Every Secure Boot-enabled Windows PC you've used for the last decade has relied on the same set of cryptographic certificates to keep its boot process secure. Those certificates were issued by Microsoft back in 2011, and they're the reason your computer can verify that the software loading before Windows starts is legitimate and hasn't been tampered with. They're baked into your motherboard's firmware, and most people have never had a reason to think about them. That's about to change.
On June 24, 2026, the first of these certificates expires, and if your PC isn't updated in time, it won't suddenly stop booting, and it'll even still receive regular updates, but it will lose the ability to receive future security updates for some of the most sensitive parts of the Windows startup process. Microsoft has started rolling out replacements through Windows Update, but this isn't a simple patch. It requires coordination between Microsoft, your PC's manufacturer, and in some cases, you. Microsoft itself has called this one of the largest coordinated security maintenance efforts across the Windows ecosystem, and having dealt with Secure Boot issues in the past, I can tell you that's not an exaggeration.
Secure Boot's trust chain is built on certificates that were never meant to last forever
Certificates never do
To understand why this matters, you need to understand how Secure Boot actually works under the hood. It's not a toggle in your BIOS settings, even though that's where most people first encounter it. Secure Boot is a chain of trust, a hierarchy of cryptographic certificates stored in your motherboard's UEFI firmware that validates every piece of software that runs before your operating system loads. If any link in that chain is broken or expired, the whole system's ability to protect itself degrades.
At the top of that chain is the Platform Key, or PK. This is owned by your PC's manufacturer, be it Dell, Lenovo, HP, ASUS, or whoever built the board. The PK is the root of trust, and it authorizes changes to everything below it. Below the PK sits the Key Exchange Key, or KEK. Microsoft's KEK certificate is what gives Windows the authority to update the next layer down: the Signature Database, known as the DB, and the Forbidden Signature Database, the DBX.
The DB contains the certificates that your PC trusts to sign bootloaders, drivers, and firmware components. Think of it as the guest list for your boot process. The DBX is the blocklist, containing signatures of known-bad software that should never be allowed to run during boot. When your PC starts up, Secure Boot checks everything against these databases. If a bootloader is signed by a certificate in the DB, it runs. If it matches something in the DBX, it gets blocked. This happens before Windows even loads, which is what makes it so effective as a security mechanism, and so dangerous when it goes wrong.
Here's the problem: three of the certificates in this chain are expiring. The Microsoft Corporation KEK CA 2011 and the Microsoft UEFI CA 2011 both expire in June 2026. The Microsoft Windows Production PCA 2011, which signs the Windows bootloader itself, expires in October 2026. Once they expire, your PC can't use them to validate new updates, and it can't apply new security mitigations to the boot process. You're effectively frozen in time, running whatever protections you had as of the expiration date, with no way to add new ones.
The replacement certificates split things up for a reason
It's safer that way
The 2023 replacement certificates aren't a one-for-one swap. Microsoft has actually restructured how the certificates work, and it's worth understanding why. The original Microsoft Corporation UEFI CA 2011 signed everything, including third-party bootloaders, option ROMs for add-in cards like graphics cards and network adapters, and various firmware components. That was a broad trust grant, and it meant that compromising one part of the ecosystem could ripple outward in ways that were hard to predict.
The new structure separates these responsibilities. There's the Microsoft Corporation KEK 2K CA 2023, which replaces the KEK and authorizes DB and DBX updates, the Windows UEFI CA 2023 for signing Windows boot loader components, and then there's a separate Microsoft Option ROM UEFI CA 2023 specifically for third-party option ROMs and add-in card firmware. This separation means systems that don't need to trust option ROMs don't have to, which is a genuine improvement in how granular Secure Boot's trust model can be. It's the kind of change that should have happened years ago, but the original certificates had to expire first to force the transition.
If this all sounds like fear mongering, consider BlackLotus. Discovered in 2023, BlackLotus was the first UEFI bootkit to bypass Secure Boot on fully updated Windows 11 systems. It exploited CVE-2022-21894, known as Baton Drop, and CVE-2023-24932, which was assigned as part of the effort to protect against BlackLotus. These were vulnerabilities that let attackers swap a modern, secure bootloader for an older, vulnerable one that was still trusted by the system's certificates. The attack took advantage of the fact that Secure Boot's DBX hadn't been updated to revoke those older boot managers, a failure that traces directly back to the complexity of managing certificate-based trust at the firmware level.
Once loaded, BlackLotus could disable BitLocker, Hypervisor-Protected Code Integrity, and Windows Defender, all before the operating system even started. It ran at the firmware level, invisible to antivirus software. If you've ever wondered why boot-level security matters, this is exactly why. An attacker with access to your boot chain can effectively own your entire system, and no amount of endpoint protection running inside Windows can do anything about it.
Microsoft has been working on revoking the vulnerable boot managers ever since, but updating Secure Boot's DBX to block those old bootloaders has been painfully slow, precisely because getting it wrong can make a system unbootable, and Microsoft has even acknowledged this directly. HP, for example, had a firmware bug that could prevent systems from booting entirely after applying certain Secure Boot revocations, which meant Microsoft had to add device-specific checks before rolling out the mitigations.
The expiring certificates make this worse. Without updated certificates, your PC can't receive the revocations needed to block exploits like BlackLotus. You're stuck with a boot process that trusts software it shouldn't, and there's no mechanism to fix it after the fact. Microsoft has explicitly noted that the updated 2023 certificates are the latest security measure to address the BlackLotus vulnerability, making this a security fix that's been three years in the making.
Not every PC is in the same boat
Copilot+ PCs are safe
Copilot+ PCs and most devices manufactured since 2024 already ship with the new 2023 certificates installed, and almost all devices shipped in 2025 include them too. If you bought a new PC in the last year or two, you're probably set. For everyone else, which is most Windows PCs in active use today, the update needs to happen.
Microsoft has started rolling out the new certificates through regular Windows Update on supported systems. For home users on Windows 11 with Microsoft-managed updates, this should happen automatically through the monthly update cycle. Microsoft is rolling this out gradually, expanding based on diagnostic data from devices to make sure updates are safe before pushing them more broadly. In the coming months, certificate update status will also appear in the Windows Security app, which should make it easier for consumers to track.
But for enterprise environments, it's more involved. IT administrators need to enable at least the "required" level of Windows diagnostic data so Microsoft can check whether a device is ready for the update. There's also a registry key to opt in: the path is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot, with a DWORD value called "MicrosoftUpdateManagedOptIn" set to any non-zero value. Beyond that, Microsoft is offering four different deployment methods: Intune, Group Policy, registry keys, and the Windows Configuration System API, which tells you something about how varied the environments they're trying to support are. This isn't a one-click fix for anyone managing a fleet of devices.
Here's the catch, though: Microsoft's update alone isn't enough. Your PC's OEM needs to provide a firmware update first. That firmware update is what updates the Platform Key and prepares the UEFI environment to accept the new certificates. Without it, applying the certificate update through Windows could fail or, in a worst case, cause boot issues. Microsoft has been working closely with OEMs on this, and many have published their own guidance pages, but not every OEM is providing firmware updates for older hardware. If your PC is more than five or six years old, there's a real chance your manufacturer has moved on, and you may be stuck with expiring certificates and no path forward.
Windows 10 users are in an especially tough spot
The final death knell for 10
There's one group that's particularly affected by this, and it's a big one: Windows 10 users. Microsoft ended support for Windows 10 in October 2025, and devices running unsupported versions of Windows don't receive Windows updates at all. That means they won't receive the new Secure Boot certificates. Unless you've enrolled in Extended Security Updates (which has its own costs and limitations), your Windows 10 machine will simply never get the 2023 certificates through normal channels.
Microsoft's official recommendation is to upgrade to a supported version of Windows, which for most people means Windows 11. But that's not always an option. Windows 11's hardware requirements, particularly the TPM 2.0 requirement, locked out millions of otherwise perfectly functional PCs, even if there are workarounds. So you may have a machine that's too old for Windows 11 but still running Windows 10, and now it's also too old to get updated Secure Boot certificates. These problems stack on top of each other, and there's no clean answer for those users.
The affected systems also extend beyond physical desktops and laptops. Virtual machines running on VMware, Hyper-V, and Azure are all subject to the same certificate expiration. Microsoft has published separate guidance for Windows Server, Windows 365, and Azure Virtual Desktop, each with their own deployment considerations. If you're running Secure Boot-enabled VMs, and you should be, those need the certificate update too.
What you should actually do right now
Try to update what you can
If you're a home user, make sure your PC is set to receive Windows updates automatically and that you're running a supported version of Windows. Check with your PC's manufacturer for any available BIOS or firmware updates and install those first. After that, let Windows Update do its thing. Keep an eye on the Windows Security app for certificate status notifications as Microsoft rolls those out.
If you're managing devices in an enterprise, this is a lot more urgent. Microsoft recommends checking the Secure Boot certificate rollout landing page for more up-to-date guidance. Start by checking the "UEFICA2023Status" registry key to track deployments, and apply OEM firmware updates across all of your devices before the Windows certificate update lands. Microsoft is also hosting an Ask Microsoft Anything session on March 12 specifically about Secure Boot, which is worth attending if you're managing a lot of devices.
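A PowerShell readiness check that ties together the opt-in value from the enterprise section above and the UEFICA2023Status check; this is an added example, not code from the article or from Microsoft's guidance. It assumes UEFICA2023Status lives under the same Secureboot key as the opt-in value, and it matches the 2023 CA subject names as plain strings inside the raw KEK and DB variables.

```powershell
# Added example (not from the article or Microsoft): a read-only readiness check plus the
# opt-in step described above. Run in an elevated PowerShell on the target PC.
# Assumptions: UEFICA2023Status is read from the same Secureboot key as the opt-in value;
# the name strings below are the subject names Microsoft's 2011 and 2023 CAs carry.
$secureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'

function Get-UefiVarText {
    param([string]$Name)
    # Get-SecureBootUEFI returns the raw variable; its ASCII rendering still contains the
    # subject names of the X.509 certificates stored inside it, which is enough to match on.
    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Name).Bytes)
}

function Test-SecureBoot2023Readiness {
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is not enabled on this device; certificate updates do not apply.'
        return
    }
    $kek    = Get-UefiVarText -Name KEK
    $db     = Get-UefiVarText -Name db
    $status = (Get-ItemProperty -Path $secureBootKey -ErrorAction SilentlyContinue).UEFICA2023Status
    [pscustomobject]@{
        Kek2023Present      = ($kek -match 'Microsoft Corporation KEK 2K CA 2023')
        WindowsCa2023InDb   = ($db  -match 'Windows UEFI CA 2023')
        OptionRomCa2023InDb = ($db  -match 'Microsoft Option ROM UEFI CA 2023')
        # The 2011 CA stays in the DB until revocation; showing it makes the old chain visible.
        WindowsPca2011InDb  = ($db  -match 'Microsoft Windows Production PCA 2011')
        UEFICA2023Status    = if ($status) { $status } else { '<value not present>' }
    }
}

function Enable-SecureBootUpdateOptIn {
    # The opt-in value from the article: any non-zero DWORD under the Secureboot key.
    if (-not (Test-Path $secureBootKey)) { New-Item -Path $secureBootKey -Force | Out-Null }
    New-ItemProperty -Path $secureBootKey -Name 'MicrosoftUpdateManagedOptIn' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

Test-SecureBoot2023Readiness | Format-List
# Enable-SecureBootUpdateOptIn   # run only after OEM firmware is current and diagnostic data is enabled
```

Run the readiness check across a fleet first; a device showing the 2023 KEK and DB entries already present needs no opt-in, while one still reporting only the 2011 chain is the case to prioritise for OEM firmware.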
The deadline isn't flexible. June 27, 2026 is when the first certificates expire, and October 2026 follows close behind. Your PC won't brick itself on that date, but every day after it without updated certificates is a day your boot process is less secure than it should be. Microsoft has described this as entering a "degraded security state," and given what BlackLotus demonstrated, that's not a risk worth sitting on. The boot chain is the one place where security has to work, because everything else that comes after depends on it.