Act now: Secure Boot certificates expire in June 2026


 Windows IT Pro Blog:

Prepare for the first global large-scale certificate update to Secure Boot.

The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expiring beginning June 2026. The way to automatically get timely updates to new certificates for supported Windows systems is to let Microsoft manage your Windows updates, which include Secure Boot. A close collaboration with original equipment manufacturers (OEMs) who provide Secure Boot firmware updates is also essential.

If you haven't yet, begin evaluating options and start preparing for the rollout of updated certificates across your organization in the coming months. Learn about this effort, its impact, and what you as an IT admin should do to help ensure that your Windows devices can receive updates after June 2026 without compromising system security.

Important: While platforms beyond Windows are affected, this article focuses on the solution for Windows systems. Be sure to monitor the Secure Boot certificate rollout landing page for status and guidance updates.

Recap: Why Secure Boot requires updating

Secure Boot helps to prevent malware from running early in the startup sequence of a Windows device. Coupled with the Unified Extensible Firmware Interface (UEFI) firmware signing process, Secure Boot uses cryptographic keys, known as certificate authorities (CAs), to validate that firmware modules come from a trusted source.

After 15 years, the Secure Boot certificates that are part of Windows systems will start expiring in June 2026. Windows devices will need new certificates to maintain continuity and protection.
  • Affected: Physical and virtual machines (VMs) on supported versions of Windows 10, Windows 11, Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2—the systems released since 2012, including the long-term servicing channel (LTSC)
  • Not affected: Copilot+ PCs released in 2025
Note: Affected third-party OS includes MacOS. However, it's outside the scope of Microsoft support. For Linux systems dual booting with Windows, Windows will update the certificates that Linux relies on.

Secure Boot uses a certificate-based trust hierarchy to ensure that only authorized software runs during system startup. At the top of this hierarchy is the Platform Key (PK), typically managed by the OEM or a delegate, which acts as the root of trust. The PK authorizes updates to the Key Enrollment Key (KEK) database, which in turn authorizes updates to two critical signature databases: the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX). This layered structure ensures that only validated updates can modify the system's boot policy, maintaining a secure boot environment. See how it works in Updating Secure Boot keys.

The change: Expiring certificates

Windows systems released since 2012 might have expiring versions of the certificates listed below. The UEFI Secure Boot DB and KEK need to be updated with the corresponding new certificate versions.

See what new certificates will be available in the coming months to maintain UEFI Secure Boot continuity.

| Expiration date | Expiring certificate | Updated certificate | What it does | Storing location |
| --- | --- | --- | --- | --- |
| June 2026 | Microsoft Corporation KEK CA 2011 | Microsoft Corporation KEK 2K CA 2023 | Signs updates to DB and DBX | KEK |
| June 2026 | Microsoft Corporation UEFI CA 2011 (or third-party UEFI CA)* | a) Microsoft Corporation UEFI CA 2023; b) Microsoft Option ROM UEFI CA 2023 | a) Signs third-party OS and hardware driver components; b) Signs third-party option ROMs | DB |
| Oct 2026 | Microsoft Windows Production PCA 2011 | Windows UEFI CA 2023 | Signs the Windows bootloader and boot components | DB |

*You need two new certificates for Microsoft Corporation UEFI CA 2011, which together allow for more granular control.

Microsoft and partner OEMs will be rolling out certificates to add trust for the new DB and KEK certificates in the coming months.

The impact and implications

The CAs ensure the integrity of the device startup sequence. When these CAs expire, the systems will stop receiving security fixes for the Windows Boot Manager and the Secure Boot components. Compromised security at startup threatens the overall security of affected Windows devices, especially due to bootkit malware. Bootkit malware can be difficult or impossible to detect with standard antivirus software. For example, even today, the unsecured boot path can be used as a cyberattack vector by the BlackLotus UEFI bootkit (CVE-2023-24932).

Every Windows system with Secure Boot enabled includes the same three certificates in support of third-party hardware and Windows ecosystem. Unless prepared, physical devices and VMs will:
  • Lose the ability to install Secure Boot security updates after June 2026.
  • Not trust third-party software signed with new certificates after June 2026.
  • Not receive security fixes for Windows Boot Manager by October 2026.
To prevent this, you'll need to update your organization's entire Windows ecosystem with certificates dated 2023 or newer. This will also help you apply mitigations needed to help secure your systems against the BlackLotus and similar boot-level cyberattacks today.

Take action today

To begin, bookmark the Secure Boot certificate rollout landing page and take our readiness survey!

Important: Check with your OEMs on the latest available OEM firmware. Apply any available firmware updates to your Windows systems before applying the new certificates. In the Secure Boot flow, firmware updates from OEMs are the foundation for Windows Secure Boot updates to apply correctly.

Microsoft support is only available for supported client versions of Windows 11 and Windows 10. Once Windows 10 reaches end of support in October 2025, consider getting Extended Security Updates (ESU) for Windows 10, version 22H2 if you're not ready to upgrade.

In the coming months, we expect to update the Secure Boot certificates as part of our latest cumulative update cycle.

The solution that requires the least effort is letting Microsoft manage your Windows device updates, including Secure Boot updates. However, you might need to adopt multiple solutions. Your specific next step depends on the Windows systems and how you manage them.

Enterprise IT-managed systems that send diagnostic data

No action is required if Windows systems at your organization receive Windows updates from Microsoft and send diagnostic data back to Microsoft. This includes devices that receive updates through Windows Autopatch, Microsoft Configuration Manager, or third-party solutions.

Note: Check that your firewall doesn't block diagnostic data. If it does, please take action to help diagnostic data reach Microsoft.

Windows diagnostic data and OEM feedback will help us group devices with similar hardware and firmware profiles to gradually release Secure Boot updates to you. This allows us to intelligently monitor the rollout process, proactively pausing, addressing any issues, and continuing as needed. Just keep your devices updated with the latest Windows updates!

Enterprise IT-managed systems that don't send diagnostic data

Enable Windows diagnostic data and let Microsoft manage your updates by taking the following steps:
  1. Configure your organizational policies to allow at least the “required” level of diagnostic data. You can use Group Policy or mobile device management (MDM) to do this. See how to do this in Group Policy Management Editor for Windows 11 and Windows 10.
  2. Allow Microsoft to manage Secure Boot-related updates for your devices by setting the following registry key:
     • Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot
     • Key name: MicrosoftUpdateManagedOptIn
     • Type: DWORD
     • DWORD value: 0x5944 (opt in to Windows Secure Boot updates)
We recommend setting this key to 0x5944. It indicates that all certificates should be updated in a manner that preserves the security profile of the existing device. It also updates the boot manager to the one signed by the Windows UEFI CA 2023 certificate. Note: If the DWORD value is 0 or the key doesn't exist, Windows diagnostic data is disabled.

If you prefer not to enable diagnostic data, please take this anonymous readiness survey. Help us assess the needs of environments like yours to create future guidance on managing the update process independently. You'll remain fully in control and responsible to execute and monitor these updates.

Air-gapped devices, such as in government scenarios or manufacturing, are a special case. Because Microsoft cannot manage these updates, we can only offer the following limited support:
  • Recommend known steps or methods for deploying these updates
  • Share data gathered from our rollout stream
When available, look for these resources on the Secure Boot certificate rollout landing page.

Systems with Secure Boot disabled

Windows cannot update the active variables of the Secure Boot certificates if Secure Boot is disabled.

Important: Toggling Secure Boot on or off might erase the updated certificates. If Secure Boot is on, leave it enabled. Turning it off can reset the settings with defaults, which is not desirable.

Share these recommendations with individual users:
  1. Press Windows key + R, type msinfo32, and then press Enter.
  2. In the System Information window, look for Secure Boot State.
  3. If it says On, you're good to go!
If Secure Boot is off or unsupported, the device may not receive the new CAs. For these devices, you may choose to enable Secure Boot with this guidance: Windows 11 and Secure Boot.


Change management considerations

Don't wait until June 2026! Updating DB and KEK with new 2023 certificates will help prevent your systems from boot-level security vulnerabilities today.

Get the latest OEM firmware updates and let Microsoft manage your Windows updates to receive Secure Boot updates automatically. Otherwise, help us understand your special case by completing this anonymous readiness survey.

Watch the release notes for Windows 11, version 24H2, version 23H2, and Windows 10 in the coming months to know when these updates are available to you. Stay tuned for additional guidance for the LTSC as needed.

It isn't true that the average non-enterprise user is immune from this issue.
After a brief session with ChatGPT, alas you are correct. The information from ChatGPT seems to tell me that there's nothing to worry about as long as you have Secure Boot turned on (I do) and you do regular Windows updates (I do). This will prod me to upgrade to Windows 11 sooner than later.
 

After a brief session with ChatGPT, alas you are correct.
The top post in this thread which quotes directly from Microsoft has a list of Windows versions and devices that are both affected and not affected.

  • Affected: Physical and virtual machines (VMs) on supported versions of Windows 10, Windows 11, Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2—the systems released since 2012, including the long-term servicing channel (LTSC)
  • Not affected: Copilot+ PCs released in 2025
 

The top post in this thread which quotes directly from Microsoft has a list of Windows versions and devices that are both affected and not affected.
Understood; I was just reacting to someone's post saying "This only affects enterprise machines" which as you pointed out is not true. I can't overstate how I loathe dealing with certificates. I had enough of it from my mainframe days. There's nothing like being on an outage call because your employer's online banking system is down because certificates are messed up somewhere amongst the 800 moving parts of the application. :-)
 

Understood; I was just reacting to someone's post saying "This only affects enterprise machines" which as you pointed out is not true. I can't overstate how I loathe dealing with certificates. I had enough of it from my mainframe days. There's nothing like being on an outage call because your employer's online banking system is down because certificates are messed up somewhere amongst the 800 moving parts of the application. :-)
Either way, if you're allowed to disable Secure Boot then Windows can still work. Of course, some work environments have a mandatory policy requiring Secure Boot at all times so that's why the advisory is being repeated in advance.
 

I finally read the material Brink posted and see that the certificates will gradually roll out. I can now relax. I was all 🤷‍♂️ on what to do. It pays to read. :D
 

@Akeo

Thanks for your interesting posts. I use Rufus (for some years now) because, bluntly, it's easier than sorting through the various disk utilities. I greatly appreciate Rufus.

So, I have a simple (and likely uninformed) question:

... this requires having made sure that your version of Windows boots from Windows UEFI CA 2023 signed bootloaders

[Part quote on your post for using Mosby]

Which 24H2 Win 11 versions do not boot from UEFI CA 2023 signed bootloaders, please?

This thread is very interesting and as it grows, quite informative. It's also the very worst type of Spaghetti Junction.
 

I think you have to reboot at least once. AvailableUpdates is a reg value (with different specific flags) which informs Windows you want it to proceed. After Windows has done its thing, AvailableUpdates value should be changed to 0x0.
 

At this time I am extremely happy that I'm a "common user".
Common users do not even know how to reboot a PC without guidance, so MS will find a way to do it for them/us.
While it will not be perfect, it will work, like 0patch fixes Windows vulnerabilities without any changes to actual files.
 

I'm still using Windows 10 Enterprise IoT LTSC Enterprise, I know it's old, but it still works for me.
 

Now have this but had to follow MS instructions step 4 to get it applied/revoked as 280 was not working but 200 did.

Code:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x200 /f

Then I ran the task Microsoft\Windows\PI\Secure-Boot-Update

Strangely there are two different MS docs. The Enterprise version claims you can save one reboot, by combining two reboot steps into one (0x280 vs 0x200).
 

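A read-only PowerShell check that gathers what the first post and the registry posts above say to look at: Secure Boot state, the MicrosoftUpdateManagedOptIn and AvailableUpdates values, and whether the 2023 certificates appear in KEK and DB. This is an added example, not code from Microsoft or from any poster in this thread; the function names are made up here, and the subject string searched for the third-party UEFI CA is an assumption.

```powershell
# Added example: read-only readiness report; it changes nothing on the device.
# Run from an elevated PowerShell session on the machine being checked.

$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'

# 2023 certificates from the table in the first post, with the UEFI variable
# each one is stored in.
$ExpectedCerts = @(
    @{ Variable = 'KEK'; Subject = 'Microsoft Corporation KEK 2K CA 2023' }
    @{ Variable = 'db';  Subject = 'Windows UEFI CA 2023' }
    @{ Variable = 'db';  Subject = 'Microsoft Option ROM UEFI CA 2023' }
    # The table names this one "Microsoft Corporation UEFI CA 2023"; the
    # subject string searched for here is an assumption.
    @{ Variable = 'db';  Subject = 'Microsoft UEFI CA 2023' }
)

function Get-SecureBootState {
    # Confirm-SecureBootUEFI returns $true or $false and throws on legacy
    # BIOS systems or in a non-elevated session.
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    } catch {
        "Unknown: $($_.Exception.Message)"
    }
}

function Get-SecureBootDword([string]$Name) {
    # Returns the registry value as hex text, or 'not set' when it is absent.
    $item = Get-ItemProperty -Path $SecureBootKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { 'not set' } else { '0x{0:X}' -f $item.$Name }
}

function Test-CertInVariable([string]$Variable, [string]$Subject) {
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    } catch {
        return $null    # variable unreadable (legacy BIOS, or not elevated)
    }
    # Plain substring search over the raw variable, not a signature-list parse.
    [System.Text.Encoding]::ASCII.GetString($bytes).Contains($Subject)
}

function Get-SecureBootCertReadiness {
    $optIn = Get-SecureBootDword 'MicrosoftUpdateManagedOptIn'
    $report = [ordered]@{
        ComputerName                = $env:COMPUTERNAME
        SecureBootState             = Get-SecureBootState
        MicrosoftUpdateManagedOptIn = $optIn
        OptInIsRecommendedValue     = ($optIn -eq '0x5944')   # value from the first post
        AvailableUpdates            = Get-SecureBootDword 'AvailableUpdates'
    }
    foreach ($cert in $ExpectedCerts) {
        $found  = Test-CertInVariable $cert.Variable $cert.Subject
        $status = if ($null -eq $found) { 'unknown' } elseif ($found) { 'present' } else { 'missing' }
        $report["$($cert.Variable): $($cert.Subject)"] = $status
    }
    [pscustomobject]$report
}

Get-SecureBootCertReadiness | Format-List
```

Running it before and after the update on each device gives a record of which certificates were added; a result of "unknown" means the UEFI variable could not be read, not that the certificate is absent.
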
Which 24H2 Win 11 versions do not boot from UEFI CA 2023 signed bootloaders, please?

For bootable media created from retail Windows 11 ISO releases (i.e. the kind you can publicly download from Microsoft at Download Windows 11 without being an MSDN subscriber), the answer is simple:
NONE OF THEM are currently able to boot on systems where CA 2023 is installed and CA 2011 has been revoked.

Now, Microsoft actually did some half-assed attempt to create CA 2023 compatible ISOs (as long as you manually update the first stage bootloaders yourself) but they screwed up the bootloaders they included for second stage boot, rendering their whole effort completely worthless, because even if you do replace the initial bootloaders, and should be able to see that the Microsoft setup process does detect that it should use the 2023 CA signed bootloader for second stage boot if it finds that CA 2011 has been revoked, the folks from Microsoft in charge of including those second stage bootloaders found nothing better than to embed obsolete/vulnerable versions of those, that had already been revoked through SVN (which is "Microsoft's Secure Boot revocation through version numbers" rather than "UEFI's Secure Boot revocation through executable hashes") months prior to the 24H2 release, and that will therefore produce a Security Validation error on any systems that are up to date with the Secure Boot DBX... which should be true for anybody using an OS that isn't asleep at the wheel in terms of security or who used Mosby.

So, if you are using the official public retail ISOs, then unless you manually patch a bunch of files, and then a WIM from within a WIM, you can't create a media that boots from UEFI CA 2023 signed bootloaders from 24H2. Which means that, as is the case for every retail ISO that Microsoft released so far, even when they knew very well, more than a year after the BlackLotus fiasco, that continuing to promote the Windows CA 2011 as a trustworthy authority is a major vulnerability, the 24H2 retail ISOs published by Microsoft very much expect CA 2011 to be present and not invalidated on your system if you want to install Windows. And that is the precise reason why I stated that you really want to be careful if you want to have CA 2023 only (with no/revoked CA 2011), because then you won't be able to clean reinstall Windows from 24H2 without disabling Secure Boot altogether (which is actually fine, since you should be able to validate that you used a source from Microsoft through SHA-1 validation of the retail ISO you downloaded and therefore that, Secure Boot or no Secure Boot, your resulting media should be trustworthy. But I understand that a lot of people are irrationally reluctant to the idea of disabling Secure Boot ever).

Now, if you are dealing with an already installed Windows 11 24H2, and have gone through KB5025885, then your version of Windows should boot from CA 2023 signed bootloaders and CA 2011 should be revoked. But then good luck reinstalling Windows from scratch from a 24H2 ISO with Secure Boot on.
 

I'm leaving the 2011 certificates until MSC gets their act together. I wanted to get the 2023 certificates installed, but that's as far as I went.

Of course, you can also just turn Secure Boot off until MSC gets off their duff and works out the kinks...
 

My current situation is I keep the 2011 and 2023 both available since I'm not ready to re-flash all my bootable USBs, not worth the hassle. :ROFLMAO: If it's ever forced upon us... Just toggle the Secure Boot in the BIOS and move on.
 

Now, if you are dealing with an already installed Windows 11 24H2, and have gone through KB5025885, then your version of Windows should boot from CA 2023 signed bootloaders and CA 2011 should be revoked. But then good luck reinstalling Windows from scratch from a 24H2 ISO with Secure Boot on.
I think all you would need to do is clear the secure boot keys then you could install with secure boot on.
