Microsoft has announced that Secure Boot certificates embedded in Windows systems will begin to expire in June 2026, necessitating crucial updates for millions of devices to maintain security and operational continuity. The company plans to distribute these new certificates through its regular cumulative update cycles over the coming months. This proactive measure aims to safeguard Windows devices against sophisticated boot-level threats and ensure the integrity of the operating system's startup process.
Secure Boot is a fundamental security feature within Unified Extensible Firmware Interface (UEFI) firmware, designed to ensure that only trusted software loads during a device's boot sequence. It relies on a hierarchy of cryptographic certificates to verify the authenticity of pre-boot components, including boot loaders and drivers. These certificates, some dating back to 2011, are now nearing the end of their 15-year lifespan.
Specifically, the "Microsoft Corporation KEK CA 2011" and "Microsoft Corporation UEFI CA 2011" certificates are set to expire in June 2026, followed by the "Microsoft Windows Production PCA 2011" in October 2026. Failure to update these certificates would prevent affected Windows devices from receiving vital security fixes for boot components and leave them vulnerable to bootkit malware, such as BlackLotus, which can compromise systems before the operating system fully loads. Systems that are not updated would also lose the ability to trust new software signed with the post-2023 certificates.
According to a tweet from Orin Thomas, a Principal Program Manager at Microsoft, "Secure Boot certificates that are part of Windows systems will start expiring in June 2026. Windows devices will need new certificates to maintain continuity and protection. Microsoft will update the Secure Boot certificates as part of cumulative update cycles in coming months." This impacts a wide range of devices, including physical and virtual machines running supported versions of Windows 10, Windows 11, and Windows Server from 2012 onwards. Newer Copilot+ PCs released in 2025 are not affected.
For most users and organizations, Microsoft will automatically deliver the updated 2023 certificates via Windows Update. However, IT professionals managing enterprise environments, especially those with air-gapped systems or strict diagnostic data policies, will need to take specific actions, such as enabling diagnostic data or performing manual updates, to ensure their entire fleet is protected. Microsoft emphasizes the importance of applying the latest OEM firmware updates as a foundational step before installing the new certificates. This widespread update initiative underscores Microsoft's commitment to enhancing the security posture of its ecosystem against evolving cyber threats.
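As an added example, not code from the article or from Microsoft, the following PowerShell script reads the Secure Boot db and KEK variables directly, parses their EFI_SIGNATURE_LIST entries, and reports whether the 2011 and 2023 Microsoft CAs are present and when each expires, so an administrator can verify fleet status without relying on telemetry. It assumes an elevated session on a UEFI system with the built-in SecureBoot module's Get-SecureBootUEFI cmdlet; the 2023 certificate names are taken from Microsoft's published list rather than from this article.

```powershell
# Added example (not from the article or from Microsoft): parse the UEFI Secure Boot
# db and KEK variables and report which Microsoft CAs are present and when they expire.
# Assumptions: elevated PowerShell on a UEFI machine; Get-SecureBootUEFI (SecureBoot module).

$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-EfiSignatureCertificates {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $certs = @()
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType (16), ListSize, HeaderSize, SignatureSize (4 each)
        $type     = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -eq 0) { break }   # malformed list: stop, do not loop forever
        $entry = $offset + 28 + $hdrSize
        $end   = $offset + $listSize
        while ($entry + $sigSize -le $end) {
            if ($type -eq $X509Guid) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) followed by the DER certificate
                $der = [byte[]]$Bytes[($entry + 16)..($entry + $sigSize - 1)]
                try { $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der) } catch {}
            }
            $entry += $sigSize
        }
        $offset = $end
    }
    return $certs
}

# Expected CAs per database: the expiring 2011 certificates named in the article and their 2023 successors
$expected = @{
    db  = @('Microsoft Windows Production PCA 2011', 'Microsoft Corporation UEFI CA 2011',
            'Windows UEFI CA 2023', 'Microsoft UEFI CA 2023')
    KEK = @('Microsoft Corporation KEK CA 2011', 'Microsoft Corporation KEK 2K CA 2023')
}
foreach ($var in $expected.Keys) {
    $certs = Get-EfiSignatureCertificates -Bytes (Get-SecureBootUEFI -Name $var).Bytes
    foreach ($name in $expected[$var]) {
        $match = @($certs | Where-Object { $_.Subject -like "*CN=$name*" })
        if ($match.Count -gt 0) { "{0}: {1} present, expires {2:yyyy-MM-dd}" -f $var, $name, $match[0].NotAfter }
        else                    { "{0}: {1} MISSING" -f $var, $name }
    }
}
```

A device that reports the 2011 entries as present but the 2023 entries as MISSING has not yet received the new certificates and should have the OEM firmware update applied before the cumulative update that carries them.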