Microsoft is urging Windows users and IT teams to make sure their devices receive updated Secure Boot certificates before the first set of legacy certificates begins expiring in June 2026. The original Microsoft certificates were issued in 2011 and are reaching the end of their planned lifecycle. For this reason, newer 2023 certificates are being rolled out through Windows Update and related firmware channels.
Secure Boot is part of the UEFI startup process and helps verify that only trusted software loads during boot. Microsoft’s support guidance says that devices still relying on the older certificates will continue to start and run normally, and that standard Windows updates will still install.
But they will no longer receive new security protections for the early boot process, including updates to Windows Boot Manager, Secure Boot databases, revocation lists, and fixes for newly discovered boot-level vulnerabilities.
What Exactly is Changing?
Microsoft’s support page, published in June 2025, lists the first major expiry as Microsoft Corporation KEK CA 2011 on June 24, 2026, followed by Microsoft UEFI CA 2011 on June 27, 2026. Apart from that, Microsoft Windows Production PCA 2011 is expiring on October 19, 2026.
The firm further states that users need the corresponding 2023 certificates in the KEK and DB stores to keep receiving the full set of Secure Boot protections.
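One way to see which of these certificates a device actually carries is to read the Secure Boot KEK and db variables and look for the certificate subject names. The script below is an added example, not code from the article or from Microsoft; it uses the built-in Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets (elevated PowerShell on a UEFI system). The 2011 names are the ones the article lists; the 2023 subject strings are assumptions about the replacement certificates and should be checked against Microsoft's support page.

```powershell
# Added example (not from the article or Microsoft): inspect the Secure Boot KEK and db
# variables for the 2011 certificates named in the article and for 2023 replacements.
# Requires an elevated PowerShell session on a UEFI system; Get-SecureBootUEFI and
# Confirm-SecureBootUEFI are built-in cmdlets from the SecureBoot module.

function Get-SecureBootCertificateStatus {
    # Subject strings to look for. The 2011 names come from the article; the 2023
    # names are assumptions about the replacement certificates' subject names.
    $patterns = @(
        'Microsoft Corporation KEK CA 2011',
        'Microsoft UEFI CA 2011',
        'Microsoft Windows Production PCA 2011',
        'Microsoft Corporation KEK 2K CA 2023',   # assumed name
        'Microsoft UEFI CA 2023',                 # assumed name
        'Windows UEFI CA 2023'                    # assumed name
    )

    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is not enabled on this device.'
    }

    $results = foreach ($store in 'KEK', 'db') {
        # Each variable holds an EFI_SIGNATURE_LIST blob. The DER-encoded
        # certificates inside it carry the subject CN as plain ASCII, so a
        # text search over the bytes is enough to spot which CAs are present.
        $bytes = (Get-SecureBootUEFI -Name $store).Bytes
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        foreach ($p in $patterns) {
            [pscustomobject]@{
                Store       = $store
                Certificate = $p
                Present     = $text.Contains($p)
            }
        }
    }
    return $results
}

$status = Get-SecureBootCertificateStatus
$status | Format-Table -AutoSize

# Flag the state the article warns about: 2011 entries present but no 2023 entries.
$has2023 = @($status | Where-Object { $_.Certificate -like '*2023*' -and $_.Present }).Count -gt 0
if (-not $has2023) {
    Write-Warning 'No 2023 Secure Boot certificates found in KEK/db; this device may still need the update.'
}
```

A device that shows only the 2011 entries still boots, but it is the case the article describes as losing future boot-level protections; on managed fleets the same function can be run through existing remote-management tooling to build an inventory before the June 2026 expiry.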
Why does Secure Boot Require Updating?
Secure Boot needs updating because the certificates that authorize trusted boot components are reaching the end of their lifecycle. As per Microsoft, Secure Boot is part of the Windows device’s startup trust chain. It checks digitally signed software before Windows loads. However, Microsoft is now moving Windows devices to newer 2023 certificates as the older 2011 certificates begin expiring.
A device may still start normally without the update. But it can gradually lose protection against future boot-level threats, because new security fixes and revocation updates will no longer be delivered to it. Alongside that, related Secure Boot protections may no longer be delivered for the earliest part of the boot process. Microsoft highlights that the update is tied to UEFI firmware behavior, so keeping certificates current helps preserve the root of trust at startup.
Who Needs to Update Their Secure Boot Certificates?
Microsoft has specifically asked Windows 11 users to update their Secure Boot certificates before June 2026. The tech giant says the process should happen automatically through Windows Update for most Windows 11 users. The Windows Security app now shows whether a device has received the certificate updates, its current status, and whether any action is needed. Additionally, the firm states that many devices manufactured since 2024 already include newer certificates.
Microsoft warns that some systems may still need manual attention, especially managed enterprise devices, older hardware, or specialized setups such as servers and IoT devices. In those cases, firmware updates from OEMs may be required.
The main risk is not an immediate boot failure. Instead, devices that miss the certificate transition could enter a degraded security state over time. This could leave devices less protected against future boot-level threats and potentially affect scenarios such as BitLocker hardening or third-party bootloaders.