Microsoft’s Secure Boot certificates expire in June 2026, but older PCs may never get the fix

Every Secure Boot-enabled Windows PC relies on a set of cryptographic certificates that Microsoft issued in 2011 to protect the integrity of its boot process. These certificates, stored in the Secure Boot variables of the motherboard's UEFI firmware, have gone largely unnoticed by users until now. That is changing: on June 24, 2026, the first of them expires. Expiry will not stop your PC from booting or from receiving ordinary Windows updates, but Microsoft cannot sign new boot components or blocklist updates with an expired certificate, so a PC that has not received the replacement certificates stops receiving security updates for the critical components of the Windows startup process.

Microsoft has initiated the rollout of replacement certificates through Windows Update, but this is not a straightforward patch. It necessitates collaboration between Microsoft, your PC’s manufacturer, and potentially you. Microsoft has characterized this as one of the most extensive coordinated security maintenance efforts across the Windows ecosystem, a claim that resonates with those familiar with past Secure Boot challenges.

Secure Boot’s trust chain is built on certificates that were never meant to last forever

To grasp the implications, one must understand how Secure Boot works. It is a chain of trust: a hierarchy of cryptographic keys and certificates stored in your motherboard's UEFI firmware, which validates every piece of software that runs before the operating system loads. If a link in that chain is compromised, the protection is gone; if a link expires, no new signed components or blocklist updates can be issued under it, so the protection can no longer be maintained.

At the apex of this hierarchy is the Platform Key (PK), owned by your PC's manufacturer; it authorizes changes to the level below it. Below the PK lies the Key Exchange Key (KEK), which authorizes updates to the Signature Database (DB) and the Forbidden Signature Database (DBX). The DB holds the certificates (and hashes) that your PC trusts for signing bootloaders, UEFI drivers and option ROMs, while the DBX is a blocklist of revoked signers and known-bad binaries. The firmware checks each component against these databases before Windows even starts, which makes Secure Boot a potent defence against bootkits.

However, three critical certificates in this chain are set to expire: the Microsoft Corporation KEK CA 2011 on June 24, 2026, the Microsoft Corporation UEFI CA 2011 on June 27, 2026, and the Microsoft Windows Production PCA 2011 on October 19, 2026. UEFI firmware does not check certificate validity dates, so components already signed by these certificates will keep booting. What changes is that Microsoft will no longer sign new boot managers, DB entries or DBX revocations with them, effectively freezing your system's boot-level security at whatever state it had on the expiration date.

The replacement certificates split things up for a reason

The replacement certificates, created in 2023, are not a direct swap; Microsoft has also restructured what each one is trusted for. The original Microsoft Corporation UEFI CA 2011 had a broad mandate, signing everything from third-party bootloaders (such as the Linux shim) to option ROM firmware on add-in cards. That breadth was a liability: when a single CA is trusted for unrelated classes of code, a compromise or a needed revocation in one class cannot be handled without affecting all the others.

The new structure delineates responsibilities more clearly. The Microsoft Corporation KEK 2K CA 2023 replaces the 2011 KEK and authorizes updates to the DB and DBX. The Windows UEFI CA 2023 signs Windows boot manager components, taking over from the Windows Production PCA 2011. The broad 2011 third-party CA is split in two: the Microsoft UEFI CA 2023 signs third-party bootloaders, and a separate Microsoft Option ROM UEFI CA 2023 is dedicated to option ROMs and add-in card firmware, so a device can trust one class without the other. This makes Secure Boot's trust model more granular, a change that was overdue but was forced by the expiration of the original certificates.

Recent attacks, such as BlackLotus, underscore why boot-level security matters. This UEFI bootkit, publicly analysed in 2023, bypassed Secure Boot on fully updated Windows 11 systems by installing an older Windows boot manager that was still validly signed but carried a known vulnerability, and that had not yet been added to the DBX blocklist; the firmware accepted it because the signature checked out. Keeping the boot chain secure therefore depends on being able to ship new signed components and new revocations, which is exactly what certificate expiry interrupts. An attacker who gains control at this level runs before the operating system and any security software do, and can compromise the entire system.

Not every PC is in the same boat

Fortunately, not all PCs face the same fate. Copilot+ PCs and most devices manufactured since 2024 already come equipped with the new 2023 certificates. If you’ve purchased a new PC in the last year or two, you’re likely in the clear. However, the majority of Windows PCs currently in use will require updates.

Microsoft is gradually rolling out the new certificates via Windows Update for supported systems. For home users on Windows 11 with Microsoft-managed updates, this process should occur automatically. In the coming months, users will be able to track certificate update status through the Windows Security app.

For enterprise environments, the process is more involved. IT administrators must either allow the diagnostic data level required for Microsoft's managed rollout or opt in explicitly through registry keys, and Microsoft offers several deployment methods to cover different management setups. The update also depends on the OEM: a new KEK can only be installed if it is signed by that OEM's Platform Key, and on many devices a firmware update is needed first so that the UEFI implementation handles the new certificates correctly. Applying the certificate update before that step can lead to complications.

Windows 10 users are in an especially tough spot

Windows 10 users face a particularly difficult situation. Microsoft ended support for Windows 10 in October 2025, and unsupported machines will not receive the new Secure Boot certificates through Windows Update. Only devices enrolled in Extended Security Updates, which come with their own limitations, continue to get them.

Microsoft recommends upgrading to a supported version of Windows, typically Windows 11. However, the stringent hardware requirements for Windows 11 have left many users with older, functional PCs unable to upgrade. This predicament leaves a significant number of users without a clear path forward, as they find themselves stuck between outdated software and hardware limitations.

What you should actually do right now

For home users, make sure your PC is set to receive Windows updates automatically. Check with your manufacturer for BIOS or firmware updates and install them before Windows Update applies the certificate update. Watch the Windows Security app for notifications about certificate status.

For enterprise environments, the urgency is greater. Microsoft advises checking the Secure Boot certificate rollout landing page for the latest guidance. Begin by reading the UEFICA2023Status value under HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing on each device, which reports whether the update has not started, is in progress, or is complete, and ensure that OEM firmware updates are applied across the fleet before the Windows certificate update. Microsoft is also hosting sessions on Secure Boot management, which can be useful for those overseeing many devices.
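To turn the checks above, and the KEK/DB hierarchy described earlier, into something you can run on each machine, here is an added PowerShell example; it is not from the article or from Microsoft. It assumes an elevated PowerShell session on a UEFI machine with the built-in SecureBoot module (Get-SecureBootUEFI, Confirm-SecureBootUEFI); the registry path and the UEFICA2023Status value are the ones Microsoft documents for the rollout, and the EFI_CERT_X509_GUID constant comes from the UEFI specification. It parses the KEK and DB variables as EFI_SIGNATURE_LIST structures, lists each X.509 certificate with its expiry date, and reports whether the 2023 CAs are present.

```powershell
# Added example (not part of the article): inventory Secure Boot certificates
# and report the status of the 2023 CA rollout. Run in an elevated PowerShell
# session on a UEFI system; Get-SecureBootUEFI fails without elevation.

function Get-SecureBootCertificate {
    [CmdletBinding()]
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)

    # Get-SecureBootUEFI returns the raw variable contents: a sequence of
    # EFI_SIGNATURE_LIST structures. Only X.509 lists carry certificates;
    # dbx is mostly SHA-256 hash lists, which are skipped here.
    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $now = Get-Date
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType (16 bytes), SignatureListSize (4),
        # SignatureHeaderSize (4), SignatureSize (4); all integers little-endian.
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) {
            throw "Malformed EFI_SIGNATURE_LIST in $Name at offset $offset"
        }
        if ($type -eq $x509Guid) {
            $p   = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while ($p + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes), then the DER certificate
                $der  = [byte[]]$bytes[($p + 16)..($p + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable = $Name
                    Subject  = $cert.GetNameInfo('SimpleName', $false)
                    NotAfter = $cert.NotAfter
                    # Firmware does not enforce NotAfter: 'Expired' means Microsoft can no
                    # longer sign new content under this CA, not that boot will fail.
                    Expired  = ($cert.NotAfter -lt $now)
                }
                $p += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Get-SecureBootRolloutStatus {
    # Registry location Microsoft documents for the 2023 CA update status.
    $servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = (Get-ItemProperty -Path $servicingKey -Name UEFICA2023Status `
               -ErrorAction SilentlyContinue).UEFICA2023Status
    $statusText = if ($status) { $status } else { 'not reported' }

    try   { $enabled = Confirm-SecureBootUEFI }
    catch { $enabled = $false }   # legacy BIOS, or Secure Boot unsupported

    $kek = @(Get-SecureBootCertificate -Name KEK)
    $db  = @(Get-SecureBootCertificate -Name db)

    [pscustomobject]@{
        SecureBootEnabled   = $enabled
        UEFICA2023Status    = $statusText
        KekHas2023          = [bool]($kek | Where-Object Subject -like 'Microsoft Corporation KEK 2K CA 2023')
        DbHasWindows2023    = [bool]($db  | Where-Object Subject -like 'Windows UEFI CA 2023')
        DbHasThirdParty2023 = [bool]($db  | Where-Object Subject -like 'Microsoft UEFI CA 2023')
        DbHasOptionRom2023  = [bool]($db  | Where-Object Subject -like 'Microsoft Option ROM UEFI CA 2023')
        # The 2011 CAs this article is about, with their NotAfter dates.
        ExpiringCAs         = @($kek + $db | Where-Object Subject -like '*2011' |
                                Select-Object Variable, Subject, NotAfter)
    }
}

Get-SecureBootRolloutStatus | Format-List
```

Microsoft's own guidance performs the DB check with a raw string match over the variable bytes; parsing the signature lists instead also yields the NotAfter date of each CA, which is exactly what the expiry discussion is about. A machine that shows the 2011 entries but none of the 2023 ones, with UEFICA2023Status not reported or not complete, is one that still needs the OEM firmware update and the certificate rollout.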

The deadline is not negotiable. The first certificate expires on June 24, 2026, the second three days later, and the last in October 2026, so proactive measures are needed now. Your PC will not stop working, but a device left with only the 2011 certificates enters what Microsoft calls a "degraded security state": it keeps booting, yet can no longer receive boot manager updates or new DBX revocations. The integrity of the boot chain is paramount, as it underpins the security of everything that follows.

Winsage