Microsoft's 2011 Secure Boot certificates expire in June 2026, potentially leaving millions of PCs unable to receive future bootloader security updates unless firmware is updated to support new 2023 certificates.
Microsoft has begun rolling out replacement Secure Boot certificates that Windows will need once the original 2011 certificates begin expiring in June 2026. The transition is already showing up in recent cumulative updates, but the next phase is less about Windows and more about firmware readiness. If your PC's UEFI firmware is not prepared to accept and retain the new 2023 certificates, Windows Update can attempt the handover and still leave the device stuck in what Microsoft describes as a degraded security state, where future boot-related security updates may not apply cleanly.
What's Actually Expiring, and When?
Microsoft's long-running Secure Boot trust anchors from 2011 start expiring in late June 2026, with additional expirations later in 2026. Dell's breakdown is one of the clearest public timelines, listing the first 2011 certificate expiration date as June 24, 2026 (Microsoft Corporation KEK CA 2011), followed by June 27, 2026 (Microsoft Corporation UEFI CA 2011), and another key certificate expiring on October 19, 2026 (Microsoft Windows Production PCA 2011).
Practically, multiple vendors echo the same bottom line: systems are expected to keep booting, but devices that do not transition to the 2023-era certificate chain can lose the ability to receive future bootloader and Secure Boot updates, which is where the "degraded security" wording comes from.
Microsoft's Part: Windows Can Deliver the New Trust Chain, But Only If Firmware Cooperates
The key technical enabler is already in supported Windows builds. Microsoft's KB5036210 notes that Windows updates released on and after February 13, 2024 include the ability to apply the Windows UEFI CA 2023 certificate to the UEFI Secure Boot Allowed Signature Database (db), and that updating the db is needed to receive future boot loader updates through monthly updates.
Microsoft also says that "most personal Windows devices" should receive the new certificates automatically through Microsoft-managed updates, but explicitly warns that some devices may require an OEM firmware update to apply the new certificates correctly.
Where OEMs Come In: Active Keys vs Default Keys, and Why Resets Can Bite You
This is where vendor firmware policy matters more than most home users realize. Dell's Secure Boot Transition FAQ distinguishes between the Active Secure Boot database (what the system actually enforces at boot, and what Windows Update commonly modifies) and the Default Secure Boot database (the factory reset set, typically updated via BIOS flashing).
Dell also warns that certain firmware actions, such as toggling "Expert Key Mode," can erase Active variables that came from Windows Update if the Default database has not been updated appropriately. That same Dell document also describes a "dual certificate strategy," saying Dell began shipping both 2011 and 2023 certificates on newly launched platforms in late 2024 and expanded that approach across sustaining platforms shipping from factories by the end of 2025.
Lenovo's own guidance for commercial PCs similarly frames the fix as a BIOS update that adds the 2023 certificates into the default Secure Boot variables, with additional steps sometimes needed to activate the 2023 variables on systems that are not already pre-configured. It also flags BitLocker recovery as a potential side effect, which is why backing up recovery keys before firmware changes remains good practice.
HP's advisory likewise says it has been working with Microsoft to prepare Secure Boot-enabled HP products for the new certificates and warns that certificate expiration can prevent systems from receiving Secure Boot and Windows Boot Manager-related security updates, increasing exposure to bootkit-style threats.
The DIY and Gaming Motherboard Problem: Sometimes You Must "Install Default Keys" Yourself
ASUS is one of the few consumer-facing vendors that has published a highly procedural, step-by-step guide for this transition, including how to confirm the new 2023 entries are present in firmware and what to do if they are not. In its support FAQ, ASUS describes navigating through UEFI Secure Boot key management and verifying that KEK includes "Microsoft Corporation KEK 2K CA 2023," and that the db includes "Windows UEFI CA 2023" (alongside other 2023-era Microsoft entries).
It also documents remediation steps such as "Install Default Secure Boot Keys" or "Restore Factory Keys" after updating the BIOS, which effectively repopulates the key databases from the firmware's default store. This is the gap that tends to hit DIY systems hardest: Windows can deliver updates, but motherboard firmware can still require manual intervention before the new keys are fully present and active.
How to Check Readiness Using Microsoft's Official Signals
For IT-managed fleets, Microsoft's Secure Boot playbook outlines concrete indicators you can monitor. Microsoft says a successful deployment can be confirmed by auditing Windows System Event Log entries for Event ID 1808, and that failures to apply updated certificates are associated with Event ID 1801.
The same playbook also references the UEFICA2023Status registry key, which should ultimately read "Updated," and notes that a UEFICA2023Error key should not exist unless an error is pending. The playbook also explicitly recommends applying OEM firmware updates before Secure Boot-related Windows updates if your organization has identified issues or your OEM recommends a BIOS update, which reinforces the overall theme: the Windows side is only half the story.
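The checks described above and in the ASUS section can be scripted from Windows. The following is an added example, not code from the article, Microsoft, or any OEM; it assumes an elevated PowerShell session on a UEFI machine and assumes the UEFICA2023Status and UEFICA2023Error values live under the SecureBoot\Servicing registry key.

```powershell
# Added readiness check (not from the article). Run elevated on the PC being assessed.
function Test-SecureBoot2023Readiness {
    $result = [ordered]@{}

    # 1. Firmware side: do the live (Active) KEK and db hold the 2023 entries?
    #    Get-SecureBootUEFI returns the raw variable bytes; certificate subject
    #    names appear as ASCII inside them, so a substring search detects presence
    #    (the same verification ASUS describes in its UEFI key menus, from Windows).
    try {
        $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
        $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    } catch {
        # Legacy BIOS or Secure Boot unsupported: nothing to transition.
        $result['Error'] = "Secure Boot variables unreadable: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    $result['KEK_2011_present'] = $kek -match 'Microsoft Corporation KEK CA 2011'
    $result['KEK_2023_present'] = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    $result['DB_2023_present']  = $db  -match 'Windows UEFI CA 2023'

    # 2. Windows side: the playbook's System event log signals.
    #    1808 = certificates applied successfully, 1801 = failure to apply.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1801, 1808 } `
                           -ErrorAction SilentlyContinue
    $result['Event1808_success_seen'] = [bool]($events | Where-Object Id -eq 1808)
    $result['Event1801_failure_seen'] = [bool]($events | Where-Object Id -eq 1801)

    # 3. Registry status. ASSUMPTION: the values sit under this Servicing key;
    #    adjust the path if your Windows build stores them elsewhere.
    $svc   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $props = Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue
    $result['UEFICA2023Status'] = $props.UEFICA2023Status   # target: 'Updated'
    $result['UEFICA2023Error']  = $props.UEFICA2023Error    # should be absent ($null)

    # Ready only when firmware holds both 2023 entries, Windows reports Updated,
    # and no error value is pending. A missing KEK/db entry points at an OEM
    # BIOS update or "Install Default Secure Boot Keys" step, not Windows Update.
    $result['Ready'] = $result['KEK_2023_present'] -and $result['DB_2023_present'] -and
                       ($result['UEFICA2023Status'] -eq 'Updated') -and
                       (-not $result['UEFICA2023Error'])
    return [pscustomobject]$result
}

Test-SecureBoot2023Readiness | Format-List
```

On a fleet, the returned object can be collected per device to separate firmware-side gaps (missing 2023 KEK/db entries) from Windows-side failures (Event ID 1801 or a pending UEFICA2023Error).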
The Windows 10 "Zombie" Edge Case Is Still Real
Finally, the certificate refresh is another pressure point for Windows 10 holdouts. Microsoft's own support documentation states Windows 10 support ended on October 14, 2025, and Microsoft positions Windows 10 Extended Security Updates (ESU) as the paid path for continuing to receive security updates after that date.
Microsoft's Secure Boot guidance also reiterates that devices on unsupported Windows versions do not receive Windows updates, which is why the Secure Boot handover is effectively tied to staying on a supported servicing path (or ESU for Windows 10, where applicable).
What This Means for Your PC
The Secure Boot certificate transition represents one of the more complex infrastructure changes Microsoft has undertaken in recent years. Unlike typical Windows updates that Microsoft controls entirely, this transition requires coordination between Microsoft, PC manufacturers, and in some cases, individual users.
For most modern PCs purchased in the last two years, the transition should happen automatically through Windows Update combined with firmware that already includes the 2023 certificates. However, systems from 2022 or earlier, particularly those from smaller manufacturers or DIY builds, may require manual intervention.
The degraded security state Microsoft warns about isn't catastrophic—your PC will likely continue booting—but it does mean you'll miss out on future bootloader security updates that could protect against emerging threats like bootkits and rootkits. Given that these attacks target the very foundation of your system's security, staying current with Secure Boot updates remains important for maintaining a secure computing environment.
The June 2026 deadline provides some breathing room, but the complexity of the transition suggests that users should start checking their system's readiness now rather than waiting until the last minute. Whether you're managing a fleet of enterprise PCs or just want to ensure your personal system stays secure, understanding this transition and taking appropriate action before the certificates expire will help avoid potential security gaps in the future.