certificate update

Microsoft has begun rolling out the Secure Boot 2023 certificate update to eligible Windows 11 and Windows 10 PCs ahead of the expiration of the Microsoft Corporation KEK CA 2011 on June 24, 2026. This update enhances device targeting data for automatic Secure Boot certificate updates. Secure Boot is a firmware-level security feature that verifies digital signatures of boot components to prevent rootkits and bootkits. The certificates for Secure Boot were first issued in 2011, with subsequent expirations for related certificates occurring in June and October 2026. Users can check their Secure Boot certificate status through the Windows Security app or System Information. If a PC does not receive the update, it will still boot normally but will lose the ability to receive future boot-level security updates. Multiple restarts after updates are expected due to the Secure Boot certificate process. A new folder, C:WindowsSecureBoot, is not malware but is used for staging cryptographic certificate files. Windows 10 users enrolled in the Extended Security Updates program will also receive the Secure Boot update, while those not enrolled will not. The expiration of the KEK CA 2011 means Microsoft will not be able to sign new Secure Boot revocation payloads using the old key, but existing signed payloads will remain functional.