot [11][12].
Critical Risks of Manual Intervention
Manually tampering with UEFI variables or Secure Boot settings carries significant risks. Toggling Secure Boot off or resetting it to defaults may erase the updated 2023 certificates, potentially replacing them with expired 2011 versions stored in the factory firmware [14][16].
On certain devices, selecting options like Expert Key Mode in the BIOS can wipe active variables entirely [14]. Furthermore, if BitLocker encryption is enabled, any change to the Secure Boot state will likely trigger a request for the recovery key [6][14]. Without this key, data access may be permanently lost [6].
Hardware and Firmware Limitations
Not every system can accept these updates seamlessly. Technical limitations that may hinder the process include:
- Full NVRAM: UEFI-based systems use a small amount of NVRAM to store variables. If this storage is full or fragmented, the new certificates cannot be saved [3].
- Buggy Firmware: Some older or unpatched BIOS/UEFI versions may contain bugs that prevent them from accepting certificate handoffs from Windows [3][17].
- Incompatibility: Systems manufactured before 2012 generally do not support these specific Secure Boot updates, as they may not carry the original 2011 certificates required for the transition [1][18].
| Scenario | Potential Impact | Recommended Action |
|---|---|---|
| NVRAM is full | Update fails to apply | Clear old Secure Boot keys in BIOS (requires BitLocker key) [3][6] |
| Toggling Secure Boot | Erases 2023 certificates | Leave Secure Boot enabled if it is already "On" [14][16] |
| Event ID 1795 | Firmware handoff error | Check for OEM firmware/BIOS updates first [17] |
When to Stop and Seek Professional Help
It is generally recommended to stop manual troubleshooting and seek professional hardware-level intervention in the following cases:
- Recovery Loops: If the system enters a "Preparing Automatic Repair" or BitLocker recovery loop immediately after a BIOS update or certificate change [14][17].
- Unfamiliar Interface: If the BIOS/UEFI interface is unfamiliar, as selecting the wrong "Key Management" setting can render the OS unbootable [14].
- Persistent Registry Errors: If the `AvailableUpdates` registry key fails to clear the `0x0004` bit after multiple restarts, indicating the Key Exchange Key (KEK) update is stuck [10][17].
- Air-Gapped Systems: Since Microsoft cannot manage updates for air-gapped or highly restricted environments, these systems often require specialized manual deployment strategies [13][16].
Warning: Attempting to force a certificate update on a system with "buggy" firmware can result in a "No Boot" scenario that may require a physical BIOS chip reflash or motherboard replacement [3][14].
FAQ
Will my PC stop working in June 2026?
No, your computer is expected to continue booting and functioning normally after the 2011 Secure Boot certificates expire [4][15][26]. However, if the certificates are not refreshed, the device will enter a degraded security state [10][15]. This means it may no longer receive critical security updates for the Windows Boot Manager or other early-boot components, potentially leaving it vulnerable to emerging threats [15][18]. Over time, you may also encounter compatibility issues with newer hardware, firmware, or operating system versions that require the 2023 certificates to load [4][10].
Does this affect Windows 10?
Yes, this transition impacts Windows 10 devices, but the availability of updates depends on your specific version and support status [4][26]. Microsoft has indicated that it will provide the new 2023 certificates for Windows 10 LTSC 2021 and for devices with an active Extended Security Updates (ESU) license [26][27]. Standard versions of Windows 10 that have reached their end-of-support date typically do not receive these updates through Windows Update, which may eventually limit their ability to receive boot-level protections [4].
Can I just turn off Secure Boot?
While technically possible, disabling Secure Boot is generally not recommended as it significantly increases the risk of boot-level malware, such as the BlackLotus UEFI bootkit [16][18]. Furthermore, toggling Secure Boot off or modifying certain BIOS settings can sometimes erase active certificate variables, potentially requiring a BitLocker recovery key to regain access to your data [26][27]. Many modern applications and security-dependent software may also fail to load or function correctly if Secure Boot is disabled [4][10].
How do I know if my certificates have been updated?
Most Windows devices are expected to receive these certificate updates automatically through the standard Windows Update process [15][16]. You can potentially verify your certificate status by running specific PowerShell commands to check for the presence of the Microsoft Corporation KEK 2K CA 2023 or Windows UEFI CA 2023 [26][27]. If these 2023 versions are present in your system's firmware variables, no further action is typically required [26].
Is there a cost for these new certificates?
There is no direct cost for receiving the updated certificates via Windows Update for supported systems [26][27]. The 2023 Certificate Authorities (CAs) are also provided for free by Microsoft for manual management [26]. However, if your device is out of its official service period and requires a manual BIOS update to support the new certificate chain, some users may incur costs related to professional service engagements or support agreements [26][27].
Summary / Key Takeaways
The transition from the 2011 Secure Boot certificates to the new 2023 versions is a critical security update for the global Windows ecosystem [11][13]. Most modern systems rely on these digital signatures to verify the integrity of the boot process before the operating system loads [11][16].
- Firm Deadlines: The original Microsoft certificates begin expiring in June 2026, with the final components set to expire in October 2026 [13][15][18].
- Security Impact: While affected PCs will likely continue to boot, they will enter a degraded security state [3][4]. These systems will lose the ability to receive critical security fixes for the Windows Boot Manager, leaving them potentially vulnerable to bootkit malware like BlackLotus [1][16][26].
- Automatic Updates: Most users who allow Microsoft to manage their updates will receive the new certificates automatically through standard cumulative update cycles [2][14][15].
- Action Required: It is recommended to verify that Secure Boot is enabled via `msinfo32` and to install any available OEM firmware updates, as these often provide the necessary foundation for certificate updates [7][16][27].
| Certificate | Expiration Date | New Version |
|---|---|---|
| Microsoft Corporation KEK CA 2011 | June 2026 | Microsoft Corporation KEK 2K CA 2023 [16][18] |
| Microsoft UEFI CA 2011 | June 2026 | Microsoft UEFI CA 2023 [15][18] |
| Microsoft Windows Production PCA 2011 | October 2026 | Windows UEFI CA 2023 [1][15] |
If you’re unsure, it’s usually cheaper to ask someone once than to fix a mistake later.
Sources
[1] Safer Internet Day 2026: Helping students be AI aware | Microsoft Education Blog
[2] Building a safer digital future, together
[3] Windows' original Secure Boot certificates expire in June—here's wh...
[4] Refreshing the root of trust: industry collaboration on Secure Boot certifica...
[5] builders.intel.com
[6] Introduction to Key Usage in Integrated Firmware Images
[7] cdrdv2-public.intel.com
[8] cdrdv2-public.intel.com
[9] Firmware Interface Table Introduction - 1.6 - ID:599500 | Firmware Interface ...
[10] INTEL-SA-00127
[11] Intel® CSE Secure Boot (Type 0x10) Rules - 1.2 - ID:599500 | Firmware In...
[12] Configuring Secure Boot — Intel® software for general purpose GPU capab...
[13] community.intel.com
[14] System Setup Guide — Intel® software for general purpose GPU capabiliti...
[15] Windows Secure Boot certificate expiration and CA updates - Microsoft Support
[16] Act now: Secure Boot certificates expire in June 2026 - Windows IT Pro Blog
[17] Secure Boot playbook for certificates expiring in 2026
[18] Secure Boot Certificate updates: Guidance for IT professionals and organizati...
[19] How to verify the Windows Secure boot certificates have been updated. - Micro...
[20] Secure Boot certificates have been updated but are not yet applied - Microsof...
[21] Enable Secure Boot to protect systems from UEFI rootkit ‘CosmicStrand’ | Secu...
[22] ASPEED AST2400 & AST2500 Security Vunerabilities (CVE-2019-6260) | Security &...
[23] Offizieller Support | ASUS Deutschland
[24] Offizieller Support | ASUS Deutschland
[25] zentalk.asus.com
[26] Secure Boot Transition FAQ | Dell US
[27] Secure Boot Transition FAQ | Dell UK
[28] MSI France
[29] MSI Latinoamérica
[30] How to Enable Secure Boot and TPM 2.0 on MSI AM4 Motherboards
[31] storage-asset.msi.com
[32] MSI USA
[33] Enforcement of laws against polluters nearly non-existent in US, analysis finds
[34] Windows 11 KB5077181 & KB5075941 cumulative updates released
[35] Microsoft releases Windows 10 KB5075912 extended security update
[36] Microsoft's February Patch fixes 6 zero-days - but some Windows users sh...
[37] Microsoft rolls out new Secure Boot certificates before June expiration
[38] Your PC's critical security certificates may be about to expire - how to...
[39] February's Windows 11 update is causing startup problems for users
[40] Microsoft warns Secure Boot certificates will expire soon — what to expect
[41] Windows Secure Boot Certificates From 2011 Will Be Expiring Soon. What You Ne...
[42] Microsoft is keeping Secure Boot alive with Windows updates
[43] Microsoft is refreshing Secure Boot certificates to plug security holes befor...
[44] Endlos-Neustarts: Neues Windows 11 Update legt Rechner lahm
[45] Critical Microsoft bug from 2024 under exploitation
[46] You
[47] Microsoft is giving Windows 11’s security settings a big makeover
[48] Windows 11 brings back classic taskbar features and users have thoughts
[49] Windows 11 Notepad flaw let files execute silently via Markdown links
[50] CISA flags critical Microsoft SCCM flaw as exploited in attacks
[51] California's CCPA New Cybersecurity Audit Rules: Applicability Threshold...
[52] Nancy Guthrie Abduction: Potential Subject Pic to Be Released by Law Enforcement
[53] KB5007651 Keeps Reinstalling on Windows 11 — What It Is and How to Fix It
[54] DHS has no immediate plans for sweeping city-specific immigration enforcement...
[55] FAA steps up enforcement against reckless drone pilots
[56] Microsoft Refreshes Secure Boot Certificates via Windows Update
[57] Microsoft Patches Six Zero-Days, Two Critical Flaws
[58] Windows 11 February 2026 Patch: KB5077181 and KB5075941 fix zero-days, shutdo...
[59] Windows 10 users warned to upgrade now or risk a ‘degraded security sta...
[60] Verify Windows UEFI CA 2023 Certificate with PowerShell
[61] How to check if Windows 11 has applied the new Secure Boot 2023 certificates ...
[62] Verify Windows 11’s New 2023 Secure Boot Certificates Installation
[63] Windows Secure Boot 2026: Microsoft issues final warning over expiring certif...
[64] Microsoft begins Secure Boot certificate update for Windows devices - Help Ne...
[65] Microsoft Secure Boot Updates: New Certificates Coming Soon - Weidemann.tech
[66] Windows 11 24H2/25H2: Update KB5077181 verursacht Boot-Schleife
[67] PC Secure Boot Certificates Near Expiration: Check Now
[68] Microsoft sets 2026 deadline for Secure Boot certificate expiration
[69] Windows 11 adds a new secure mode that blocks sketchy apps and drivers
[70] Windows 11 26H1 Latest Build – Technical Deep Dive into OS Build 28000.1575
[71] Microsoft wants Windows 11 “secure by default," could allow only properl...
[72] Alarm: Ihr Windows-PC bekommt ab Sommer echte Probleme – der Grund
[73] Windows 11 Update KB5077181 verursacht Startprobleme: Das können Sie tun
[74] Selbst prüfen: Hat Windows 11 die neuen Secure-Boot-Zertifikate bereits angew...
[75] Windows-11-Februar-Update kann für Bootschleife sorgen
[76] Windows Secure Boot Certificates Issued in 2011 Begin Expiring in June 2026
[77] Microsoft Security Update Summary (10. Februar 2026)
[78] Patchday: Windows 10/11 Updates (10. Februar 2026)
[79] Exchange Server Sicherheitsupdates Februar 2026
[80] KB5077181 Windows 11 25H2 / 24H2 [Manueller Download] Sicherheitsupdate Febru...
[81] Was passiert, wenn im Juni 2026 Windows Secure Boot-Zertifikate auslaufen?
[82] Windows 11 Update KB5077181 - DAP IT-Solutions GmbH
[83] KB5075941 - Details, Issues, & Feedback - NinjaOne
[84] Microsoft veröffentlicht Februar-Sicherheitsupdates mit sechs aktiv ausgenutz...
[85] Windows 11 Februar-Update 2026: KB5077181 liefert Sicherheitsupdates, WLAN-Re...
[86] Windows 11 February Update Triggers Startup Issues for Users
[87] KB5077800 - Details, Issues, & Feedback - NinjaOne
[88] Windows 11 Update KB5077181 Security and AI Features for 24H2 and 25H2 Versio...
[89] Many Reddit users hit with "network security" block error on posts
[90] Microsoft Patches Six Actively Exploited Windows 11 Zero-Day Vulnerabilities
[91] Microsoft to Roll Out New Secure Boot Certificates to Keep Old Windows PCs Se...
[92] Microsoft to Refresh Secure Boot Certificates for Windows 11 and 10 in March
[93] Windows 10 : attention, votre PC pourrait devenir vulnérable si vous ratez ce...
[94] windows event logs cheat sheet
[95] How to Check If Your PC Has the New 2023 Secure Boot Certificates (Before Jun...
[96] How To Access BIOS MSI Motherboard? - AEANET
[97] OpenCore-and-UEFI-Secure-Boot/guide/Windows UEFI CA 2023.md at main · perez98...
[98] Fortnite To Require Additional PC Security Features
[99] KB5007651 Keeps Reinstalling on Windows 11 — What It Is and How to Fix It - S...
[100] Secure Boot Certificate Changes in 2026: Guidance for RHEL Environments - Red...
[101] Enable Secure Boot: Fix Secure Boot certificates expiration - TechDirectArchive
[102] This free Windows 11 debloating script makes every PC better
[103] Windows 11 has a hidden "Cross-Device Resume" feature most people d...
[104] Secure Boot certificate changes in 2026: Guidance for RHEL environments | Red...
[105] This app is Microsoft's apology to power users
[106] From Trust to Trouble: The Supply Chain Implications of a Broken DBX
[107] Was passiert, wenn die Secure Boot-Zertifikate unter Windows 11 und Windows 1...
[108] Windows Patch Tuesday: Notepad RCE Fix, Secure Boot Update & Taskbar Prot...
[109] SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass - Ubuntu Wiki
[110] MOK Manager: what it is, what it
[111] media.defense.gov
[112] Chapter 22. Updating the Secure Boot Revocation List | Managing, monitoring, ...
[113] Secure Boot: Enhancing Linux Security from Firmware to Kernel
[114] Unified Extensible Firmware Interface/Secure Boot - ArchWiki
[115] The Perils of Updating UEFI Secure Boot Revocation List
[116] Thoughts dereferenced from the scratchpad noise. | Automating Firmware Secur...
[117] GRUB2 Secure Boot Bypass 2021 | Ubuntu
[118] How to boot Linux using UEFI with Secure Boot ? — Get Intimate With Cyb...
[119] MSI Global English Forum
[120] MSI Global English Forum
[121] MSI Endanwender-Forum DE
[122] Updating Windows Boot Manager and WinPE with the Windows UEFI CA 2023 Certifi...
[123] media.defense.gov
[124] XFN 1.1 profile
[125] fonts.googleapis.com
[126] BleepingComputer (@[email protected]) - Infosec Exchange
[127] Windows Central
[128] Windows Central (@WindowsCentral) on Flipboard
[129] Windows Central (@windowscentral.com)