Critical Secure Boot process has started for Windows users

Some Secure Boot certificates used on Windows devices begin to expire in June 2026. Microsoft is replacing the old certificates issued in 2011 with new certificates dated 2023.

The update process will proceed automatically via Windows Update for most users, but additional steps may be required on some older systems, corporate devices, servers, virtual machines and computers that need firmware support.

Secure Boot is a security layer that allows only trusted software and components to run when the computer is turned on. The system verifies the bootloader, firmware drivers and other early boot components against digital certificates held in the UEFI firmware. This structure is especially critical against bootkit-type malware, which can become active before the operating system is loaded.

Why are Secure Boot certificates renewed?

Microsoft’s Secure Boot certificates dated 2011, which have long been used in the Windows ecosystem, are now reaching the end of their useful life.

The Microsoft Corporation KEK CA 2011 and Microsoft UEFI CA 2011 certificates will expire in June 2026, and the Microsoft Windows Production PCA 2011 certificate will expire in October 2026. These certificates play different roles in the Secure Boot chain. The KEK side is used to sign DB and DBX updates, and the certificates on the DB side are used for the Windows bootloader, third-party bootloader components, EFI applications and option ROMs.

This change does not mean that computers will stop booting en masse in June 2026. Microsoft states that devices that have not been updated will continue to operate normally for a while. However, devices that do not receive the new certificates will, over time, stop receiving the protections published for Windows Boot Manager, the Secure Boot databases and revocation lists, and for new boot-level vulnerabilities. This will make the device more vulnerable to attacks, especially those that come into play before the operating system starts.

Microsoft is gradually distributing the new certificates dated 2023 to supported Windows systems via Windows Update. Many Windows computers produced since 2024 come with these new certificates. On other devices, the process progresses through monthly Windows updates and the BIOS/UEFI firmware updates offered by manufacturers. On some systems, it may be necessary to install the device manufacturer’s firmware update first so that the new Secure Boot certificates can be applied without problems.

The first thing home users should do is make sure that Windows Update is turned on and updates are not paused. Microsoft says the new 2023 certificates for supported Windows 10 and Windows 11 Home, Pro or Education systems will arrive via the regular Windows Update channels. On the Windows 10 side, the situation is more limited. Since general support for Windows 10 ended on October 14, 2025, users who want to continue receiving security updates, including Secure Boot updates, must participate in the Extended Security Updates program.

Users can check the Secure Boot status in two different places. The first method is to open the Device security section of the Windows Security application and look at the Secure Boot status. Starting in April 2026, Microsoft added information to the Windows Security app that shows the Secure Boot certificate update status. Here, the green sign indicates that the device has adequate protection, the yellow warning sign indicates that there is a recommended action, and the red sign indicates that there is a situation that requires urgent attention.

However, a green sign alone does not prove that the certificates have been updated; the text indicating that the necessary certificate updates have been applied must also appear on the screen. The second method is to check the System Information screen. When you press the Windows + R keys and type msinfo32, the Secure Boot State line can be seen in the window that opens. Secure Boot is expected to be turned on here.

If Secure Boot is turned off, Windows cannot update the active Secure Boot certificate variables. Microsoft recommends not turning Secure Boot off if it is turned on, because doing so may cause updated certificates to be reset on some systems. On the corporate side, the picture is broader. Physical devices, virtual machines, Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 and 2012 R2 are also affected by the Secure Boot certificate change.

Microsoft recommends that IT administrators take inventory, monitor the UEFICA2023Status registry value, pilot the deployment on small, representative groups of devices, and avoid mixing different deployment methods on the same device. Deployment options are available via Intune, registry keys, Windows Configuration System and Group Policy. Device manufacturers also play a critical role in this transition. Microsoft has compiled Secure Boot support pages for Acer, ASUS, Dell, HP, Lenovo, LG, MSI, Microsoft Surface, and many other manufacturers in one place.

On the server side, Dell, Cisco, HPE, Lenovo, VMware/Broadcom and other manufacturers also have separate guidelines. Especially on old motherboards, custom firmware configurations, servers and managed device fleets, manufacturer firmware updates can determine whether the process completes cleanly. The update process also has some side effects. Microsoft states that on a small number of devices, problems such as the system not starting or the BitLocker recovery screen appearing may occur after the new certificates are obtained.

Therefore, it is important to ensure that BitLocker recovery keys are accessible, especially on corporate devices, to create a test group before deploying firmware updates, and to centrally monitor Secure Boot status.
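
For the inventory and central monitoring steps above, the following added example (not from Microsoft or the original article) parses the raw contents of a Secure Boot db variable, for instance the bytes returned by PowerShell's Get-SecureBootUEFI for db, and reports which of the 2011 and 2023 certificate names are enrolled. The 2023 certificate names, the name-matching heuristic and the sample data are assumptions of this example; the sample blobs are constructed placeholders, not real certificates.

```python
import struct
import uuid

# EFI_CERT_X509_GUID (UEFI specification): a signature list holding X.509 certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# db names to inventory. The 2011 names are from the article; the 2023 names
# are the replacement certificates this example assumes it should find.
OLD_2011 = ("Microsoft UEFI CA 2011", "Microsoft Windows Production PCA 2011")
NEW_2023 = ("Windows UEFI CA 2023", "Microsoft UEFI CA 2023")

def parse_signature_lists(data):
    """Yield (type_guid, owner_guid, payload) for each entry in a db/dbx/KEK variable."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", data, offset + 16)
        end = offset + list_size
        if list_size < 28 + header_size or end > len(data) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {offset}")
        pos = offset + 28 + header_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        offset = end

def db_report(data):
    """Report watched names found in X.509 entries (byte-substring heuristic, no DER parsing)."""
    certs = [p for t, _owner, p in parse_signature_lists(data) if t == EFI_CERT_X509_GUID]
    def present(name):
        return any(name.encode("ascii") in cert for cert in certs)
    return {"old_2011": [n for n in OLD_2011 if present(n)],
            "new_2023": [n for n in NEW_2023 if present(n)],
            "missing_2023": [n for n in NEW_2023 if not present(n)]}

def make_list(type_guid, payloads, owner=uuid.UUID(int=0)):
    """Build one signature list; used only to construct the sample input below."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return type_guid.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body

# Constructed sample: placeholder blobs carrying only the names, not real DER certificates.
SAMPLE_DB = (make_list(EFI_CERT_X509_GUID, [b"\x30\x82CN=Microsoft Windows Production PCA 2011"])
             + make_list(EFI_CERT_X509_GUID, [b"\x30\x82CN=Microsoft UEFI CA 2011"])
             + make_list(EFI_CERT_X509_GUID, [b"\x30\x82CN=Windows UEFI CA 2023"]))

if __name__ == "__main__":
    print(db_report(SAMPLE_DB))
```

A non-empty missing_2023 list marks a device whose db has not yet received all of the watched 2023 certificates; the parser raises ValueError on a truncated or malformed export instead of reporting a partial result.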