Act now: Secure Boot certificates expire in June 2026


UPDATE:
www.elevenforum.com

Updating Microsoft Secure Boot keys before expiration in June 2026

https://techcommunity.microsoft.com/event/windowsevents/ask-microsoft-anything-secure-boot---may-2026/4513524 UPDATE 4/02: https://support.microsoft.com/en-us/topic/secure-boot-certificate-update-status-in-the-windows-security-app-5ce39986-7dd2-4852-8c21-ef30dd04f046 UPDATE 2/10...
www.elevenforum.com www.elevenforum.com


 Windows IT Pro Blog:

Prepare for the first global large-scale certificate update to Secure Boot.

The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expiring beginning June 2026. The way to automatically get timely updates to new certificates for supported Windows systems is to let Microsoft manage your Windows updates, which include Secure Boot. A close collaboration with original equipment manufacturers (OEMs) who provide Secure Boot firmware updates is also essential.

If you haven't yet, begin evaluating options and start preparing for the rollout of updated certificates across your organization in the coming months. Learn about this effort, its impact, and what you as an IT admin should do to help ensure that your Windows devices can receive updates after June 2026 without compromising system security.

Important: While platforms beyond Windows are affected, this article focuses on the solution for Windows systems. Be sure to monitor the Secure Boot certificate rollout landing page for status and guidance updates.
Click to expand...

Recap: Why Secure Boot requires updating​

Secure Boot helps to prevent malware from running early in the startup sequence of a Windows device. Coupled with the Unified Extensible Firmware Interface (UEFI) firmware signing process, Secure Boot uses cryptographic keys, known as certificate authorities (CAs), to validate that firmware modules come from a trusted source.

After 15 years, the Secure Boot certificates that are part of Windows systems will start expiring in June 2026. Windows devices will need new certificates to maintain continuity and protection.
  • Affected: Physical and virtual machines (VMs) on supported versions of Windows 10, Windows 11, Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2—the systems released since 2012, including the long-term servicing channel (LTSC)
  • Not affected: Copilot+ PCs released in 2025
Note: Affected third-party OS includes MacOS. However, it's outside the scope of Microsoft support. For Linux systems dual booting with Windows, Windows will update the certificates that Linux relies on.
Click to expand...

Secure Boot uses certificate-based trust hierarchy to ensure that only authorized software runs during system startup. At the top of this hierarchy is the Platform Key (PK), typically managed by the OEM or a delegate, which acts as the root of trust. The PK authorizes updates to the Key Enrollment Key (KEK) database, which in turn authorizes updates to two critical signature databases: the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX). This layered structure ensures that only validated updates can modify the system's boot policy, maintaining a secure boot environment. See how it works in Updating Secure Boot keys.

The change: Expiring certificates​

Windows systems released since 2012 might have expiring versions of the certificates listed below. The UEFI Secure Boot DB and KEK need to be updated with the corresponding new certificate versions.

See what new certificates will be available in the coming months to maintain UEFI Secure Boot continuity.

Expiration dateExpiring certificateUpdated certificateWhat it doesStoring location
June 2026Microsoft Corporation KEK CA 2011Microsoft Corporation KEK 2K CA 2023Signs updates to DB and DBXKEK
June 2026Microsoft Corporation UEFI CA 2011 (or third-party UEFI CA)*a) Microsoft Corporation UEFI CA 2023
b) Microsoft Option ROM UEFI CA 2023		a) Signs third-party OS and hardware driver components
b) Signs third-party option ROMs		DB
Oct 2026Microsoft Windows Production PCA 2011Windows UEFI CA 2023Signs the Windows bootloader and boot componentsDB
*You need two new certificates for Microsoft Corporation UEFI CA 2011, which together allow for more granular control.

Microsoft and partner OEMs will be rolling out certificates to add trust for the new DB and KEK certificates in the coming months.

The impact and implications​

The CAs ensure the integrity of the device startup sequence. When these CAs expire, the systems will stop receiving security fixes for the Windows Boot Manager and the Secure Boot components. Compromised security at startup threatens the overall security of affected Windows devices, especially due to bootkit malware. Bootkit malware can be difficult or impossible to detect with standard antivirus software. For example, even today, the unsecured boot path can be used as a cyberattack vector by the BlackLotus UEFI bootkit (CVE-2023-24932).

Every Windows system with Secure Boot enabled includes the same three certificates in support of third-party hardware and Windows ecosystem. Unless prepared, physical devices and VMs will:
  • Lose the ability to install Secure Boot security updates after June 2026.
  • Not trust third-party software signed with new certificates after June 2026.
  • Not receive security fixes for Windows Boot Manager by October 2026.
To prevent this, you'll need to update your organization's entire Windows ecosystem with certificates dated 2023 or newer. This will also help you apply mitigations needed to help secure your systems against the BlackLotus and similar boot-level cyberattacks today.

Take action today​

To begin, bookmark the Secure Boot certificate rollout landing page and take our readiness survey!

Important: Check with your OEMs on the latest available OEM firmware. Apply any available firmware updates to your Windows systems before applying the new certificates. In the Secure Boot flow, firmware updates from OEMs are the foundation for Windows Secure Boot updates to apply correctly.
Click to expand...

Microsoft support is only available for supported client versions of Windows 11 and Windows 10. Once Windows 10 reaches end of support in October 2025, consider getting Extended Security Updates (ESU) for Windows 10, version 22H2 if you're not ready to upgrade.

In the coming months, we expect to update the Secure Boot certificates as part of our latest cumulative update cycle.

The solution that requires the least effort is letting Microsoft manage your Windows device updates, including Secure Boot updates. However, you might need to adopt multiple solutions. Your specific next step depends on the Windows systems and how you manage them.

Enterprise IT-managed systems that send diagnostic data​

No action is required if Windows systems at your organization receive Windows updates from Microsoft and send diagnostic data back to Microsoft. This includes devices that receive updates through Windows Autopatch, Microsoft Configuration Manager, or third-party solutions.

Note: Check that your firewall doesn't block diagnostic data. If it does, please take action to help diagnostic data reach Microsoft.
Click to expand...

Windows diagnostic data and OEM feedback will help us group devices with similar hardware and firmware profiles to gradually release Secure Boot updates to you. This allows us to intelligently monitor the rollout process, proactively pausing, addressing any issues, and continuing as needed. Just keep your devices updated with the latest Windows updates!

Enterprise IT-managed systems that don't send diagnostic data​

Enable Windows diagnostic data and let Microsoft manage your updates by taking the following steps:
  1. Configure your organizational policies to allow at least the “required” level of diagnostic data. You can use Group Policy or mobile device management (MDM) to do this. See how to do this in Group Policy Management Editor for Windows 11 and Windows 10.
  2. Allow Microsoft to manage Secure Boot-related updates for your devices by setting the following registry key:
  • o Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot
  • o Key name: MicrosoftUpdateManagedOptIn
  • o Type: DWORD
  • o DWORD value: 0x5944 (opt in to Windows Secure Boot updates)
We recommend setting this key to 0x5944. It indicates that all certificates should be updated in a manner that preserves the security profile of the existing device. It also updates the boot manager to the one signed by the Windows UEFI CA 2023 certificate. Note: If the DWORD value is 0 or the key doesn't exist, Windows diagnostic data is disabled.

If you prefer not to enable diagnostic data, please take this anonymous readiness survey. Help us assess the needs of environments like yours to create future guidance on managing the update process independently. You'll remain fully in control and responsible to execute and monitor these updates.

Air-gapped devices, such as in government scenarios or manufacturing, are a special case. Because Microsoft cannot manage these updates, we can only offer the following limited support:
  • Recommend known steps or methods for deploying these updates
  • Share data gathered from our rollout stream
When available, look for these resources on the Secure Boot certificate rollout landing page.

Systems with Secure Boot disabled​

Windows cannot update the active variables of the Secure Boot certificates if Secure Boot is disabled.

Important: Toggling Secure Boot on or off might erase the updated certificates. If Secure Boot is on, leave it enabled. Turning it off can reset the settings with defaults, which is not desirable.
Click to expand...

Share these recommendations with individual users:
  1. Press Windows key + R, type msinfo32, and then press Enter.
  2. In the System Information window, look for Secure Boot State.
  3. If it says On, you're good to go!
If Secure Boot is off or unsupported, the device may not receive the new CAs. For these devices, you may choose to enable Secure Boot with this guidance: Windows 11 and Secure Boot.

www.elevenforum.com

Check if Secure Boot is Enabled, Disabled, or Unsupported in Windows 11

This tutorial will show you how to check if Secure Boot is currently enabled, disabled, or unsupported on your Windows 10 or Windows 11 PC. Windows 11 minimum system requirements include your system to be UEFI (Unified Extensible Firmware Interface) and Secure Boot capable. While the...
www.elevenforum.com www.elevenforum.com
www.elevenforum.com

Enable or Disable Secure Boot in Windows 11

This tutorial will show you how to enable or disable Secure Boot on your Windows 10 and Windows 11 PC. Windows 11 minimum system requirements include your system to be UEFI (Unified Extensible Firmware Interface) and Secure Boot capable. While the requirement to upgrade a Windows 10 device to...
www.elevenforum.com www.elevenforum.com

Change management considerations​

Don't wait until June 2026! Updating DB and KEK with new 2023 certificates will help prevent your systems from boot-level security vulnerabilities today.

Get the latest OEM firmware updates and let Microsoft manage your Windows updates to receive Secure Boot updates automatically. Otherwise, help us understand your special case by completing this anonymous readiness survey.

Watch the release notes for Windows 11, version 24H2, version 23H2, and Windows 10 in the coming months to know when these updates are available to you. Stay tuned for additional guidance for the LTSC as needed.

Bookmark these additional resources:


 Source:

techcommunity.microsoft.com

Act now: Secure Boot certificates expire in June 2026 - Windows IT Pro Blog

Get tips to prepare for the rollout of updated certificates across your organization.
techcommunity.microsoft.com techcommunity.microsoft.com

See also:
www.elevenforum.com

Updating Microsoft Secure Boot keys before expiration in June 2026

https://techcommunity.microsoft.com/event/windowsevents/ask-microsoft-anything-secure-boot---may-2026/4513524 UPDATE 4/02: https://support.microsoft.com/en-us/topic/secure-boot-certificate-update-status-in-the-windows-security-app-5ce39986-7dd2-4852-8c21-ef30dd04f046 UPDATE 2/10...
www.elevenforum.com www.elevenforum.com
 
Last edited:
Click to expand...
Hazel123 said:
I'm a bit confused with it all. I have the 2011. So they need revoking? And how do you get more up to date ones?
Click to expand...
You can download Rufus and pick up the Optional Mosby with the download. When you boot the Rufus USB stick, you follow the Mosby instructions and it'll generate the 2023 keys and install them in your UEFI BIOS.
 

My Computers

System One System Two

  • OS
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14500
    Motherboard
    Gigabyte B760M G P WIFI
    Memory
    64GB DDR4
    Graphics Card(s)
    GeForce RTX 4060
    Sound Card
    Chipset Realtek
    Monitor(s) Displays
    LG 45" Ultragear, Acer 24" 1080p
    Screen Resolution
    5120x1440, 1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 3D NAND NVMe M.2 SSD (O/S)
    Silicon Power 2TB US75 NVMe PCIe Gen4 M.2 2280 SSD (backup)
    Crucial BX500 2TB 3D NAND (2nd backup)
    Seagate 4TB Ironwolf, rotating HDD archive files
    External off-line backup Drives: 2 NVMe 4TB drives in external enclosures
    PSU
    Thermaltake Toughpower GF3 750W
    Case
    LIAN LI LANCOOL 216 E-ATX PC Case
    Cooling
    Lots of fans!
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
  • Operating System
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14400
    Motherboard
    Gigabyte B760M DS3H AX
    Memory
    32GB DDR5
    Graphics card(s)
    Intel 700 Embedded GPU
    Sound Card
    Realtek Embedded
    Monitor(s) Displays
    27" HP 1080p
    Screen Resolution
    1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 eD NAND PCIe SSD
    Samsung EVO 990 2TB NVMe Gen4 SSD
    Samsung 2TB SATA SSD
    PSU
    Thermaltake Smart BM3 650W
    Case
    Okinos Micro ATX Case
    Cooling
    Fans
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
gunrunnerjohn said:
You can download Rufus and pick up the Optional Mosby with the download. When you boot the Rufus USB stick, you follow the Mosby instructions and it'll generate the 2023 keys and install them in your UEFI BIOS.
Click to expand...
Thank you. Surely Microsoft should be sorting this with updates? I mean most people wouldn't have a clue about this stuff!
 

My Computers

System One System Two

  • OS
    Windows 11 Home 25H2
    Computer type
    Laptop
    Manufacturer/Model
    HP Pavilion 14-ce3606sa
    CPU
    Core i5-1035G1
    Memory
    32gb
    Hard Drives
    Samsung 870 evo sata ssd
    Cooling
    Could be better
    Internet Speed
    50 mbps Starlink
    Browser
    Firefox
    Other Info
    Originally came installed with a 500gb H10 Optane ssd
  • Operating System
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    HP Pavilion ce3606sa
    CPU
    Intel Core i5-1035G1
    Memory
    16gb
    Hard Drives
    Hynix Gold P31 2TB
    Internet Speed
    200mbps Starlink
    Browser
    Firefox
    Antivirus
    Defender
Akeo said:
Then can you post the screens you got from Mosby. Coz if there was any issue during the install process, and especially during the installation of the 2023 CA certs, Mosby should have warned you about it and on all the systems I tested, the 2023 CA certs were properly installed.

Without seeing the exact output you got from Mosby, it's going to be very difficult to troubleshoot what your issue might be.
Click to expand...
I'm trying to get the keys installed on a Nimo laptop now, and it's resisting. Mosby says I'm not in Setup Mode, but I've tried every iteration of doing the Reset To Setup Mode and I never get past that error.

1753560930265.webp

I pick Reset to Setup Mode on this screen

1753560689051.webp

I get this prompt and answer Yes.

1753560735520.webp

At this screen, I've answered both Yes and No and get the same result once I reboot and try Mosby again. I didn't know exactly what they were saving, so I answered yes once and no once, but neither answer seemed to do the trick.

1753560781210.webp

When I go to Key Management, I get this screen. Note that Reset To Setup Mode is black, and I can't select it as I'm presuming I'm already in reset mode. Note that it was blue on the other screen when I was able to select it.

1753560827934.webp

Once I reboot, I try Mosby again (booting with Rufus), and I get this same error with a new attempt count.

1753561137071.webp


If I'm doing something wrong, I sure don't know what it is! :unsure:
 

My Computers

System One System Two

  • OS
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14500
    Motherboard
    Gigabyte B760M G P WIFI
    Memory
    64GB DDR4
    Graphics Card(s)
    GeForce RTX 4060
    Sound Card
    Chipset Realtek
    Monitor(s) Displays
    LG 45" Ultragear, Acer 24" 1080p
    Screen Resolution
    5120x1440, 1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 3D NAND NVMe M.2 SSD (O/S)
    Silicon Power 2TB US75 NVMe PCIe Gen4 M.2 2280 SSD (backup)
    Crucial BX500 2TB 3D NAND (2nd backup)
    Seagate 4TB Ironwolf, rotating HDD archive files
    External off-line backup Drives: 2 NVMe 4TB drives in external enclosures
    PSU
    Thermaltake Toughpower GF3 750W
    Case
    LIAN LI LANCOOL 216 E-ATX PC Case
    Cooling
    Lots of fans!
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
  • Operating System
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14400
    Motherboard
    Gigabyte B760M DS3H AX
    Memory
    32GB DDR5
    Graphics card(s)
    Intel 700 Embedded GPU
    Sound Card
    Realtek Embedded
    Monitor(s) Displays
    27" HP 1080p
    Screen Resolution
    1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 eD NAND PCIe SSD
    Samsung EVO 990 2TB NVMe Gen4 SSD
    Samsung 2TB SATA SSD
    PSU
    Thermaltake Smart BM3 650W
    Case
    Okinos Micro ATX Case
    Cooling
    Fans
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
Hazel123 said:
I'm a bit confused with it all. I have the 2011. So they need revoking? And how do you get more up to date ones?
Click to expand...

You do not need to manually revoke these certificates. These people won't actually solve the problem of failure when you follow these steps.

Microsoft will automatically complete these processes without the user having to follow very unclear instructions.
 

My Computer

System One

  • OS
    Windows 11, version 25H2 (26200)
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 9 9950X 16-Core Processor
    Motherboard
    ASRock B650M PG Riptide
    Memory
    DDR5-6000 (CL36) 64.0 GB
    Graphics Card(s)
    NVIDIA GeForce RTX 4090
    PSU
    1200W
    Case
    Phanteks Enthoo Pro 2
    Cooling
    Noctua NH-D12L
In addition to OEMs, many motherboard manufacturers, such as GIGABYTE, ASUS, MSI and ASRock, have included the new certificate in their recent BIOS firmware without requiring users to take additional steps.
KevTech said:
What failure is that?
Click to expand...

See #163 for an example.
 

My Computer

System One

  • OS
    Windows 11, version 25H2 (26200)
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 9 9950X 16-Core Processor
    Motherboard
    ASRock B650M PG Riptide
    Memory
    DDR5-6000 (CL36) 64.0 GB
    Graphics Card(s)
    NVIDIA GeForce RTX 4090
    PSU
    1200W
    Case
    Phanteks Enthoo Pro 2
    Cooling
    Noctua NH-D12L
KevTech said:
What failure is that?
Click to expand...
The one I'm thinking of is that If something was to go wrong a user might find that their computer won't boot. How does one fix their computer or would they have to keep Secure Boot turned off?
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    PowerSpec B746
    CPU
    Intel Core i7-10700K
    Motherboard
    ASRock Z490 Phantom Gaming 4/ax
    Memory
    16GB (8GB PC4-19200 DDR4 SDRAM x2)
    Graphics Card(s)
    NVIDIA GeForce GTX 1050 TI
    Sound Card
    Realtek Audio
    Monitor(s) Displays
    #1. LG ULTRAWIDE 34" #2. AOC Q32G2WG3 32"
    Screen Resolution
    #1. 3440 X 1440 #2. 1920 x 1080
    Hard Drives
    NVMe WDC WDS100T2B0C-00PXH0 1TB
    Samsung SSD 860 EVO 1TB
    PSU
    750 Watts (62.5A)
    Case
    PowerSpec/Lian Li ATX 205
    Keyboard
    Logitech K270
    Mouse
    Logitech M185
    Browser
    Microsoft Edge and Firefox
    Antivirus
    Webroot SecureAnywhere CE 26.1
  • Operating System
    Windows 11 Canary Channel
    Computer type
    PC/Desktop
    Manufacturer/Model
    PowerSpec G156
    CPU
    Intel Core i5-8400 CPU @ 2.80GHz
    Motherboard
    AsusTeK Prime B360M-A
    Memory
    16 MB DDR 4-2666
    Monitor(s) Displays
    23" Speptre HDMI 75Hz
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 970 EVO 500GB NVMe
    Keyboard
    Logitek K270
    Mouse
    Logitek M185
    Browser
    Firefox, Edge and Edge Canary
    Antivirus
    Windows Defender
You would temporarily disable Secure Boot. Run something like my PS script. Figure out what certs you have allowed (DB), and which ones you have banned (DBX). Then the script informs if your boot file is trusted by that combination.

Follow the somewhat vague MS instructions on copying a newer version of the boot file from one folder to another. Re-run the script to confirm the boot file is allowed. Now return to BIOS and re-enable Secure Boot.
 

My Computer

System One

  • OS
    Windows 7
garlin said:
You would temporarily disable Secure Boot. Run something like my PS script. Figure out what certs you have allowed (DB), and which ones you have banned (DBX). Then the script informs if your boot file is trusted by that combination.

Follow the somewhat vague MS instructions on copying a newer version of the boot file from one folder to another. Re-run the script to confirm the boot file is allowed. Now return to BIOS and re-enable Secure Boot.
Click to expand...
Think I'll wait for MS to fix it.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    PowerSpec B746
    CPU
    Intel Core i7-10700K
    Motherboard
    ASRock Z490 Phantom Gaming 4/ax
    Memory
    16GB (8GB PC4-19200 DDR4 SDRAM x2)
    Graphics Card(s)
    NVIDIA GeForce GTX 1050 TI
    Sound Card
    Realtek Audio
    Monitor(s) Displays
    #1. LG ULTRAWIDE 34" #2. AOC Q32G2WG3 32"
    Screen Resolution
    #1. 3440 X 1440 #2. 1920 x 1080
    Hard Drives
    NVMe WDC WDS100T2B0C-00PXH0 1TB
    Samsung SSD 860 EVO 1TB
    PSU
    750 Watts (62.5A)
    Case
    PowerSpec/Lian Li ATX 205
    Keyboard
    Logitech K270
    Mouse
    Logitech M185
    Browser
    Microsoft Edge and Firefox
    Antivirus
    Webroot SecureAnywhere CE 26.1
  • Operating System
    Windows 11 Canary Channel
    Computer type
    PC/Desktop
    Manufacturer/Model
    PowerSpec G156
    CPU
    Intel Core i5-8400 CPU @ 2.80GHz
    Motherboard
    AsusTeK Prime B360M-A
    Memory
    16 MB DDR 4-2666
    Monitor(s) Displays
    23" Speptre HDMI 75Hz
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 970 EVO 500GB NVMe
    Keyboard
    Logitek K270
    Mouse
    Logitek M185
    Browser
    Firefox, Edge and Edge Canary
    Antivirus
    Windows Defender
uncyler825 said:
In addition to OEMs, many motherboard manufacturers, such as GIGABYTE, ASUS, MSI and ASRock, have included the new certificate in their recent BIOS firmware without requiring users to take additional steps.
Click to expand...

Yes the new cert is there but 2011 is not revoked so you are still at risk.
 

My Computer

System One

  • OS
    Windows 11 Pro
KevTech said:
Yes the new cert is there but 2011 is not revoked so you are still at risk.
You seem like you really do not know what the hell you are talking about.
Click to expand...

You are also at risk, there are still many vulnerabilities undiscovered in Windows or firmware.

The risk is not the user's fault. You need to know that no software, firmware and system is Zero vulnerabilities.
 
Last edited:

My Computer

System One

  • OS
    Windows 11, version 25H2 (26200)
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 9 9950X 16-Core Processor
    Motherboard
    ASRock B650M PG Riptide
    Memory
    DDR5-6000 (CL36) 64.0 GB
    Graphics Card(s)
    NVIDIA GeForce RTX 4090
    PSU
    1200W
    Case
    Phanteks Enthoo Pro 2
    Cooling
    Noctua NH-D12L
KevTech said:
Follow what is on the microsoft site instead of trying to use mosby.
Mosby is not the official way to do this.
Click to expand...

You need to be aware that there are vague non-MS instructions in this or other communities on how to do these steps manually.
 

My Computer

System One

  • OS
    Windows 11, version 25H2 (26200)
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 9 9950X 16-Core Processor
    Motherboard
    ASRock B650M PG Riptide
    Memory
    DDR5-6000 (CL36) 64.0 GB
    Graphics Card(s)
    NVIDIA GeForce RTX 4090
    PSU
    1200W
    Case
    Phanteks Enthoo Pro 2
    Cooling
    Noctua NH-D12L
I have SecureBoot turned off anyway
 

My Computers

System One System Two

  • OS
    Windows 11 Pro x64 24H2 v26200.5074
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built Myself in 2025
    CPU
    AMD Ryzen 9 3600X 12-Core @ 3.80GHz
    Motherboard
    MSI X570 Gaming Plus
    Memory
    Corsair 32GB DDR4
    Graphics Card(s)
    EVGA GeForce gtx 1660 Super
    Sound Card
    On Board
    Monitor(s) Displays
    2 X AOC 27" , Dell 27"
    Screen Resolution
    1920 X 1080
    Hard Drives
    ~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~ P34A60 512GB NVMe PCIe Gen3x4 M.2
    ~ 6TB Toshiba HDD
    ~ 6TB HDD (Backup)
    ~ SanDisk 250GB SSD
    ~ 2 X 1TB HDD
    ~~~~~~~~~~
    PSU
    eVGA 750w G+
    Case
    GAMDIAS White ATX Mid Tower Gaming Computer PC Case w/Tempered Glass
    Cooling
    AMD Wraith Prism
    Keyboard
    Nulea RT05 Wireless Ergonomic
    Mouse
    Nulea MD280 Wireless Vertical Mouse
    Internet Speed
    761Mbps (Download) / 692Mbps (Upload)
    Browser
    Firefox
    Antivirus
    Malwarebytes
    Other Info
    *This is my Main Computer That I use*
  • Operating System
    Windows 11 Pro x64 24H2 v26100.2894
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 7 1800X @ 3.60Ghz
    Motherboard
    Asus Crosshair VI Hero
    Memory
    16GB
    Graphics card(s)
    AMD RX580
    Sound Card
    onBoard
    Monitor(s) Displays
    LG 27UK650-W 27", eMachine 22"
    Screen Resolution
    1920 X 1080
    Hard Drives
    250GB SSD
    PSU
    CORSAIR RM850
    Case
    GAMDIAS Black ATX Mid Tower Gaming Computer PC Case w/Tempered Glass
    Cooling
    Liquid
    Keyboard
    Nulea RT05 Wireless Ergonomic
    Mouse
    Nulea MD280 Wireless Vertical Mouse
    Internet Speed
    752Mbps (Download) / 537Mbps (Upload)
    Browser
    Firefox
    Antivirus
    Malwarebytes
    Other Info
    I use this computer for photo/video editing and to track severe weather
Wait till MS shove it down to our throats by force, and once that happens, all 3rd party isos/tools/programs will be also be forced to update the cert of there own boot files as well. So... don't worry :wink: worst case scenario? Just turn off Secure Boot in your BIOS.
 

My Computer

System One

  • OS
    Win11 Insider[Always the latest Dev/Beta releases]
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF Gaming FA506IU Laptop
    CPU
    AMD Ryzen 7 4800H with Radeon Graphics
    Motherboard
    AMD K17.6 FCH, AMD K17.6 IMC
    Memory
    G.SKILL [Samsung Die] DRR4 - 3200Mhz CL18 (18-19-19-36) - 32GB(16GBx2)
    Graphics Card(s)
    nVidia GTX 1660ti GDDR6 6GB(90W) 2.02Ghz Core & +548Mhz Mem-OC'ed [VBIOS Unlocked]
    Sound Card
    Realtek ALC256 @ AMD K17.6
    Monitor(s) Displays
    LM156LF-2F03 144HZ with Adaptive SYNC
    Screen Resolution
    1920x1080 - 144Hz
    Hard Drives
    WDC PC SN530 SDBPNPZ-256G-1002 + SHGP31-500GM-2 + ST1000LM035-1RK172 + Samsung SSD 870 QVO 1TB 1000.2 GB
    PSU
    ASUS Power Brick 180W
    Case
    Laptop Case with Dual Fan
    Cooling
    Dual Fans Design with Self-Cleaning Cooling
    Keyboard
    Asus Aura RGB with Overstroke technology
    Mouse
    ROG SICA Gaming Mouse
    Internet Speed
    100Mbps FiberOptic [100 Mbps Down - 50 Mbps Up]
    Browser
    Chrome/Firefox/Tor
    Antivirus
    Symantec Endpoint Protection with Windows Defender (Active Mode) + Custom DNS Server
    Other Info
    CPU with -15 Curve Optimizer all cores and -50 Cure optimizer on iGPU
    BCLK OC to 101.6Mhz
    Benchmark Scores:-
    CineBench R23 Single core:- 1290 points
    CineBench R23 Multi core:- 11111 points
KevTech said:
I then took that bootmgfw_2023.efi renamed it to bootx64.efi then replaced the bootx64.efi file on USB "drive:\efi\boot\bootx64.efi" with the updated file.
I can boot Macrium or Terabyte recovery media with secure boot on and the Windows Production PCA 2011 revoked.
Click to expand...

Apparently you did not fully follow Microsoft's instructions to update your Windows bootable media. If you correctly update Windows bootable media, the boot.wim will be applied instead of just replacing "bootx64.efi" file.

Updating Windows bootable media to use the PCA2023 signed boot manager - Microsoft Support

support.microsoft.com support.microsoft.com
 

My Computer

System One

  • OS
    Windows 11, version 25H2 (26200)
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 9 9950X 16-Core Processor
    Motherboard
    ASRock B650M PG Riptide
    Memory
    DDR5-6000 (CL36) 64.0 GB
    Graphics Card(s)
    NVIDIA GeForce RTX 4090
    PSU
    1200W
    Case
    Phanteks Enthoo Pro 2
    Cooling
    Noctua NH-D12L
THEBOSS619 said:
all 3rd party isos/tools/programs will be also be forced to update the cert of there own boot files as well.
Click to expand...

All I did was replace the bootx64.efi file on macrium, Terabyte and other bootable removal drives with the new file.
They all boot just fine with secure boot on and the 2011 revoked.

www.elevenforum.com

Act now: Secure Boot certificates expire in June 2026

UPDATE: https://www.elevenforum.com/t/updating-microsoft-secure-boot-keys-before-expiration-in-june-2026.22477/ Windows IT Pro Blog: Prepare for the first global large-scale certificate update to Secure Boot. The Microsoft certificates used in Secure Boot are the basis of trust for operating...
www.elevenforum.com www.elevenforum.com
 

My Computer

System One

  • OS
    Windows 11 Pro
uncyler825 said:
Apparently you did not fully follow Microsoft's instructions to update your Windows bootable media. If you correctly update Windows bootable media, the boot.wim will be applied instead of just replacing "bootx64.efi" file.
Click to expand...
Microsoft are talking about Windows disks to install or recovery the OS on that page not Macrium and other bootable disks that have their own boot.wim created when you create the disk.
All you need to replace is the revoked cert.
 

My Computer

System One

  • OS
    Windows 11 Pro
So far I've seen no accurate data on how many users have been affected by the Black Lotus/Secure Boot vulnerability. ChatGpt reckons there is no hard data on this.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Homebuilt
    CPU
    Intel Core i9 13900K
    Motherboard
    Asus ProArt Z790 Creator WiFi - Bios 3107
    Memory
    Corsair Dominator Platinum 64gb 5600MT/s DDR5 Dual Channel
    Graphics Card(s)
    Sapphire NITRO+ AMD Radeon RX 7900 XTX Vapor-X 24GB
    Sound Card
    External DAC: Cambridge Audio DACMagic200M - Headphone Amp: Topping L50
    Monitor(s) Displays
    Panasonic MX950 Mini LED 55" TV 120hz
    Screen Resolution
    3840 x 2160 120hz
    Hard Drives
    Samsung 980 Pro 2TB (OS)
    Samsung 980 Pro 1TB (Files)
    Lexar NZ790 4TB
    LaCie d2 Professional 6TB external - USB 3.1
    Seagate Expansion 16TB external - USB 3.2
    Seagate One Touch 18TB external HD - USB 3.0
    PSU
    Corsair RM1200x Shift
    Case
    Corsair RGB Smart Case 5000x (white)
    Cooling
    Corsair iCue H150i Elite Capellix XT
    Keyboard
    Incase Ergonomic USB (Microsoft clone)
    Mouse
    Logitech MX Master 3S
    Internet Speed
    Fibre 900/500 Mbps
    Browser
    Microsoft Edge Chromium
    Antivirus
    Bitdefender Total Security
    Other Info
    AMD Radeon Software & Drivers 26.1.1
    Hasleo Backup Suite
    Dashlane password manager
    Kensington Verimark fingerprint reader
    Logitech Brio 4K webcam
    Orico 10-port powered USB 3.0 hub
  • Operating System
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Asus Vivobook X1605VA
    CPU
    Intel® Core™ i9-13900H
    Motherboard
    Asus X1605VA bios 309
    Memory
    32GB DDR4-3200 Dual channel
    Graphics card(s)
    *Intel Iris Xᵉ Graphics G7
    Sound Card
    Realtek | Intel SST Bluetooth & USB
    Monitor(s) Displays
    16.0-inch, WUXGA 16:10 aspect ratio, IPS-level Panel
    Screen Resolution
    1920 x 1200 60hz
    Hard Drives
    512GB M.2 NVMe™ PCIe® 3.0 SSD
    Mouse
    Logitech MX Ergo Trackball
    Antivirus
    Bitdefender Total Security
    Other Info
    720p Webcam
    WiFi & USB to ethernet
You must log in or register to reply here.

Similar threads

  • Article Article
Refreshing the root of trust: industry collaboration on Secure Boot certificate updates
Replies
6
Views
2K
garioch7
garioch7
Solved Windows Secure Boot certificates expiring in 2026
Replies
13
Views
767
jdUnionngarden
jdUnionngarden
  • Article Article
Win Update KB5087539 Windows Server 2025 Cumulative Update build 26100.32860 - May 12
Replies
0
Views
153
Brink
Brink
  • Article Article
Win Update KB5089549 Windows 11 Cumulative Update build 26100.8457 (24H2) and 26200.8457 (25H2) - May 12
7 8 9
Replies
164
Views
23K
banger
banger
  • Article Article
What is new in Windows 11 from February 2026
Replies
0
Views
349
Brink
Brink

Latest Support Threads

Latest Tutorials

Back
Top Bottom