Microsoft's Secure Boot Certificate Refresh: What You Need to Know About the June 2026 Deadline
Microsoft is rolling out a Secure Boot certificate refresh ahead of the June 2026 expiration of three 2011-dated certificates, warning that devices that don't transition may lose future boot-level security protections.

Microsoft is rolling out a Secure Boot certificate refresh across supported Windows devices through Windows Update, ahead of the June 2026 expiration of three key certificates that have been in use since 2011. The certificates—Microsoft Corporation KEK CA 2011 (expires June 24), Microsoft UEFI CA 2011 (expires June 27), and Microsoft Windows Production PCA 2011 (expires October 19)—are being replaced with new 2023-dated certificates valid until 2038. While PCs will continue to boot after expiration, devices that do not transition will lose the ability to receive future boot-level security protections, including updates to Windows Boot Manager, Secure Boot databases, and mitigations for bootkits like BlackLotus.
Secure Boot is a UEFI firmware feature that verifies the boot loader and early boot components are signed by a trusted party before Windows loads. The current certificates were issued in 2011 and are now reaching their end of life. Microsoft is replacing them with a 2023-dated set, including Windows UEFI CA 2023 and Microsoft Corporation KEK 2K CA 2023. According to Microsoft engineers, the new certificates are valid until 2038, with a separate post-quantum cryptography transition planned for around 2030.
The most important takeaway for users: your computer will not stop working after the deadline. If the deadline arrives and your PC is still running on the 2011 certificates, Windows will still boot, Windows Update will still work, and your PC will continue functioning normally. However, Microsoft warns that the device "will no longer be able to receive new security protections" for the early boot process, including updates to Windows Boot Manager, Secure Boot databases, revocation lists, and mitigations for newly discovered boot-level vulnerabilities. This means your PC becomes harder to protect over time against emerging boot threats.
The BlackLotus bootkit serves as a concrete example of why boot-level security matters. BlackLotus is a UEFI bootkit that emerged in 2022 and exploited CVE-2022-21894 ("Baton Drop") to bypass Secure Boot on fully patched Windows systems. Once installed, it could disable BitLocker, Hypervisor-Protected Code Integrity (HVCI), and Microsoft Defender before Windows fully loaded. Microsoft addressed the underlying flaw in CVE-2023-24932, but fixing vulnerable boot managers safely is complicated. The 2026 certificate rollover enables Microsoft to continue rolling out newer 2023-signed boot components and safely revoke vulnerable ones as new threats emerge.
Microsoft is using a staged rollout designed to avoid breaking systems. A scheduled Windows task runs roughly every 12 hours and applies the update in stages: adding the new Windows UEFI CA 2023 to the firmware's signature database, adding the Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 alongside the old certificate if present, adding the new Microsoft Corporation KEK 2K CA 2023 key, and updating the Windows Boot Manager to one signed by the new certificate. The full process takes roughly 48 hours and one or more restarts to complete. For most home users, this happens silently through normal cumulative updates.
Potential trouble spots include older PCs with outdated firmware that may require a BIOS or firmware update from the manufacturer, PCs that bypassed Windows 11 requirements by disabling Secure Boot, and legacy BIOS/CSM systems. Microsoft recommends users ensure their systems are updated to maintain ongoing boot-chain security. Starting with the April 2026 Windows update, the Windows Security app includes updated Secure Boot status information under Device security that shows whether the new certificates have been applied successfully.
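For administrators who want to check beyond the Windows Security app, the following PowerShell script (an added example, not code from the article or from Microsoft) reads the firmware's db and KEK variables and reports which of the 2011 and 2023 certificates named above are present. It assumes an elevated session on a UEFI machine with the SecureBoot module, that the certificate subject names match the strings listed on this page, and it uses an ASCII search over the raw variable bytes rather than a full EFI_SIGNATURE_LIST parse.

```powershell
# Added example, not Microsoft's own tooling: report which Secure Boot CA certificates
# the firmware currently trusts, so the staged 2023 rollover can be verified per machine.
# Assumptions: elevated session, UEFI firmware, SecureBoot module available; the subject
# name patterns below are taken from the article and scanned as ASCII text inside the
# DER-encoded certificates, which is a heuristic rather than a signature-list parser.

function Get-SecureBootVariableText {
    param([Parameter(Mandatory)][string]$Name)
    try {
        $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
        return [System.Text.Encoding]::ASCII.GetString($var.Bytes)
    } catch {
        return $null   # variable absent or unreadable (e.g. legacy BIOS/CSM, Secure Boot off)
    }
}

function Get-SecureBootCertStatus {
    # Regex patterns; the 2011 third-party CA's CN may carry "Corporation", so allow both.
    $expected = @(
        @{ Var = 'db';  Cert = 'Microsoft Windows Production PCA 2011';  Era = '2011' },
        @{ Var = 'db';  Cert = 'Windows UEFI CA 2023';                   Era = '2023' },
        @{ Var = 'db';  Cert = 'Microsoft (Corporation )?UEFI CA 2011';  Era = '2011' },
        @{ Var = 'db';  Cert = 'Microsoft UEFI CA 2023';                 Era = '2023' },
        @{ Var = 'db';  Cert = 'Microsoft Option ROM UEFI CA 2023';      Era = '2023' },
        @{ Var = 'KEK'; Cert = 'Microsoft Corporation KEK CA 2011';      Era = '2011' },
        @{ Var = 'KEK'; Cert = 'Microsoft Corporation KEK 2K CA 2023';   Era = '2023' }
    )
    $text = @{}
    foreach ($v in 'db', 'KEK') { $text[$v] = Get-SecureBootVariableText -Name $v }
    foreach ($e in $expected) {
        $present = if ($null -eq $text[$e.Var]) { 'unknown' }
                   elseif ($text[$e.Var] -match $e.Cert) { $true } else { $false }
        [pscustomobject]@{
            Variable    = $e.Var
            Certificate = $e.Cert
            Era         = $e.Era
            Present     = $present
        }
    }
}

try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $false }
Write-Host "Secure Boot enabled: $enabled"
$status = Get-SecureBootCertStatus
$status | Format-Table -AutoSize
# Any 2023 entry not yet present means the staged rollover has not finished on this device.
if ($status | Where-Object { $_.Era -eq '2023' -and $_.Present -ne $true }) {
    Write-Warning 'One or more 2023 certificates are missing; the rollover is incomplete.'
}
```

Because the script only inspects db and KEK, a device can show every 2023 certificate present while still running an older boot manager until the final stage's restart completes.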