Microsoft’s Secure Boot certificates, which have anchored system trust for over a decade, are approaching the end of their 15-year lifespan and are set to undergo a significant transition. The first of them, the Microsoft Corporation KEK CA 2011, expires on June 24, 2026. Machines that miss the replacement certificates will not fail immediately, but they will gradually lose access to the security updates that protect against boot-level threats.
What expires first
The expiration timeline is clear, with three original certificate lines scheduled to expire in 2026: the Microsoft Corporation KEK CA 2011 on June 24, the Microsoft UEFI CA 2011 on June 27, and the Microsoft Windows Production PCA 2011 on October 19. The new certificates, issued in 2023, will replace these older trust anchors and include distinct certificates for third-party UEFI bootloaders and option ROMs.
The significance of the June 24 date lies in the role of the KEK, which is responsible for signing updates to the Secure Boot databases that dictate which components are allowed or disallowed during the boot process. Devices lacking the updated certificates will still boot and receive standard Windows updates, but they will gradually lose access to enhanced early-boot protections.
What June 24 does not do
During a recent Ask Microsoft Anything session, engineer Scott Shell clarified that June 24 is not a hard cutoff for the manual rollout of updates. Existing payloads signed under the old certificates will continue to function. What is lost is the ability to sign new disallowed signature database (DBX) payloads with the old KEK. Machines will keep running, but revocations of newly compromised bootloaders can no longer be delivered to them under the old KEK, a gap that stays invisible until the next such threat emerges.
Why boot-level trust matters
Secure Boot serves as a vital gatekeeper, verifying pre-boot software against trusted certificates before the operating system takes control. This layer of security is crucial because it runs before most endpoint security measures have a chance to load. Historical incidents involving bootkits and UEFI rootkits underscore the importance of maintaining robust boot-level trust. Notable threats such as LoJax and MosaicRegressor have demonstrated how attackers can establish themselves at this early stage, making the integrity of Secure Boot paramount.
The LogoFail reminder
The urgency surrounding Secure Boot updates is not solely due to the aging certificates. The recent discovery of LogoFail, a set of vulnerabilities in the image parsers that firmware uses to render boot logos, highlights the ongoing risks. Although rotating Secure Boot certificates does not directly address these vulnerabilities, it provides a refreshed trust base for future security measures and revocations.
What ordinary users should do
For the majority of Windows 10 and Windows 11 users on supported systems, the recommended course of action is straightforward: keep Windows Update and firmware updates current. Most devices will receive the new certificates automatically through Microsoft’s rollout, although some may require updates from their manufacturers. Users can check their Secure Boot certificate status in the Windows Security app, where a green status indicates that the device is already updated.
Where enterprises get caught
For enterprises, the challenge lies in managing a diverse inventory of machines. Even devices sharing a model name may have different firmware versions or configurations, complicating the update process. Microsoft’s rollout system assesses these variables before applying Secure Boot certificate updates, which can lead to discrepancies in update status among seemingly identical devices. Administrators may need to employ tools like Intune or Group Policy to manage updates effectively, especially for machines with unique firmware variants or those that have Secure Boot disabled.
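Both the per-device check described for ordinary users and the enterprise inventory problem come down to reading the KEK and db Secure Boot variables. The following PowerShell is an added example, not code from the article or from Microsoft: it reads those variables with the built-in SecureBoot module and reports which 2011 and 2023 Microsoft CAs are present. The 2023 subject names are assumed from Microsoft’s published certificate names and are not given on this page, and the page’s "Microsoft UEFI CA 2011" is matched by its certificate subject "Microsoft Corporation UEFI CA 2011".

```powershell
# Added example: inventory the Secure Boot KEK and db for the 2011 and 2023 Microsoft CAs.
# Run in an elevated PowerShell session on a UEFI Windows machine (SecureBoot module ships with Windows).
# The 2023 subject strings are assumed from Microsoft's published certificate names, not from the article.
function Get-SecureBootCaStatus {
    [CmdletBinding()]
    param()

    try {
        # Confirm-SecureBootUEFI throws on legacy BIOS / unsupported firmware; disabled Secure Boot returns $false.
        if (-not (Confirm-SecureBootUEFI)) {
            Write-Warning 'Secure Boot is disabled; the certificate databases are not enforced on this device.'
        }
    } catch {
        throw "This device does not expose UEFI Secure Boot variables (legacy BIOS or unsupported firmware): $_"
    }

    # Old trust anchors (on the page) and their assumed 2023 replacements, keyed by the variable they live in.
    $expected = @(
        [pscustomobject]@{ Variable = 'KEK'; Generation = '2011'; Subject = 'Microsoft Corporation KEK CA 2011' }
        [pscustomobject]@{ Variable = 'KEK'; Generation = '2023'; Subject = 'Microsoft Corporation KEK 2K CA 2023' }
        [pscustomobject]@{ Variable = 'db';  Generation = '2011'; Subject = 'Microsoft Windows Production PCA 2011' }
        [pscustomobject]@{ Variable = 'db';  Generation = '2023'; Subject = 'Windows UEFI CA 2023' }
        [pscustomobject]@{ Variable = 'db';  Generation = '2011'; Subject = 'Microsoft Corporation UEFI CA 2011' }
        [pscustomobject]@{ Variable = 'db';  Generation = '2023'; Subject = 'Microsoft UEFI CA 2023' }
        [pscustomobject]@{ Variable = 'db';  Generation = '2023'; Subject = 'Microsoft Option ROM UEFI CA 2023' }
    )

    # Read each variable once. The bytes are EFI_SIGNATURE_LISTs holding DER certificates whose subject
    # names are plain ASCII, so a substring search is sufficient for an inventory (not for validation).
    $blobs = @{}
    foreach ($name in 'KEK', 'db') {
        $blobs[$name] = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $name).Bytes)
    }

    foreach ($e in $expected) {
        [pscustomobject]@{
            Variable   = $e.Variable
            Generation = $e.Generation
            Subject    = $e.Subject
            Present    = $blobs[$e.Variable].Contains($e.Subject)
        }
    }
}

$status = Get-SecureBootCaStatus
$status | Format-Table -AutoSize

# A device is only ready for post-June-2026 DBX revocations if every 2023 anchor is present.
$missing = $status | Where-Object { $_.Generation -eq '2023' -and -not $_.Present }
if ($missing) { Write-Warning ('Missing 2023 trust anchors: ' + (($missing | ForEach-Object Subject) -join ', ')) }
else { 'All 2023 Secure Boot CAs are present in KEK and db.' }
```

Collecting the table from each device through the management tooling already in use gives the per-firmware-variant view that the rollout system itself relies on, so machines reporting the same model but different status can be separated.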
The phased expiration of these certificates means that machines will continue to operate while the trust framework beneath them gradually weakens, potentially leaving them exposed to future threats. As the threat landscape evolves, maintaining an up-to-date and secure boot environment becomes increasingly critical.