Windows IT Pro Blog:
Prepare for the first global large-scale certificate update to Secure Boot.
The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expiring beginning June 2026. The way to automatically get timely updates to new certificates for supported Windows systems is to let Microsoft manage your Windows updates, which include Secure Boot. A close collaboration with original equipment manufacturers (OEMs) who provide Secure Boot firmware updates is also essential.
If you haven't yet, begin evaluating options and start preparing for the rollout of updated certificates across your organization in the coming months. Learn about this effort, its impact, and what you as an IT admin should do to help ensure that your Windows devices can receive updates after June 2026 without compromising system security.
Recap: Why Secure Boot requires updating
Secure Boot helps to prevent malware from running early in the startup sequence of a Windows device. Coupled with the Unified Extensible Firmware Interface (UEFI) firmware signing process, Secure Boot uses cryptographic keys, known as certificate authorities (CAs), to validate that firmware modules come from a trusted source.After 15 years, the Secure Boot certificates that are part of Windows systems will start expiring in June 2026. Windows devices will need new certificates to maintain continuity and protection.
- Affected: Physical and virtual machines (VMs) on supported versions of Windows 10, Windows 11, Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2—the systems released since 2012, including the long-term servicing channel (LTSC)
- Not affected: Copilot+ PCs released in 2025
Secure Boot uses certificate-based trust hierarchy to ensure that only authorized software runs during system startup. At the top of this hierarchy is the Platform Key (PK), typically managed by the OEM or a delegate, which acts as the root of trust. The PK authorizes updates to the Key Enrollment Key (KEK) database, which in turn authorizes updates to two critical signature databases: the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX). This layered structure ensures that only validated updates can modify the system's boot policy, maintaining a secure boot environment. See how it works in Updating Secure Boot keys.
The change: Expiring certificates
Windows systems released since 2012 might have expiring versions of the certificates listed below. The UEFI Secure Boot DB and KEK need to be updated with the corresponding new certificate versions.See what new certificates will be available in the coming months to maintain UEFI Secure Boot continuity.
| Expiration date | Expiring certificate | Updated certificate | What it does | Storing location |
|---|---|---|---|---|
| June 2026 | Microsoft Corporation KEK CA 2011 | Microsoft Corporation KEK 2K CA 2023 | Signs updates to DB and DBX | KEK |
| June 2026 | Microsoft Corporation UEFI CA 2011 (or third-party UEFI CA)* | a) Microsoft Corporation UEFI CA 2023 b) Microsoft Option ROM UEFI CA 2023 | a) Signs third-party OS and hardware driver components b) Signs third-party option ROMs | DB |
| Oct 2026 | Microsoft Windows Production PCA 2011 | Windows UEFI CA 2023 | Signs the Windows bootloader and boot components | DB |
Microsoft and partner OEMs will be rolling out certificates to add trust for the new DB and KEK certificates in the coming months.
The impact and implications
The CAs ensure the integrity of the device startup sequence. When these CAs expire, the systems will stop receiving security fixes for the Windows Boot Manager and the Secure Boot components. Compromised security at startup threatens the overall security of affected Windows devices, especially due to bootkit malware. Bootkit malware can be difficult or impossible to detect with standard antivirus software. For example, even today, the unsecured boot path can be used as a cyberattack vector by the BlackLotus UEFI bootkit (CVE-2023-24932).Every Windows system with Secure Boot enabled includes the same three certificates in support of third-party hardware and Windows ecosystem. Unless prepared, physical devices and VMs will:
- Lose the ability to install Secure Boot security updates after June 2026.
- Not trust third-party software signed with new certificates after June 2026.
- Not receive security fixes for Windows Boot Manager by October 2026.
Take action today
To begin, bookmark the Secure Boot certificate rollout landing page and take our readiness survey!Microsoft support is only available for supported client versions of Windows 11 and Windows 10. Once Windows 10 reaches end of support in October 2025, consider getting Extended Security Updates (ESU) for Windows 10, version 22H2 if you're not ready to upgrade.
In the coming months, we expect to update the Secure Boot certificates as part of our latest cumulative update cycle.
The solution that requires the least effort is letting Microsoft manage your Windows device updates, including Secure Boot updates. However, you might need to adopt multiple solutions. Your specific next step depends on the Windows systems and how you manage them.
Enterprise IT-managed systems that send diagnostic data
No action is required if Windows systems at your organization receive Windows updates from Microsoft and send diagnostic data back to Microsoft. This includes devices that receive updates through Windows Autopatch, Microsoft Configuration Manager, or third-party solutions.Windows diagnostic data and OEM feedback will help us group devices with similar hardware and firmware profiles to gradually release Secure Boot updates to you. This allows us to intelligently monitor the rollout process, proactively pausing, addressing any issues, and continuing as needed. Just keep your devices updated with the latest Windows updates!
Enterprise IT-managed systems that don't send diagnostic data
Enable Windows diagnostic data and let Microsoft manage your updates by taking the following steps:- Configure your organizational policies to allow at least the “required” level of diagnostic data. You can use Group Policy or mobile device management (MDM) to do this. See how to do this in Group Policy Management Editor for Windows 11 and Windows 10.
- Allow Microsoft to manage Secure Boot-related updates for your devices by setting the following registry key:
- o Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot
- o Key name: MicrosoftUpdateManagedOptIn
- o Type: DWORD
- o DWORD value: 0x5944 (opt in to Windows Secure Boot updates)
If you prefer not to enable diagnostic data, please take this anonymous readiness survey. Help us assess the needs of environments like yours to create future guidance on managing the update process independently. You'll remain fully in control and responsible to execute and monitor these updates.
Air-gapped devices, such as in government scenarios or manufacturing, are a special case. Because Microsoft cannot manage these updates, we can only offer the following limited support:
- Recommend known steps or methods for deploying these updates
- Share data gathered from our rollout stream
Systems with Secure Boot disabled
Windows cannot update the active variables of the Secure Boot certificates if Secure Boot is disabled.Share these recommendations with individual users:
- Press Windows key + R, type msinfo32, and then press Enter.
- In the System Information window, look for Secure Boot State.
- If it says On, you're good to go!
Check if Secure Boot is Enabled, Disabled, or Unsupported in Windows 11
This tutorial will show you how to check if Secure Boot is currently enabled, disabled, or unsupported on your Windows 10 or Windows 11 PC. Windows 11 minimum system requirements include your system to be UEFI (Unified Extensible Firmware Interface) and Secure Boot capable. While the...
www.elevenforum.com
Enable or Disable Secure Boot in Windows 11
This tutorial will show you how to enable or disable Secure Boot on your Windows 10 and Windows 11 PC. Windows 11 minimum system requirements include your system to be UEFI (Unified Extensible Firmware Interface) and Secure Boot capable. While the requirement to upgrade a Windows 10 device to...
www.elevenforum.com
Change management considerations
Don't wait until June 2026! Updating DB and KEK with new 2023 certificates will help prevent your systems from boot-level security vulnerabilities today.Get the latest OEM firmware updates and let Microsoft manage your Windows updates to receive Secure Boot updates automatically. Otherwise, help us understand your special case by completing this anonymous readiness survey.
Watch the release notes for Windows 11, version 24H2, version 23H2, and Windows 10 in the coming months to know when these updates are available to you. Stay tuned for additional guidance for the LTSC as needed.
Bookmark these additional resources:
- Secure Boot certificate rollout landing page
- Windows devices for businesses and organizations with IT-managed updates
- Windows devices for home users, businesses, and schools with Microsoft-managed updates
- Windows 11 and Secure Boot
- Secure Boot
- Updating Secure Boot keys
- Enterprise deployment guidance for CVE-2023-24932
- How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932
Source:
Act now: Secure Boot certificates expire in June 2026 - Windows IT Pro Blog
Learn how to update to the new 2023 Secure Boot certificates ahead of June 2026 expiration.
techcommunity.microsoft.com
Last edited:
My only 2023 certificate disappeared and I just have the 2011 certificates!
I'd assume that except that when they were the only certificates, it booted fine, so it seems that's what Windows is using...
Wait!!! What about all the screwups we hear about. The sky may not be falling, but something's sure hitting me on the head. 
