Redmond, Washington
A countdown that began in 2011 has just ended for millions of laptops and desktops in the United States. June 24, 2026, is the official expiration date for the first of three Microsoft Secure Boot certificates. This change will affect how Windows computers check their security when they start up. Most home users and network administrators will not notice any immediate problems, as their computers will still start normally. However, there are important security issues happening behind the scenes that should not be ignored.
What the Microsoft Secure Boot Certificate Expiration Means for Your Machine
Microsoft Secure Boot certificate expiration is not an abstract IT event. It is the end of a cryptographic authority that has silently governed every Windows boot sequence since the first Obama administration. The certificate in question, the Microsoft Corporation KEK CA 2011, is the Key Exchange Key credential that authorized Windows Update to push new entries into a device’s Secure Boot allow list and deny list, the pair of databases that decide what software may or may not run before the operating system loads.
When the first certificate expires on June 24, 2026, a PC that does not get the automatic update will still start up and continue to receive regular Windows updates. However, it will no longer get security updates for some of the most important parts of the Windows startup process.
The second certificate, the Microsoft UEFI CA 2011 that signs third-party bootloaders, expires on June 27. The Microsoft Windows Production PCA 2011, which signs the Windows bootloader, expires in October 2026. Three certificates, three staggered deadlines, and a security risk that grows at each one.
The Trust Anchor the World Forgot It Had
Firmware security professionals view this as a major event, not just routine maintenance, given the important role these 2011 certificates play in system security.
At the top of the Secure Boot chain sits the Platform Key, owned by the PC’s manufacturer: Dell, Lenovo, HP, ASUS, or whoever built the board. The Platform Key authorizes changes to everything below it. Beneath it sits the Key Exchange Key, or KEK. Microsoft’s KEK certificate is what gives Windows the authority to update the Signature Database (the DB) and the Forbidden Signature Database (the DBX).
The DBX is where the risks become real. If malware such as the BlackLotus bootkit is detected, its signature is added to the DBX, which tells every updated Windows computer never to trust that compromised bootloader again. That process depends completely on the KEK. If the KEK chain breaks down, new revocations cannot be delivered to the device. Entries for threats like BlackLotus and BootHole have been added to the DBX this way in the past. A device frozen at its last DBX state will still start up with Secure Boot enabled, but it will also keep trusting any bootloader revoked after that point, leaving attackers a path to load malicious software during boot.
A computer that misses the Trust Anchor updates does not show obvious problems. It keeps running, but it stops getting the latest security protections at the firmware level.
How the Windows Update Rollover Actually Works
Microsoft’s response to this expiration is an automated Windows Update rollover that replaces the aging 2011 certificates with new ones from 2023. This update is more complicated than a normal software patch because it changes cryptographic settings stored in the motherboard firmware, not just files on the hard drive.
Secure Boot relies on the public keys of trusted certificate authorities (CAs), stored in the firmware, to validate that firmware modules and bootloaders come from a trusted source. This helps prevent malware from running early in the startup sequence of a Windows device.
This change does not happen all at once. Instead, it is a gradual process that will continue until October 2026. Microsoft has started rolling out the new 2023 certificates to existing devices through Windows Update. Computers sold since early 2024 already have the 2023 certificates installed, which is helpful for organizations with newer hardware. However, this creates a risk for those with older devices.
The changes are more involved than simply swapping one certificate for another. The original Microsoft Corporation UEFI CA 2011 signed many things: third-party bootloaders, option ROMs for add-in cards such as graphics and network adapters, and other firmware components. With the renewal, two separate certificates now handle bootloader signing and option ROM signing. This gives organizations finer control over what their systems trust. For example, a system can add the Microsoft Option ROM UEFI CA 2023 to trust option ROMs without also trusting third-party bootloaders.
The Microsoft Secure Boot Certificate Expiration June 2026: Who Is Actually at Risk?
The Microsoft Secure Boot certificate’s June 2026 expiration creates a split population of Windows devices. For machines running Windows 11 that have received recent cumulative updates, the automated rollover should already be complete or in progress. The risk concentrates elsewhere.
Any computer made before 2024 needs to get this update. Older hardware that lacks manufacturer support may never receive it.
Enterprise environments face extra challenges. Many organizations configure Windows Update to delay or limit automatic updates, a common practice for validating stability before broad deployment. Devices that do not obtain the 2023 certificates before the deadline will retain their current DB and DBX states when the KEK expires. They will stay in that state until an OEM firmware update installs the new certificates.
One symptom to watch for: if the AvailableUpdates registry value on a device reads 0x4104 and the 0x0004 bit does not clear even after multiple restarts, the device has not progressed past deploying the new Key Exchange Key (KEK) certificate. Network managers can check compliance status via the PowerShell commands published at Microsoft’s dedicated resource hub, aka.ms/GetSecureBoot; the registry value UEFICA2023Status reads “updated” once the transition has completed.
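As an added example (not the article’s or Microsoft’s own tooling), the following status check reports, for one device, the items the paragraph describes: Secure Boot state, UEFICA2023Status, the AvailableUpdates bitmask with the 0x0004 KEK bit decoded as the article explains it, and whether the 2023 certificates are actually present in the live KEK and DB variables. The registry paths and the 2023 certificate subject names (“Microsoft Corporation KEK 2K CA 2023”, “Windows UEFI CA 2023”) are assumed from Microsoft’s public guidance and should be confirmed against aka.ms/GetSecureBoot.

```powershell
# Added example: report Secure Boot certificate rollover status on the local device.
# Run from an elevated session; the SecureBoot module ships with Windows.
function Get-SecureBootRolloverStatus {
    # Registry locations assumed from Microsoft's published servicing guidance.
    $sbKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $svcKey = Join-Path $sbKey 'Servicing'

    $status = [ordered]@{
        SecureBootEnabled = $false
        UEFICA2023Status  = 'unknown'
        AvailableUpdates  = 'n/a'
        KekUpdatePending  = $false
    }

    try { $status.SecureBootEnabled = Confirm-SecureBootUEFI } catch { }

    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    if ($svc -and $svc.UEFICA2023Status) { $status.UEFICA2023Status = $svc.UEFICA2023Status }

    $sb = Get-ItemProperty -Path $sbKey -ErrorAction SilentlyContinue
    if ($sb -and $null -ne $sb.AvailableUpdates) {
        $status.AvailableUpdates = ('0x{0:X4}' -f $sb.AvailableUpdates)
        # Bit 0x0004 still set = the new KEK certificate has not been deployed (per the article).
        $status.KekUpdatePending = [bool]($sb.AvailableUpdates -band 0x0004)
    }

    # Inspect the live UEFI variables. Certificate subject names are stored as printable
    # ASCII inside the DER blobs, so a substring search is a sufficient presence check.
    # The 2011 PCA normally remains in DB after the rollover; it is reported for context.
    foreach ($pair in @(
        @{ Var='kek'; Name='Microsoft Corporation KEK 2K CA 2023';  Label='Kek2023Present' },
        @{ Var='db';  Name='Windows UEFI CA 2023';                  Label='WindowsCa2023InDb' },
        @{ Var='db';  Name='Microsoft Option ROM UEFI CA 2023';     Label='OptionRomCa2023InDb' },
        @{ Var='db';  Name='Microsoft Windows Production PCA 2011'; Label='Pca2011InDb' })) {
        $present = $false
        try {
            $bytes   = (Get-SecureBootUEFI -Name $pair.Var).Bytes
            $present = [System.Text.Encoding]::ASCII.GetString($bytes).Contains($pair.Name)
        } catch { }
        $status[$pair.Label] = $present
    }

    # Ready = 2023 KEK and Windows CA installed and no KEK deployment step still pending.
    $status.Ready = $status.Kek2023Present -and $status.WindowsCa2023InDb -and -not $status.KekUpdatePending
    [pscustomobject]$status
}

Get-SecureBootRolloverStatus | Format-List
```

Run it through your management tooling across the fleet and sort on the Ready column; devices that report a 2023 KEK but an unchanged UEFICA2023Status are the ones worth a closer look.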
BitLocker users have another issue to consider. When the certificate changes, systems sealed to PCR7 will need the BitLocker recovery key the first time they start up. If administrators have not already stored these recovery keys in Active Directory or Azure AD before the update, they may end up with locked devices and extra helpdesk requests.
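The recovery-key preparation described above, as an added example that is not part of the article: for every BitLocker volume with a TPM-based protector (the kind whose PCR 7 measurement changes when the firmware certificates do), make sure a recovery password protector exists and escrow it to Active Directory or to Entra ID (Azure AD) before the rollover. The cmdlets are the standard BitLocker module ones; the function name is this example’s own.

```powershell
# Added example: pre-stage BitLocker recovery passwords ahead of the Secure Boot
# certificate rollover so a PCR7 mismatch at first boot does not strand the device.
# Requires the BitLocker module and an elevated session.
function Invoke-BitLockerRecoveryEscrow {
    param(
        # 'AD'  escrows to Active Directory (needs the BitLocker recovery GPO/schema in place).
        # 'AAD' escrows to Microsoft Entra ID (Azure AD) for joined devices.
        [ValidateSet('AD', 'AAD')] [string]$Target = 'AD'
    )
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
        $mp = $vol.MountPoint

        # Only TPM-based protectors are sealed to firmware measurements (PCR 7 binding is the
        # default on UEFI Secure Boot systems); password/key-only volumes are unaffected.
        $tpmBound = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
        if (-not $tpmBound) { Write-Output "$mp : no TPM protector, no PCR7 impact"; continue }

        # Add a recovery password protector if the volume does not have one yet.
        $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $rp) {
            $vol = Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector
            $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        }

        # Escrow every recovery password protector so the helpdesk can retrieve it later.
        foreach ($p in $rp) {
            if ($Target -eq 'AAD') {
                BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
            } else {
                Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
            }
            Write-Output "$mp : recovery protector $($p.KeyProtectorId) escrowed to $Target"
        }
    }
}

Invoke-BitLockerRecoveryEscrow -Target 'AD'
```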
The BlackLotus Problem: Why Frozen Security Is Not Static Security
The key point for both home users and IT managers is that firmware security is always changing. A computer stuck at its June 2026 DBX state will still start up and appear normal, but new threats will continue to appear.
BlackLotus, a UEFI bootkit that Microsoft started blocking in 2023, showed how dangerous an unrevokable bootloader exploit can be. It can survive even if the operating system is reinstalled, avoid detection by security tools that load after startup, and disable security features such as Secure Boot on vulnerable systems. As new threats emerge, a device stuck in this expired state will become increasingly insecure.
The NSA’s December 2025 cybersecurity information sheet issued a clear warning: having a TPM and using BitLocker do not mean Secure Boot is configured correctly. Most enterprise environments still use outdated or default settings. A locked hard drive and a verified boot process are two different defenses. The Microsoft Secure Boot certificate expiration event forces the enterprise community to confront the fact that many devices carry only the former.
What Network Managers and Home Users Should Do Now
For Windows devices that get updates directly from Microsoft, the Windows Update rollover to the 2023 certificates is largely automatic, but verifying it is still the responsible step. Open Windows Security, go to Device Security, and confirm that Secure Boot is on.
For IT-managed environments, more planning is needed. First, use the PowerShell tool at aka.ms/GetSecureBoot to find devices with 2011 certificates. Identify which machines need OEM firmware updates, prepare BitLocker recovery keys in advance, and plan the update process to avoid disrupting important or isolated systems.
Organizations that use Linux or dual-boot systems have another step to consider. The Red Hat Shim bootloader is signed by Microsoft with the UEFI CA 2011. After this certificate expires, RHEL and Fedora systems on devices that have not been updated will not boot securely.
The Microsoft Secure Boot certificate expiration in June 2026 does not mean Windows security is over. Instead, it is a test of how well the industry has maintained the hidden systems that support it. Computers that pass this test were built or updated so that users did not have to worry. Those that do not pass will carry a hidden and growing vulnerability that antivirus scans, OS reinstalls, and future patches cannot fix unless action is taken before time runs out.
Source: Introducing a powerful new chapter for Windows PCs, accelerated by NVIDIA RTX Spark