Act now: Secure Boot certificates expire in June 2026

Windows IT Pro Blog:

Prepare for the first global large-scale certificate update to Secure Boot.

The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expiring beginning June 2026. The way to automatically get timely updates to new certificates for supported Windows systems is to let Microsoft manage your Windows updates, which include Secure Boot. A close collaboration with original equipment manufacturers (OEMs) who provide Secure Boot firmware updates is also essential.

If you haven't yet, begin evaluating options and start preparing for the rollout of updated certificates across your organization in the coming months. Learn about this effort, its impact, and what you as an IT admin should do to help ensure that your Windows devices can receive updates after June 2026 without compromising system security.

Important: While platforms beyond Windows are affected, this article focuses on the solution for Windows systems. Be sure to monitor the Secure Boot certificate rollout landing page for status and guidance updates.

Recap: Why Secure Boot requires updating

Secure Boot helps to prevent malware from running early in the startup sequence of a Windows device. Coupled with the Unified Extensible Firmware Interface (UEFI) firmware signing process, Secure Boot uses cryptographic keys, known as certificate authorities (CAs), to validate that firmware modules come from a trusted source.

After 15 years, the Secure Boot certificates that are part of Windows systems will start expiring in June 2026. Windows devices will need new certificates to maintain continuity and protection.
  • Affected: Physical and virtual machines (VMs) on supported versions of Windows 10, Windows 11, Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2—the systems released since 2012, including the long-term servicing channel (LTSC)
  • Not affected: Copilot+ PCs released in 2025
Note: Affected third-party OS includes MacOS. However, it's outside the scope of Microsoft support. For Linux systems dual booting with Windows, Windows will update the certificates that Linux relies on.

Secure Boot uses a certificate-based trust hierarchy to ensure that only authorized software runs during system startup. At the top of this hierarchy is the Platform Key (PK), typically managed by the OEM or a delegate, which acts as the root of trust. The PK authorizes updates to the Key Enrollment Key (KEK) database, which in turn authorizes updates to two critical signature databases: the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX). This layered structure ensures that only validated updates can modify the system's boot policy, maintaining a secure boot environment. See how it works in Updating Secure Boot keys.

The change: Expiring certificates

Windows systems released since 2012 might have expiring versions of the certificates listed below. The UEFI Secure Boot DB and KEK need to be updated with the corresponding new certificate versions.

See what new certificates will be available in the coming months to maintain UEFI Secure Boot continuity.

Expiration date | Expiring certificate | Updated certificate | What it does | Storing location
June 2026 | Microsoft Corporation KEK CA 2011 | Microsoft Corporation KEK 2K CA 2023 | Signs updates to DB and DBX | KEK
June 2026 | Microsoft Corporation UEFI CA 2011 (or third-party UEFI CA)* | a) Microsoft Corporation UEFI CA 2023; b) Microsoft Option ROM UEFI CA 2023 | a) Signs third-party OS and hardware driver components; b) Signs third-party option ROMs | DB
Oct 2026 | Microsoft Windows Production PCA 2011 | Windows UEFI CA 2023 | Signs the Windows bootloader and boot components | DB

*You need two new certificates for Microsoft Corporation UEFI CA 2011, which together allow for more granular control.

Microsoft and partner OEMs will be rolling out certificates to add trust for the new DB and KEK certificates in the coming months.

The impact and implications

The CAs ensure the integrity of the device startup sequence. When these CAs expire, the systems will stop receiving security fixes for the Windows Boot Manager and the Secure Boot components. Compromised security at startup threatens the overall security of affected Windows devices, especially due to bootkit malware. Bootkit malware can be difficult or impossible to detect with standard antivirus software. For example, even today, the unsecured boot path can be used as a cyberattack vector by the BlackLotus UEFI bootkit (CVE-2023-24932).

Every Windows system with Secure Boot enabled includes the same three certificates in support of third-party hardware and the Windows ecosystem. Unless prepared, physical devices and VMs will:
  • Lose the ability to install Secure Boot security updates after June 2026.
  • Not trust third-party software signed with new certificates after June 2026.
  • Not receive security fixes for Windows Boot Manager by October 2026.
To prevent this, you'll need to update your organization's entire Windows ecosystem with certificates dated 2023 or newer. This will also help you apply mitigations needed to help secure your systems against the BlackLotus and similar boot-level cyberattacks today.

Take action today

To begin, bookmark the Secure Boot certificate rollout landing page and take our readiness survey!

Important: Check with your OEMs on the latest available OEM firmware. Apply any available firmware updates to your Windows systems before applying the new certificates. In the Secure Boot flow, firmware updates from OEMs are the foundation for Windows Secure Boot updates to apply correctly.

Microsoft support is only available for supported client versions of Windows 11 and Windows 10. Once Windows 10 reaches end of support in October 2025, consider getting Extended Security Updates (ESU) for Windows 10, version 22H2 if you're not ready to upgrade.

In the coming months, we expect to update the Secure Boot certificates as part of our latest cumulative update cycle.

The solution that requires the least effort is letting Microsoft manage your Windows device updates, including Secure Boot updates. However, you might need to adopt multiple solutions. Your specific next step depends on the Windows systems and how you manage them.

Enterprise IT-managed systems that send diagnostic data

No action is required if Windows systems at your organization receive Windows updates from Microsoft and send diagnostic data back to Microsoft. This includes devices that receive updates through Windows Autopatch, Microsoft Configuration Manager, or third-party solutions.

Note: Check that your firewall doesn't block diagnostic data. If it does, please take action to help diagnostic data reach Microsoft.

Windows diagnostic data and OEM feedback will help us group devices with similar hardware and firmware profiles to gradually release Secure Boot updates to you. This allows us to intelligently monitor the rollout process, proactively pausing, addressing any issues, and continuing as needed. Just keep your devices updated with the latest Windows updates!

Enterprise IT-managed systems that don't send diagnostic data

Enable Windows diagnostic data and let Microsoft manage your updates by taking the following steps:
  1. Configure your organizational policies to allow at least the “required” level of diagnostic data. You can use Group Policy or mobile device management (MDM) to do this. See how to do this in Group Policy Management Editor for Windows 11 and Windows 10.
  2. Allow Microsoft to manage Secure Boot-related updates for your devices by setting the following registry key:
  • Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot
  • Key name: MicrosoftUpdateManagedOptIn
  • Type: DWORD
  • DWORD value: 0x5944 (opt in to Windows Secure Boot updates)
We recommend setting this key to 0x5944. It indicates that all certificates should be updated in a manner that preserves the security profile of the existing device. It also updates the boot manager to the one signed by the Windows UEFI CA 2023 certificate. Note: If the DWORD value is 0 or the key doesn't exist, Windows diagnostic data is disabled.

If you prefer not to enable diagnostic data, please take this anonymous readiness survey. Help us assess the needs of environments like yours to create future guidance on managing the update process independently. You'll remain fully in control and responsible to execute and monitor these updates.

Air-gapped devices, such as in government scenarios or manufacturing, are a special case. Because Microsoft cannot manage these updates, we can only offer the following limited support:
  • Recommend known steps or methods for deploying these updates
  • Share data gathered from our rollout stream
When available, look for these resources on the Secure Boot certificate rollout landing page.

Systems with Secure Boot disabled

Windows cannot update the active variables of the Secure Boot certificates if Secure Boot is disabled.

Important: Toggling Secure Boot on or off might erase the updated certificates. If Secure Boot is on, leave it enabled. Turning it off can reset the settings with defaults, which is not desirable.

Share these recommendations with individual users:
  1. Press Windows key + R, type msinfo32, and then press Enter.
  2. In the System Information window, look for Secure Boot State.
  3. If it says On, you're good to go!
If Secure Boot is off or unsupported, the device may not receive the new CAs. For these devices, you may choose to enable Secure Boot with this guidance: Windows 11 and Secure Boot.


Change management considerations

Don't wait until June 2026! Updating DB and KEK with new 2023 certificates will help prevent your systems from boot-level security vulnerabilities today.

Get the latest OEM firmware updates and let Microsoft manage your Windows updates to receive Secure Boot updates automatically. Otherwise, help us understand your special case by completing this anonymous readiness survey.

Watch the release notes for Windows 11, version 24H2, version 23H2, and Windows 10 in the coming months to know when these updates are available to you. Stay tuned for additional guidance for the LTSC as needed.

Bookmark these additional resources:


 Source:

 
Last edited:
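An added example, written for this thread and not part of the Microsoft post above: a PowerShell script that does the checks the post describes by hand (Secure Boot state as msinfo32 shows it, whether the 2023 CAs are already in DB and KEK, the diagnostic data policy, and the MicrosoftUpdateManagedOptIn value), plus a helper that writes the opt-in DWORD the post names. The registry path, value name and 0x5944 come from the post. Everything else is my assumption: the EFI_SIGNATURE_LIST layout is taken from the UEFI specification, the certificate CN patterns are matched loosely so either "Microsoft UEFI CA 2023" or "Microsoft Corporation UEFI CA 2023" is found, and the AllowTelemetry policy value (1 = Required) is the mapping I believe Group Policy uses. Run it from an elevated PowerShell prompt; the opt-in call is left commented out so the script is read-only by default.

```powershell
# Added example (not from the Microsoft post): Secure Boot certificate rollout
# readiness check. Read-only unless you call Enable-MicrosoftManagedSecureBootUpdate.
#Requires -RunAsAdministrator

$OptInPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'   # from the post
$OptInName  = 'MicrosoftUpdateManagedOptIn'                         # from the post
$OptInValue = 0x5944                                                # from the post

function Get-SecureBootCertificate {
    # Parse a Secure Boot variable (a chain of EFI_SIGNATURE_LIST structures, per the
    # UEFI spec) and return every X.509 certificate it holds. Each list is:
    # 16-byte SignatureType GUID, UINT32 SignatureListSize, UINT32 SignatureHeaderSize,
    # UINT32 SignatureSize, header bytes, then entries of (16-byte owner GUID + data).
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Variable)

    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { throw "Malformed signature list in $Variable at offset $offset" }
        if ($type -eq $x509Guid) {
            if ($sigSize -le 16) { throw "Bad SignatureSize $sigSize in $Variable at offset $offset" }
            $pos = $offset + 28 + $headerSize
            while ($pos + $sigSize -le $offset + $listSize) {
                # Skip the 16-byte SignatureOwner GUID; the rest is the DER certificate.
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Variable
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Test-SecureBootReadiness {
    # Mirrors the manual checks in the post: Secure Boot state, 2023 CAs present in
    # db/KEK, diagnostic data policy, and the opt-in registry value.
    $r = [ordered]@{}
    try   { $r.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $r.SecureBootEnabled = $false }   # legacy BIOS mode or unsupported platform

    try   { $db = @(Get-SecureBootCertificate -Variable db); $kek = @(Get-SecureBootCertificate -Variable KEK) }
    catch { Write-Warning "Could not read Secure Boot variables: $_"; $db = @(); $kek = @() }

    # Loose CN patterns: OEMs render the third-party CA name with or without "Corporation".
    $r.Has_WindowsUefiCa2023    = [bool]($db  | Where-Object { $_.Subject -match '^CN=Windows UEFI CA 2023,' })
    $r.Has_ThirdPartyUefiCa2023 = [bool]($db  | Where-Object { $_.Subject -match '^CN=Microsoft( Corporation)? UEFI CA 2023,' })
    $r.Has_OptionRomCa2023      = [bool]($db  | Where-Object { $_.Subject -match '^CN=Microsoft Option ROM UEFI CA 2023,' })
    $r.Has_Kek2kCa2023          = [bool]($kek | Where-Object { $_.Subject -match '^CN=Microsoft Corporation KEK 2K CA 2023,' })
    $r.ExpiringCasStillPresent  = (@(($db + $kek) | Where-Object { $_.Subject -match '2011,' }).Subject) -join '; '

    # AllowTelemetry policy: 1 = Required, the minimum level the post asks for (assumed mapping).
    $tel = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' -Name AllowTelemetry -ErrorAction SilentlyContinue
    $r.AllowTelemetryPolicy = if ($tel) { $tel.AllowTelemetry } else { '(not configured)' }

    $opt = Get-ItemProperty $OptInPath -Name $OptInName -ErrorAction SilentlyContinue
    $r.OptInValue = if ($opt) { '0x{0:X4}' -f $opt.$OptInName } else { '(not set)' }
    $r.OptedIn    = [bool]($opt -and $opt.$OptInName -eq $OptInValue)
    [pscustomobject]$r
}

function Enable-MicrosoftManagedSecureBootUpdate {
    # Step 2 of the post: write the opt-in DWORD. Apply OEM firmware updates first.
    if (-not (Test-Path $OptInPath)) { New-Item -Path $OptInPath -Force | Out-Null }
    New-ItemProperty -Path $OptInPath -Name $OptInName -PropertyType DWord -Value $OptInValue -Force | Out-Null
    Get-ItemProperty -Path $OptInPath -Name $OptInName
}

Test-SecureBootReadiness | Format-List
Get-SecureBootCertificate -Variable db | Format-Table Subject, NotAfter -AutoSize
# Enable-MicrosoftManagedSecureBootUpdate   # uncomment once OEM firmware is current
```

The DB parser is the useful part: rather than trusting a string search over raw variable bytes, it walks the signature lists and hands each DER blob to the .NET X509 class, so the NotAfter column shows directly which CAs are the 2011 ones that expire in 2026 and which are the 2023 replacements.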
Is the Dell Laptop a newer Model (released in 2024)? Which model is that, btw?

The Secure Boot certificates are part of the UEFI firmware. As far as I know, a clean install of Windows, even 24H2, does not modify DBX entries directly.


It's a Dell Inspiron 15 3530 model purchased new from Dell in July 2024. Firmware is up to date (it comes via Windows Update) and is level 1.18.0.
The CPU was released in January 2023 (same goes for the motherboard), and the UEFI Revocation List (DBX) was released on 9 May 2023 - so it's possible that it wasn't updated out-of-the-box. Of all the things I can blame Dell for - falling behind with critical updates is not one of them (that's where they seem to shine the most, even when/if the users are against a specific update which cripples their system). Dell is known to prioritize security over performance/functionality - so if not with Windows Updates - you could try the support page of your product:


Use the code on the back (there are multiple models labeled as Dell Inspiron 15 3530 - with different components - while the code should tell which is which) when searching for your model. Maybe it's covered there.

Since I bought the Dell, I've clean-installed it with 24H2 using a Rufus-generated install media. I suspect the problem may have something to do with this issue.


Rufus complaining about security of UUP dump bootloader
A clean 24H2 install will not add CA 2011 to DBX, because it's still an optional process. Setup doesn't know if you have one of the few known cases where your UEFI or security products/management vendor has incompatible code. Forcing the change would "brick" the system for a casual PC user.

For now, you have to set a reg value and run a Windows task several times until it cycles through the update process.

MS will probably re-release a 25H2 ISO in mid-2026, which does all the UEFI changes on a clean install.
Hmm... Read through that. I already have the 2023 certificates in the DB, per my post above.

I've assumed that means that I can skip 2 (a) and start at 2(b). But when I get to 2 (c) (iv), my file has no signatures listed.

Should I do step 2(s) and schedule the update task... and does that mean I should do step 1 and create the other reg key too?
The reg key has different values, which signal to the Windows task what it's supposed to do next. The reason is that several reboots are required for the process.

Assuming your new boot file is the correct version, then proceed to Step 3 to update DBX. If it's the wrong boot version, you may be "bricked" until you enter BIOS and disable Secure Boot (which turns off UEFI checks).
The best place I've found to get started is one of the weblinks in @Brink's top post in this thread. It gives good information about all this depending on whether you're a home user OR an IT admin/manager responsible for lots of computers.

Go to the page linked below and in the top post and select one of the numbered options that applies to get specific information for that use case.


Here.

@BruceR

You're dead on with that quote from MS. I did the updates manually as per MS instructions on my desktop PC on a whim but there was a very low risk as remote access is disabled. Then a hacker needs either physical access or by social engineering get some kind of malware on to my PC. Then it would have to get past my security software.

The hackers would be much more likely to target corporate or other large networks of computers. I understand they pay big dollars for the tools/scripts on the dark end of the internet to be able to do this. Little guys like us wouldn't make much of a target anyway.
Well that person can't read.

Allow Microsoft to manage Secure Boot-related updates for your devices by setting the following registry key:

  • Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot
  • Key name: MicrosoftUpdateManagedOptIn
  • Type: DWORD
  • DWORD value: 0x5944 (opt in to Windows Secure Boot updates)
Someone asked this question in the comments at:
No, that's for IT admins who run specific Windows management tools that allow MS to remotely manage which updates you get. This is provided as a paid service so IT doesn't have to keep track of what needs to be done. The setting guarantees telemetry is enabled so MS can take the correct action based on each system's individual profile.

For 98% of ElevenForum's readers, this setting is irrelevant.
That's not my goal. I'm here to explain to the general audience why things are where they are.

Good thing (or at least I hope) - there are not that many average users who bumped into this topic by accident. Because a lot of them are always in a hurry to apply Windows Updates (as was the case in late 2024 & early 2025 - when many average users ended up stuck in a boot loop or BSOD - while in a hurry to update their system to 24H2 - which wasn't yet ready for that update, only to revert back to 23H2 after days of endless trials). If that was the case... and enough average users did follow the earlier advice of some self-proclaimed Windows/Microsoft know-it-all (in his own words: "I'm here to explain to the general audience why things are where they are") - who claimed that this update is... optional (and not just for IT Professionals - as Microsoft officially stated - even adding a note in the section intended for Windows devices for businesses and organizations with IT-managed updates: Note If you are an individual who owns a personal Windows device, please go to the article Windows devices for home users, businesses, and schools with Microsoft-managed updates.) - who knows how many would end up with bricked machines (laptops in particular). As stated in the first post I made in this topic:
Would be really odd if it did (Microsoft expecting average Windows users to figure out how to do this manually), without - being included in a Windows update.
In times like this - it pays to be a hard skeptic (might save you a lot of time and money too) - since "officially" - you have another year till Microsoft will do this automatically:

"When is this happening?

The new certificate updates will continue gradually through June 2026. Microsoft is starting with Home and Pro edition systems first to ensure a smooth and safe transition.

Is this applicable for my Windows device?

If you use a Windows 10 or Windows 11 device that runs Home, Pro or Education edition, and you get updates automatically from Microsoft (like most people do), then yes—this is applicable for your device.

The good news is that the new 2023 certificates will be delivered to your device through regular Windows Update channels. For most users, no action is needed. "

And sure, the naming of this blog (Act now: Secure Boot certificates expire in June 2026) can mislead some people - but it's part of the "Windows IT Pro Blog". It can be informational even for Home users - but it's not directed at them (in terms of Windows maintenance and such). The CVE-2023-24932 vulnerability (Secure Boot Security Feature Bypass Vulnerability) - and its mitigation by updating Secure Boot Certificates - was addressed even earlier this year (February 13, 2025) - by Microsoft in an official article aimed at Enterprise IT personnel.

To avoid disruptions, Microsoft does not plan to deploy these mitigations in enterprises but is providing this guidance to help enterprises apply the mitigations themselves. This gives enterprises control over the deployment plan and timing of deployments.

- while also pointing out the possible risks:

Understanding the following risks will help you during your planning process.

Firmware Issues:
Each device has firmware provided by the manufacturer of the device. For the deployment operations described in this document, the firmware must be able to accept and process updates to the Secure Boot DB (Signature Database) and DBX (Forbidden Signature Database). In addition, the firmware is responsible for validating the signature of boot applications, including the Windows boot manager. The device firmware is software and, like any software, may have defects, which is why it is important to test these operations before deploying widely.

Microsoft has ongoing testing of many device/firmware combinations, starting with the devices within Microsoft labs and offices, and Microsoft is working with OEMs to test their devices. Nearly all the devices tested have passed without issue. In a few cases, we have seen issues with the firmware not correctly handling the updates and we are working with the OEMs to address the issues of which we are aware.

Note During your device testing, if you detect a firmware issue, we recommend working with your device manufacturer/OEM to resolve the issue. Look for Event ID 1795 in the event log. See KB5016061: Secure Boot DB and DBX variable update events for more details on Secure Boot events.

Hope this is clear enough and maybe helps someone avoid making a stupid mistake.
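An added example, mine rather than Microsoft's or anyone's in this thread, for the "Look for Event ID 1795" advice quoted above: a PowerShell function that pulls those events from one or more machines and summarises which ones logged them, so a firmware problem can be raised with the OEM before a wider rollout. Only the event ID is taken from the quoted guidance; the log name (System) and provider name (Microsoft-Windows-TPM-WMI) are the ones I believe KB5016061 documents for these events and are assumptions here, as is the 30-day default window. Reading another machine's log needs the usual remote event log access.

```powershell
# Added example (not from the quoted Microsoft guidance): list Secure Boot DB/DBX
# update events so devices with firmware issues can be spotted during test rollouts.
function Get-SecureBootUpdateEvent {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int[]]$EventId = @(1795),      # ID the quoted guidance says to look for
        [int]$Days = 30                 # assumed lookback window
    )
    foreach ($computer in $ComputerName) {
        $filter = @{
            LogName      = 'System'                       # assumed, per KB5016061
            ProviderName = 'Microsoft-Windows-TPM-WMI'    # assumed, per KB5016061
            Id           = $EventId
            StartTime    = (Get-Date).AddDays(-$Days)
        }
        try {
            $events = @(Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop)
        } catch {
            # Get-WinEvent reports an empty result as an error; treat that as "clean".
            if ($_.Exception.Message -like '*No events were found*') { $events = @() } else { throw }
        }
        foreach ($e in $events) {
            [pscustomobject]@{
                Computer = $computer
                Time     = $e.TimeCreated
                Id       = $e.Id
                Message  = ($e.Message -split "`r?`n")[0]   # first line of the event text
            }
        }
    }
}

# Per-machine count: anything non-zero is a device to raise with the OEM.
Get-SecureBootUpdateEvent | Group-Object Computer | Select-Object Name, Count
```

Pass a list of test machines with -ComputerName to sweep a pilot group in one go; the detailed rows (time, ID, first line of the message) are what you attach to the OEM support case.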