Act now: Secure Boot certificates expire in June 2026


UPDATE:
www.elevenforum.com

Updating Microsoft Secure Boot keys before expiration in June 2026

https://techcommunity.microsoft.com/event/windowsevents/ask-microsoft-anything-secure-boot---may-2026/4513524 UPDATE 4/02: https://support.microsoft.com/en-us/topic/secure-boot-certificate-update-status-in-the-windows-security-app-5ce39986-7dd2-4852-8c21-ef30dd04f046 UPDATE 2/10...
www.elevenforum.com www.elevenforum.com


 Windows IT Pro Blog:

Prepare for the first global large-scale certificate update to Secure Boot.

The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expiring beginning June 2026. The way to automatically get timely updates to new certificates for supported Windows systems is to let Microsoft manage your Windows updates, which include Secure Boot. A close collaboration with original equipment manufacturers (OEMs) who provide Secure Boot firmware updates is also essential.

If you haven't yet, begin evaluating options and start preparing for the rollout of updated certificates across your organization in the coming months. Learn about this effort, its impact, and what you as an IT admin should do to help ensure that your Windows devices can receive updates after June 2026 without compromising system security.

Important: While platforms beyond Windows are affected, this article focuses on the solution for Windows systems. Be sure to monitor the Secure Boot certificate rollout landing page for status and guidance updates.
Click to expand...

Recap: Why Secure Boot requires updating​

Secure Boot helps to prevent malware from running early in the startup sequence of a Windows device. Coupled with the Unified Extensible Firmware Interface (UEFI) firmware signing process, Secure Boot uses cryptographic keys, known as certificate authorities (CAs), to validate that firmware modules come from a trusted source.

After 15 years, the Secure Boot certificates that are part of Windows systems will start expiring in June 2026. Windows devices will need new certificates to maintain continuity and protection.
  • Affected: Physical and virtual machines (VMs) on supported versions of Windows 10, Windows 11, Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2—the systems released since 2012, including the long-term servicing channel (LTSC)
  • Not affected: Copilot+ PCs released in 2025
Note: Affected third-party OS includes MacOS. However, it's outside the scope of Microsoft support. For Linux systems dual booting with Windows, Windows will update the certificates that Linux relies on.
Click to expand...

Secure Boot uses certificate-based trust hierarchy to ensure that only authorized software runs during system startup. At the top of this hierarchy is the Platform Key (PK), typically managed by the OEM or a delegate, which acts as the root of trust. The PK authorizes updates to the Key Enrollment Key (KEK) database, which in turn authorizes updates to two critical signature databases: the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX). This layered structure ensures that only validated updates can modify the system's boot policy, maintaining a secure boot environment. See how it works in Updating Secure Boot keys.

The change: Expiring certificates​

Windows systems released since 2012 might have expiring versions of the certificates listed below. The UEFI Secure Boot DB and KEK need to be updated with the corresponding new certificate versions.

See what new certificates will be available in the coming months to maintain UEFI Secure Boot continuity.

Expiration dateExpiring certificateUpdated certificateWhat it doesStoring location
June 2026Microsoft Corporation KEK CA 2011Microsoft Corporation KEK 2K CA 2023Signs updates to DB and DBXKEK
June 2026Microsoft Corporation UEFI CA 2011 (or third-party UEFI CA)*a) Microsoft Corporation UEFI CA 2023
b) Microsoft Option ROM UEFI CA 2023		a) Signs third-party OS and hardware driver components
b) Signs third-party option ROMs		DB
Oct 2026Microsoft Windows Production PCA 2011Windows UEFI CA 2023Signs the Windows bootloader and boot componentsDB
*You need two new certificates for Microsoft Corporation UEFI CA 2011, which together allow for more granular control.

Microsoft and partner OEMs will be rolling out certificates to add trust for the new DB and KEK certificates in the coming months.

The impact and implications​

The CAs ensure the integrity of the device startup sequence. When these CAs expire, the systems will stop receiving security fixes for the Windows Boot Manager and the Secure Boot components. Compromised security at startup threatens the overall security of affected Windows devices, especially due to bootkit malware. Bootkit malware can be difficult or impossible to detect with standard antivirus software. For example, even today, the unsecured boot path can be used as a cyberattack vector by the BlackLotus UEFI bootkit (CVE-2023-24932).

Every Windows system with Secure Boot enabled includes the same three certificates in support of third-party hardware and Windows ecosystem. Unless prepared, physical devices and VMs will:
  • Lose the ability to install Secure Boot security updates after June 2026.
  • Not trust third-party software signed with new certificates after June 2026.
  • Not receive security fixes for Windows Boot Manager by October 2026.
To prevent this, you'll need to update your organization's entire Windows ecosystem with certificates dated 2023 or newer. This will also help you apply mitigations needed to help secure your systems against the BlackLotus and similar boot-level cyberattacks today.

Take action today​

To begin, bookmark the Secure Boot certificate rollout landing page and take our readiness survey!

Important: Check with your OEMs on the latest available OEM firmware. Apply any available firmware updates to your Windows systems before applying the new certificates. In the Secure Boot flow, firmware updates from OEMs are the foundation for Windows Secure Boot updates to apply correctly.
Click to expand...

Microsoft support is only available for supported client versions of Windows 11 and Windows 10. Once Windows 10 reaches end of support in October 2025, consider getting Extended Security Updates (ESU) for Windows 10, version 22H2 if you're not ready to upgrade.

In the coming months, we expect to update the Secure Boot certificates as part of our latest cumulative update cycle.

The solution that requires the least effort is letting Microsoft manage your Windows device updates, including Secure Boot updates. However, you might need to adopt multiple solutions. Your specific next step depends on the Windows systems and how you manage them.

Enterprise IT-managed systems that send diagnostic data​

No action is required if Windows systems at your organization receive Windows updates from Microsoft and send diagnostic data back to Microsoft. This includes devices that receive updates through Windows Autopatch, Microsoft Configuration Manager, or third-party solutions.

Note: Check that your firewall doesn't block diagnostic data. If it does, please take action to help diagnostic data reach Microsoft.
Click to expand...

Windows diagnostic data and OEM feedback will help us group devices with similar hardware and firmware profiles to gradually release Secure Boot updates to you. This allows us to intelligently monitor the rollout process, proactively pausing, addressing any issues, and continuing as needed. Just keep your devices updated with the latest Windows updates!

Enterprise IT-managed systems that don't send diagnostic data​

Enable Windows diagnostic data and let Microsoft manage your updates by taking the following steps:
  1. Configure your organizational policies to allow at least the “required” level of diagnostic data. You can use Group Policy or mobile device management (MDM) to do this. See how to do this in Group Policy Management Editor for Windows 11 and Windows 10.
  2. Allow Microsoft to manage Secure Boot-related updates for your devices by setting the following registry key:
  • o Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot
  • o Key name: MicrosoftUpdateManagedOptIn
  • o Type: DWORD
  • o DWORD value: 0x5944 (opt in to Windows Secure Boot updates)
We recommend setting this key to 0x5944. It indicates that all certificates should be updated in a manner that preserves the security profile of the existing device. It also updates the boot manager to the one signed by the Windows UEFI CA 2023 certificate. Note: If the DWORD value is 0 or the key doesn't exist, Windows diagnostic data is disabled.

If you prefer not to enable diagnostic data, please take this anonymous readiness survey. Help us assess the needs of environments like yours to create future guidance on managing the update process independently. You'll remain fully in control and responsible to execute and monitor these updates.

Air-gapped devices, such as in government scenarios or manufacturing, are a special case. Because Microsoft cannot manage these updates, we can only offer the following limited support:
  • Recommend known steps or methods for deploying these updates
  • Share data gathered from our rollout stream
When available, look for these resources on the Secure Boot certificate rollout landing page.

Systems with Secure Boot disabled​

Windows cannot update the active variables of the Secure Boot certificates if Secure Boot is disabled.

Important: Toggling Secure Boot on or off might erase the updated certificates. If Secure Boot is on, leave it enabled. Turning it off can reset the settings with defaults, which is not desirable.
Click to expand...

Share these recommendations with individual users:
  1. Press Windows key + R, type msinfo32, and then press Enter.
  2. In the System Information window, look for Secure Boot State.
  3. If it says On, you're good to go!
If Secure Boot is off or unsupported, the device may not receive the new CAs. For these devices, you may choose to enable Secure Boot with this guidance: Windows 11 and Secure Boot.

www.elevenforum.com

Check if Secure Boot is Enabled, Disabled, or Unsupported in Windows 11

This tutorial will show you how to check if Secure Boot is currently enabled, disabled, or unsupported on your Windows 10 or Windows 11 PC. Windows 11 minimum system requirements include your system to be UEFI (Unified Extensible Firmware Interface) and Secure Boot capable. While the...
www.elevenforum.com www.elevenforum.com
www.elevenforum.com

Enable or Disable Secure Boot in Windows 11

This tutorial will show you how to enable or disable Secure Boot on your Windows 10 and Windows 11 PC. Windows 11 minimum system requirements include your system to be UEFI (Unified Extensible Firmware Interface) and Secure Boot capable. While the requirement to upgrade a Windows 10 device to...
www.elevenforum.com www.elevenforum.com

Change management considerations​

Don't wait until June 2026! Updating DB and KEK with new 2023 certificates will help prevent your systems from boot-level security vulnerabilities today.

Get the latest OEM firmware updates and let Microsoft manage your Windows updates to receive Secure Boot updates automatically. Otherwise, help us understand your special case by completing this anonymous readiness survey.

Watch the release notes for Windows 11, version 24H2, version 23H2, and Windows 10 in the coming months to know when these updates are available to you. Stay tuned for additional guidance for the LTSC as needed.

Bookmark these additional resources:


 Source:

techcommunity.microsoft.com

Act now: Secure Boot certificates expire in June 2026 - Windows IT Pro Blog

Get tips to prepare for the rollout of updated certificates across your organization.
techcommunity.microsoft.com techcommunity.microsoft.com

See also:
www.elevenforum.com

Updating Microsoft Secure Boot keys before expiration in June 2026

https://techcommunity.microsoft.com/event/windowsevents/ask-microsoft-anything-secure-boot---may-2026/4513524 UPDATE 4/02: https://support.microsoft.com/en-us/topic/secure-boot-certificate-update-status-in-the-windows-security-app-5ce39986-7dd2-4852-8c21-ef30dd04f046 UPDATE 2/10...
www.elevenforum.com www.elevenforum.com
 
Last edited:
Click to expand...
uncyler825 said:
I have personally tested that if you forbidden the non-expired certificate, it will not boot after a clean install of Windows. I need to clear the DBX to resolve the problem. Because some users who don't understand may encounter some troubles following Microsoft's steps.
Click to expand...
Sorry, don't understand.
Why would I 'forbidden' the non-expired certificate if I leave everything to Microsoft and do nothing else?
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2 26200.8457
    Computer type
    PC/Desktop
    Manufacturer/Model
    Build by vendor to my specs
    CPU
    AMD Ryzen 7 5700G
    Motherboard
    MSI PRO B550M-P Gen3
    Memory
    Kingston FURY Beast 2x16GB DIMM DDR4 2666 CL16
    Graphics Card(s)
    MSI GeForce GT 730 2GB LP V1
    Sound Card
    Creative Sound Blaster Audigy FX
    Monitor(s) Displays
    Samsung S24E450F 24"
    Screen Resolution
    1920 x 1080
    Hard Drives
    1. SSD Crucial P5 Plus 500GB PCIe M.2
    2. SSD-SATA Crucial MX500-2TB
    PSU
    Corsair CV650W
    Case
    Cooler Master Silencio S400
    Cooling
    Cooler Master Hyper H412R with Be Quiet Pure Wings 2 PWM BL038 fan
    Keyboard
    Cherry Stream (wired, scissor keys)
    Mouse
    Asus WT465 (wireless)
    Internet Speed
    70 Mbps down / 80 Mbps up
    Browser
    Firefox 130.0
    Antivirus
    F-Secure (Internetprovider version)
    Other Info
    Router: FRITZBox 7490
    Oracle VirtualBox 7 for testing software on Win 10 or 11
Ghot said:
Either you don't have the new Certs yet, or the downloadable WIM isn't updated yet.
Click to expand...

www.elevenforum.com

Act now: Secure Boot certificates expire in June 2026

Windows IT Pro Blog: Prepare for the first global large-scale certificate update to Secure Boot. The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expiring beginning June 2026. The way to automatically get timely updates to new...
www.elevenforum.com www.elevenforum.com
 

My Computer

System One

  • OS
    Windows 11 Pro
Kees said:
Sorry, don't understand.
Why would I 'forbidden' the non-expired certificate if I leave everything to Microsoft and do nothing else?
Click to expand...

We do not need to ban unexpired certificates. at least for now.
These steps come from Microsoft, although there are warnings to users in the article. But I think there are still users who don't read it carefully.
 

My Computer

System One

  • OS
    Windows 11, version 25H2 (26200)
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 9 9950X 16-Core Processor
    Motherboard
    ASRock B650M PG Riptide
    Memory
    DDR5-6000 (CL36) 64.0 GB
    Graphics Card(s)
    NVIDIA GeForce RTX 4090
    PSU
    1200W
    Case
    Phanteks Enthoo Pro 2
    Cooling
    Noctua NH-D12L
uncyler825 said:
If you have already done this and are having trouble, you will need to clear DBX in the BIOS to resolve the problem.
Click to expand...
All that would do is allow Microsoft UEFI CA 2011 again.
I followed all the steps and my PC has no issues booting. I have a copy of the bootx64.efi file that has the updated cert and have updated all my removal devices with this file.
I also tested a clean install and had no issues.
 

My Computer

System One

  • OS
    Windows 11 Pro
KevTech said:
All that would do is allow Microsoft UEFI CA 2011 again.
Click to expand...



Then that means that MS still has the older WIM for download.
Just be patient. ^^
 

My Computers

System One System Two

  • OS
    Win 11 Home ♦♦♦26200.8457 ♦♦♦♦♦♦♦25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® [May 2020]
    CPU
    AMD Ryzen 7 3700X
    Motherboard
    Asus Pro WS X570-ACE (BIOS 5302)
    Memory
    G.Skill (F4-3200C14D-16GTZKW)
    Graphics Card(s)
    EVGA RTX 2070 (08G-P4-2171-KR)
    Sound Card
    Realtek ALC1220P / ALC S1220A
    Monitor(s) Displays
    Dell U3011 30"
    Screen Resolution
    2560 x 1600
    Hard Drives
    2x Samsung 860 EVO 500GB,
    WD 4TB Black FZBX - SATA III,
    WD 8TB Black FZBX - SATA III,
    DRW-24B1ST CD/DVD Burner
    PSU
    PC Power & Cooling 750W Quad EPS12V
    Case
    Cooler Master ATCS 840 Tower
    Cooling
    CM Hyper 212 EVO (push/pull)
    Keyboard
    Ducky DK9008 Shine II Blue LED
    Mouse
    Logitech Optical M-100
    Internet Speed
    300/300
    Browser
    Firefox (latest)
    Antivirus
    Bitdefender Total Security
    Other Info
    Speakers: Klipsch Pro Media 2.1
  • Operating System
    Windows XP Pro 32bit w/SP3
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® (not in use)
    CPU
    AMD Athlon 64 X2 5000+ (OC'd @ 3.2Ghz)
    Motherboard
    ASUS M2N32-SLI Deluxe Wireless Edition
    Memory
    TWIN2X2048-6400C4DHX (2 x 1GB, DDR2 800)
    Graphics card(s)
    EVGA 256-P2-N758-TR GeForce 8600GT SSC
    Sound Card
    Onboard
    Monitor(s) Displays
    ViewSonic G90FB Black 19" Professional (CRT)
    Screen Resolution
    up to 2048 x 1536
    Hard Drives
    WD 36GB 10,000rpm Raptor SATA
    Seagate 80GB 7200rpm SATA
    Lite-On LTR-52246S CD/RW
    Lite-On LH-18A1P CD/DVD Burner
    PSU
    PC Power & Cooling Silencer 750 Quad EPS12V
    Case
    Generic Beige case, 80mm fans
    Cooling
    ZALMAN 9500A 92mm CPU Cooler
    Keyboard
    Logitech Classic Keybooard 200
    Mouse
    Logitech Optical M-BT96a
    Internet Speed
    300/300
    Browser
    Firefox 3.x ??
    Antivirus
    Symantec (Norton)
    Other Info
    Still assembled, still runs. Haven't turned it on for 15 years?
Ghot said:
Just be patient. ^^
Click to expand...

For what?
I now have everything running with the 2011 revoked.
Was not hard you just have to know what you are doing.
I also have Macrium and all my other bootable removal drives updated with the Windows UEFI CA 2023 and the Microsoft UEFI CA 2011 revoked.

As you can see here my macrium flash drive is now using Windows UEFI CA 2023

www.elevenforum.com

Act now: Secure Boot certificates expire in June 2026

Windows IT Pro Blog: Prepare for the first global large-scale certificate update to Secure Boot. The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expiring beginning June 2026. The way to automatically get timely updates to new...
www.elevenforum.com www.elevenforum.com
 

My Computer

System One

  • OS
    Windows 11 Pro
KevTech said:
All that would do is allow Microsoft UEFI CA 2011 again.
I followed all the steps and my PC has no issues booting. I have a copy of the bootx64.efi file that has the updated cert and have updated all my removal devices with this file.
I also tested a clean install and had no issues.
Click to expand...

These steps are not necessary for the user. Microsoft will automatically complete these steps instead of requiring the user to do it manually. You do not need to forbidden the certificate before it expires. Microsoft has warned users that this may cause problems.

The certificate has not expired yet. Please do not confuse users that we must do that.
 

My Computer

System One

  • OS
    Windows 11, version 25H2 (26200)
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 9 9950X 16-Core Processor
    Motherboard
    ASRock B650M PG Riptide
    Memory
    DDR5-6000 (CL36) 64.0 GB
    Graphics Card(s)
    NVIDIA GeForce RTX 4090
    PSU
    1200W
    Case
    Phanteks Enthoo Pro 2
    Cooling
    Noctua NH-D12L
I have two PCs.

This system is Windows 11 25H2 26200.4770, and the PCA2023 certificate was automatically added through Windows Update. I did not take any additional steps. And Microsoft did not forbidden the old "Windows Production PCA 2011" certificate.

bzLZ1IG.png
 

My Computer

System One

  • OS
    Windows 11, version 25H2 (26200)
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 9 9950X 16-Core Processor
    Motherboard
    ASRock B650M PG Riptide
    Memory
    DDR5-6000 (CL36) 64.0 GB
    Graphics Card(s)
    NVIDIA GeForce RTX 4090
    PSU
    1200W
    Case
    Phanteks Enthoo Pro 2
    Cooling
    Noctua NH-D12L
KevTech said:
Was not hard
Click to expand...


Not everyone does their revocations early. Some wait till MS forces it on them with an update.
That's who I posted the Macrium link directions for. ^^
 

My Computers

System One System Two

  • OS
    Win 11 Home ♦♦♦26200.8457 ♦♦♦♦♦♦♦25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® [May 2020]
    CPU
    AMD Ryzen 7 3700X
    Motherboard
    Asus Pro WS X570-ACE (BIOS 5302)
    Memory
    G.Skill (F4-3200C14D-16GTZKW)
    Graphics Card(s)
    EVGA RTX 2070 (08G-P4-2171-KR)
    Sound Card
    Realtek ALC1220P / ALC S1220A
    Monitor(s) Displays
    Dell U3011 30"
    Screen Resolution
    2560 x 1600
    Hard Drives
    2x Samsung 860 EVO 500GB,
    WD 4TB Black FZBX - SATA III,
    WD 8TB Black FZBX - SATA III,
    DRW-24B1ST CD/DVD Burner
    PSU
    PC Power & Cooling 750W Quad EPS12V
    Case
    Cooler Master ATCS 840 Tower
    Cooling
    CM Hyper 212 EVO (push/pull)
    Keyboard
    Ducky DK9008 Shine II Blue LED
    Mouse
    Logitech Optical M-100
    Internet Speed
    300/300
    Browser
    Firefox (latest)
    Antivirus
    Bitdefender Total Security
    Other Info
    Speakers: Klipsch Pro Media 2.1
  • Operating System
    Windows XP Pro 32bit w/SP3
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® (not in use)
    CPU
    AMD Athlon 64 X2 5000+ (OC'd @ 3.2Ghz)
    Motherboard
    ASUS M2N32-SLI Deluxe Wireless Edition
    Memory
    TWIN2X2048-6400C4DHX (2 x 1GB, DDR2 800)
    Graphics card(s)
    EVGA 256-P2-N758-TR GeForce 8600GT SSC
    Sound Card
    Onboard
    Monitor(s) Displays
    ViewSonic G90FB Black 19" Professional (CRT)
    Screen Resolution
    up to 2048 x 1536
    Hard Drives
    WD 36GB 10,000rpm Raptor SATA
    Seagate 80GB 7200rpm SATA
    Lite-On LTR-52246S CD/RW
    Lite-On LH-18A1P CD/DVD Burner
    PSU
    PC Power & Cooling Silencer 750 Quad EPS12V
    Case
    Generic Beige case, 80mm fans
    Cooling
    ZALMAN 9500A 92mm CPU Cooler
    Keyboard
    Logitech Classic Keybooard 200
    Mouse
    Logitech Optical M-BT96a
    Internet Speed
    300/300
    Browser
    Firefox 3.x ??
    Antivirus
    Symantec (Norton)
    Other Info
    Still assembled, still runs. Haven't turned it on for 15 years?
uncyler825 said:
"In the future" not now. The old certificate is still valid and has not expired. You should not forbidden or revoke a certificate before it expires.
Click to expand...
You're missing the point. The original goal for banning CA 2011 to close the Black Lotus UEFI security hole. Which is very real, otherwise MS would not go this entire process. You may not care or believe it, but the threat is real that governments care about it.
 

My Computer

System One

  • OS
    Windows 7
uncyler825 said:
I have two PCs.

This system is Windows 11 25H2 26200.4770, and the PCA2023 certificate was automatically added through Windows Update. I did not take any additional steps. And Microsoft did not forbidden the old "Windows Production PCA 2011" certificate.
Click to expand...
If you have not paid attention to this thread, this is the "opt in" phase of the Secure Boot updates. Windows will not ban CA 2011 for you at this time. That will come on a later date, in a future Monthly Update. You can ban CA 2011 following the instructions MS has provided in KB articles.
 

My Computer

System One

  • OS
    Windows 7
Kees said:
But then I still would like to know if I still can start my external program flash drives (when needed) after (temporarely) disabling Secure Boot.
That's what my question in #132 was about!
Click to expand...
If you have any boot media (HDD, SSD, USB) that has an ineligible signing cert, then it won't boot if Secure Boot is enabled.
Temporarily disabling Secure Boot will allow it to boot again, until you decide to enable Secure Boot.

"Ineligible" translates to one of several conditions:
  • Boot media has CA 2023-signed boot files, but you didn't add CA 2023 to your UEFI's DB (allow) list
  • Boot media has CA 2011-signed boot files, but you added CA 2011 to the DBX (banned) list
 

My Computer

System One

  • OS
    Windows 7
garlin said:
You're missing the point. The original goal for banning CA 2011 to close the Black Lotus UEFI security hole. Which is very real, otherwise MS would not go this entire process. You may not care or believe it, but the threat is real that governments care about it.
Click to expand...

For regular users. Do you think we have to do this? Rather than letting Microsoft do it automatically?

Microsoft will gradually complete these steps. Rather than making it confusing for every regular user to do so.

Can you give an example of what serious harm would happen to regular users if we don't immediately forbidden old CA 2011 certificates?
 

My Computer

System One

  • OS
    Windows 11, version 25H2 (26200)
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 9 9950X 16-Core Processor
    Motherboard
    ASRock B650M PG Riptide
    Memory
    DDR5-6000 (CL36) 64.0 GB
    Graphics Card(s)
    NVIDIA GeForce RTX 4090
    PSU
    1200W
    Case
    Phanteks Enthoo Pro 2
    Cooling
    Noctua NH-D12L
garlin said:
If you have any boot media (HDD, SSD, USB) that has an ineligible signing cert, then it won't boot if Secure Boot is enabled.
Temporarily disabling Secure Boot will allow it to boot again, until you decide to enable Secure Boot.

"Ineligible" translates to one of several conditions:
  • Boot media has CA 2023-signed boot files, but you didn't add CA 2023 to your UEFI's DB (allow) list
  • Boot media has CA 2011-signed boot files, but you added CA 2011 to the DBX (banned) list
Click to expand...
Thanks, that is what I wanted to know.
Because in that case I can leave it all to MS to decide when the UEFI certificates will be updated and when old certificates will be disabled.
And for my other boot media nothing changes, as I already have to (temporarely) disable secure boot to use them.
I don't use any Insider versions of Windows (I am on 26100.4652 now), so I think my system certificates will be updated by MS later in the year.

And for my wife's PC on Windows 10 nothing changes as well.
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2 26200.8457
    Computer type
    PC/Desktop
    Manufacturer/Model
    Build by vendor to my specs
    CPU
    AMD Ryzen 7 5700G
    Motherboard
    MSI PRO B550M-P Gen3
    Memory
    Kingston FURY Beast 2x16GB DIMM DDR4 2666 CL16
    Graphics Card(s)
    MSI GeForce GT 730 2GB LP V1
    Sound Card
    Creative Sound Blaster Audigy FX
    Monitor(s) Displays
    Samsung S24E450F 24"
    Screen Resolution
    1920 x 1080
    Hard Drives
    1. SSD Crucial P5 Plus 500GB PCIe M.2
    2. SSD-SATA Crucial MX500-2TB
    PSU
    Corsair CV650W
    Case
    Cooler Master Silencio S400
    Cooling
    Cooler Master Hyper H412R with Be Quiet Pure Wings 2 PWM BL038 fan
    Keyboard
    Cherry Stream (wired, scissor keys)
    Mouse
    Asus WT465 (wireless)
    Internet Speed
    70 Mbps down / 80 Mbps up
    Browser
    Firefox 130.0
    Antivirus
    F-Secure (Internetprovider version)
    Other Info
    Router: FRITZBox 7490
    Oracle VirtualBox 7 for testing software on Win 10 or 11
Kees said:
And for my wife's PC on Windows 10 nothing changes as well.
Click to expand...
The same steps can be applied to W10 22H2 PC's, the current Monthly CU's include the newer boot files too.

But the real reason you don't hear MS yelling at W10 users is it's going to be EOL'ed in October 2025.

However, some folks may be required to keep using W10 and will enter ESU support for 1-3 years. Just because you're running W10 and under longer-term support, doesn't meant you're not at risk for Black Lotus. Same for W10 LTSC. It doesn't care what version of Windows you're running to be infected.
 

My Computer

System One

  • OS
    Windows 7
uncyler825 said:
Can you give an example of what serious harm would happen to regular users if we don't immediately forbidden old CA 2011 certificates?
Click to expand...
You're at risk for Black Lotus UEFI rootkit, or a variant which uses the same technology. It's a persistent malware.

Is your Windows going to stop working if you don't revoke CA 2011 now? No, but if you have enough Windows experience with basic system management, then its something you can do now and manage it instead of waiting for next year.

No one's telling you that every single user to follow the procedure today. But if you're reading this thread, that implies you are interested (unlike other users) and probably have enough Windows experience to follow the process.
 

My Computer

System One

  • OS
    Windows 7
garlin said:
You're at risk for Black Lotus UEFI rootkit, or a variant which uses the same technology. It's a persistent malware.

Is your Windows going to stop working if you don't revoke CA 2011 now? No, but if you have enough Windows experience with basic system management, then its something you can do now and manage it instead of waiting for next year.

No one's telling you that every single user to follow the procedure today. But if you're reading this thread, that implies you are interested (unlike other users) and probably have enough Windows experience to follow the process.
Click to expand...
I'm a bit confused with it all. I have the 2011. So they need revoking? And how do you get more up to date ones?
 

My Computers

System One System Two

  • OS
    Windows 11 Home 25H2
    Computer type
    Laptop
    Manufacturer/Model
    HP Pavilion 14-ce3606sa
    CPU
    Core i5-1035G1
    Memory
    32gb
    Hard Drives
    Samsung 870 evo sata ssd
    Cooling
    Could be better
    Internet Speed
    50 mbps Starlink
    Browser
    Firefox
    Other Info
    Originally came installed with a 500gb H10 Optane ssd
  • Operating System
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    HP Pavilion ce3606sa
    CPU
    Intel Core i5-1035G1
    Memory
    16gb
    Hard Drives
    Hynix Gold P31 2TB
    Internet Speed
    200mbps Starlink
    Browser
    Firefox
    Antivirus
    Defender
garlin said:
No one's telling you that every single user to follow the procedure today. But if you're reading this thread, that implies you are interested (unlike other users) and probably have enough Windows experience to follow the process.
Click to expand...
And what is the process? Where is it?
 

My Computer

System One

  • OS
    Windows 10
You must log in or register to reply here.

Similar threads

  • Article Article
Refreshing the root of trust: industry collaboration on Secure Boot certificate updates
Replies
6
Views
2K
garioch7
garioch7
Solved Windows Secure Boot certificates expiring in 2026
Replies
13
Views
767
jdUnionngarden
jdUnionngarden
  • Article Article
Win Update KB5087539 Windows Server 2025 Cumulative Update build 26100.32860 - May 12
Replies
0
Views
153
Brink
Brink
  • Article Article
Win Update KB5089549 Windows 11 Cumulative Update build 26100.8457 (24H2) and 26200.8457 (25H2) - May 12
7 8 9
Replies
164
Views
23K
banger
banger
  • Article Article
What is new in Windows 11 from February 2026
Replies
0
Views
349
Brink
Brink

Latest Support Threads

Latest Tutorials

Back
Top Bottom