Prepare for the first global large-scale certificate update to Secure Boot.
The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expiring beginning June 2026. The way to automatically get timely updates to new certificates for supported Windows systems is to let Microsoft manage your Windows updates, which include Secure Boot. A close collaboration with original equipment manufacturers (OEMs) who provide Secure Boot firmware updates is also essential.
If you haven't yet, begin evaluating options and start preparing for the rollout of updated certificates across your organization in the coming months. Learn about this effort, its impact, and what you as an IT admin should do to help ensure that your Windows devices can receive updates after June 2026 without compromising system security.
Important: While platforms beyond Windows are affected, this article focuses on the solution for Windows systems. Be sure to monitor the Secure Boot certificate rollout landing page for status and guidance updates.
Recap: Why Secure Boot requires updating
Secure Boot helps to prevent malware from running early in the startup sequence of a Windows device. Coupled with the Unified Extensible Firmware Interface (UEFI) firmware signing process, Secure Boot uses cryptographic keys, known as certificate authorities (CAs), to validate that firmware modules come from a trusted source.
After 15 years, the Secure Boot certificates that are part of Windows systems will start expiring in June 2026. Windows devices will need new certificates to maintain continuity and protection.
- Affected: Physical and virtual machines (VMs) on supported versions of Windows 10, Windows 11, Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2—the systems released since 2012, including the long-term servicing channel (LTSC)
- Not affected: Copilot+ PCs released in 2025
Note: Affected third-party OS includes MacOS. However, it's outside the scope of Microsoft support. For Linux systems dual booting with Windows, Windows will update the certificates that Linux relies on.
Secure Boot uses certificate-based trust hierarchy to ensure that only authorized software runs during system startup. At the top of this hierarchy is the Platform Key (PK), typically managed by the OEM or a delegate, which acts as the root of trust. The PK authorizes updates to the Key Enrollment Key (KEK) database, which in turn authorizes updates to two critical signature databases: the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX). This layered structure ensures that only validated updates can modify the system's boot policy, maintaining a secure boot environment. See how it works in Updating Secure Boot keys.
The change: Expiring certificates
Windows systems released since 2012 might have expiring versions of the certificates listed below. The UEFI Secure Boot DB and KEK need to be updated with the corresponding new certificate versions.
See what new certificates will be available in the coming months to maintain UEFI Secure Boot continuity.
|
Expiration date |
Expiring certificate |
Updated certificate |
What it does |
Storing location |
|
June 2026 |
Microsoft Corporation KEK CA 2011 |
Microsoft Corporation KEK 2K CA 2023 |
Signs updates to DB and DBX |
KEK |
|
June 2026 |
Microsoft Corporation UEFI CA 2011 (or third-party UEFI CA)* |
a) Microsoft Corporation UEFI CA 2023 b) Microsoft Option ROM UEFI CA 2023
|
a) Signs third-party OS and hardware driver components b) Signs third-party option ROMs
|
DB |
|
Oct 2026 |
Microsoft Windows Production PCA 2011 |
Windows UEFI CA 2023 |
Signs the Windows bootloader and boot components |
DB |
*You need two new certificates for Microsoft Corporation UEFI CA 2011, which together allow for more granular control.
Microsoft and partner OEMs will be rolling out certificates to add trust for the new DB and KEK certificates in the coming months.
The impact and implications
The CAs ensure the integrity of the device startup sequence. When these CAs expire, the systems will stop receiving security fixes for the Windows Boot Manager and the Secure Boot components. Compromised security at startup threatens the overall security of affected Windows devices, especially due to bootkit malware. Bootkit malware can be difficult or impossible to detect with standard antivirus software. For example, even today, the unsecured boot path can be used as a cyberattack vector by the BlackLotus UEFI bootkit (CVE-2023-24932).
Every Windows system with Secure Boot enabled includes the same three certificates in support of third-party hardware and Windows ecosystem. Unless prepared, physical devices and VMs will:
- Lose the ability to install Secure Boot security updates after June 2026.
- Not trust third-party software signed with new certificates after June 2026.
- Not receive security fixes for Windows Boot Manager by October 2026.
To prevent this, you'll need to update your organization's entire Windows ecosystem with certificates dated 2023 or newer. This will also help you apply mitigations needed to help secure your systems against the BlackLotus and similar boot-level cyberattacks today.
Take action today
To begin, bookmark the Secure Boot certificate rollout landing page and take our readiness survey!
Important: Check with your OEMs on the latest available OEM firmware. Apply any available firmware updates to your Windows systems before applying the new certificates. In the Secure Boot flow, firmware updates from OEMs are the foundation for Windows Secure Boot updates to apply correctly.
Microsoft support is only available for supported client versions of Windows 11 and Windows 10. Once Windows 10 reaches end of support in October 2025, consider getting Extended Security Updates (ESU) for Windows 10, version 22H2 if you're not ready to upgrade.
In the coming months, we expect to update the Secure Boot certificates as part of our latest cumulative update cycle.
The solution that requires the least effort is letting Microsoft manage your Windows device updates, including Secure Boot updates. However, you might need to adopt multiple solutions. Your specific next step depends on the Windows systems and how you manage them.
Enterprise IT-managed systems that send diagnostic data
No action is required if Windows systems at your organization receive Windows updates from Microsoft and send diagnostic data back to Microsoft. This includes devices that receive updates through Windows Autopatch, Microsoft Configuration Manager, or third-party solutions.
Note: Check that your firewall doesn't block diagnostic data. If it does, please take action to help diagnostic data reach Microsoft.
Windows diagnostic data and OEM feedback will help us group devices with similar hardware and firmware profiles to gradually release Secure Boot updates to you. This allows us to intelligently monitor the rollout process, proactively pausing, addressing any issues, and continuing as needed. Just keep your devices updated with the latest Windows updates!
Enterprise IT-managed systems that don't send diagnostic data
Enable Windows diagnostic data and let Microsoft manage your updates by taking the following steps:
- Configure your organizational policies to allow at least the “required” level of diagnostic data. You can use Group Policy or mobile device management (MDM) to do this. See how to do this in Group Policy Management Editor for Windows 11 and Windows 10.
- Allow Microsoft to manage Secure Boot-related updates for your devices by setting the following registry key:
o Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot
o Key name: MicrosoftUpdateManagedOptIn
o Type: DWORD
o DWORD value: 0x5944 (opt in to Windows Secure Boot updates)
We recommend setting this key to 0x5944. It indicates that all certificates should be updated in a manner that preserves the security profile of the existing device. It also updates the boot manager to the one signed by the Windows UEFI CA 2023 certificate. Note: If the DWORD value is 0 or the key doesn't exist, Windows diagnostic data is disabled.
If you prefer not to enable diagnostic data, please take this anonymous readiness survey. Help us assess the needs of environments like yours to create future guidance on managing the update process independently. You'll remain fully in control and responsible to execute and monitor these updates.
Air-gapped devices, such as in government scenarios or manufacturing, are a special case. Because Microsoft cannot manage these updates, we can only offer the following limited support:
- Recommend known steps or methods for deploying these updates
- Share data gathered from our rollout stream
When available, look for these resources on the Secure Boot certificate rollout landing page.
Systems with Secure Boot disabled
Windows cannot update the active variables of the Secure Boot certificates if Secure Boot is disabled.
Important: Toggling Secure Boot on or off might erase the updated certificates. If Secure Boot is on, leave it enabled. Turning it off can reset the settings with defaults, which is not desirable.
Share these recommendations with individual users:
- Press Windows key + R, type msinfo32, and then press Enter.
- In the System Informationwindow, look for Secure Boot State.
- If it says On, you're good to go!
If Secure Boot is off or unsupported, the device may not receive the new CAs. For these devices, you may choose to enable Secure Boot with this guidance: Windows 11 and Secure Boot.
Change management considerations
Don't wait until June 2026! Updating DB and KEK with new 2023 certificates will help prevent your systems from boot-level security vulnerabilities today.
Get the latest OEM firmware updates and let Microsoft manage your Windows updates to receive Secure Boot updates automatically. Otherwise, help us understand your special case by completing this anonymous readiness survey.
Watch the release notes for Windows 11, version 24H2, version 23H2, and Windows 10 in the coming months to know when these updates are available to you. Stay tuned for additional guidance for the LTSC as needed.
Bookmark these additional resources:
- Secure Boot certificate rollout landing page
- Windows devices for businesses and organizations with IT-managed updates
- Windows devices for home users, businesses, and schools with Microsoft-managed updates
- Windows 11 and Secure Boot
- Secure Boot
- Updating Secure Boot keys
- Enterprise deployment guidance for CVE-2023-24932
- How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.
Microsoft
