Prepare for an impact: Microsoft warns of secure boot certificate update
"Prepare for the first global, large-scale secure boot certificate update," warns Microsoft. Windows is not the only system affected.
(Image: heise online / dmk, Tux by Larry Ewing/GIMP)
Microsoft's first Secure Boot certificates will expire in June 2026. In order for systems with Secure Boot to remain bootable, they must receive updated certificates by then. “Prepare for the first global, large-scale Secure Boot certificate update,” Microsoft now warns. This not only affects Windows systems, but also those with other operating systems, such as Linux or macOS.
In a blog post, Microsoft discusses the consequences of the certificate expiry and explains how admins can help themselves under Windows. In summary, Microsoft writes: “The Microsoft certificates used in Secure Boot are the basis of trust for the security of the operating system, and all expire from June 2026. To receive automatic and timely updates for new certificates for supported Windows systems, you must let Microsoft manage your Windows updates, which includes Secure Boot.” It is therefore also important for Microsoft to work closely with Original Equipment Manufacturers (OEMs) to distribute Secure Boot firmware updates.
Corporate customers in particular should prepare
Microsoft advises those who have not yet made arrangements for distributing the updated certificates to start now. Secure Boot is intended to prevent malware from starting early in the boot process of computers. It is linked to the UEFI firmware signing process. Secure Boot relies on cryptographic keys known as Certificate Authorities (CAs) to verify that firmware modules come from trusted sources. In June 2026, the Secure Boot certificates – which are part of the Windows system – will begin to expire after 15 years. Windows devices will therefore need new certificates to continue to function and be protected, Microsoft explains.
Affected are physical and virtual machines with supported versions of Windows 10, Windows 11 and Windows Server 2025, 2022, 2019, 2016, 2012 and 2012 R2, i.e., all systems released since 2012, including the Long-Term Servicing Channels (LTSC). Newer Copilot+ PCs released since 2025 already have newer certificates.
The affected systems also include macOS – but this is outside the Microsoft support area. For dual-boot systems with Linux and Windows, the Windows operating system should update the certificates that Linux relies on.
Microsoft lists the certificate “Microsoft Corporation KEK CA 2011” as expiring in June 2026; it will be replaced by “Microsoft Corporation KEK 2K CA 2023” and is used to sign the DB (database of allowed signatures) and DBX (database of forbidden signatures).
In addition, “Microsoft Corporation UEFI CA 2011 (or third-party UEFI CA)” will reach the end of its life next June; Microsoft will replace it with “Microsoft Corporation UEFI CA 2023” or “Microsoft Option ROM UEFI CA 2023”. The former signs third-party operating systems and hardware driver components, while the latter signs third-party option ROMs. Finally, the “Microsoft Windows Production PCA 2011” certificate expires in October 2026 and will be replaced by “Windows UEFI CA 2023”; it signs the Windows bootloader and boot components.
Consequences of the expiring certificates
The CAs ensure the integrity of the boot sequence, Microsoft explains further. If these CAs expire, systems will no longer receive security fixes for the Windows Boot Manager and Secure Boot components. “Compromised boot security threatens the overall security of affected Windows devices, especially through bootkit malware. Such malware is difficult or impossible to detect by antivirus software. As an example, even today the unsecured boot process can serve as an attack vector for the BlackLotus bootkit (CVE-2023-24352),” the developers explain.
“Every Windows system with Secure Boot enabled uses the same three certificates to support third-party hardware and the Windows ecosystem,” Microsoft continues. Unless physical devices and VMs are prepared, they will lose the ability to install Secure Boot security updates and trust third-party software signed with new certificates after June 2026, as well as receive security updates for Windows Boot Manager from October 2026. To prevent this, IT managers must update the entire Windows ecosystem with certificates dated 2023 or later.
Update before the update
Microsoft is keen to emphasize that those affected should first look for the latest firmware from their OEM – i.e., from the computer or motherboard manufacturer – and apply it before applying new certificates to their Windows systems. In the Secure Boot process, the firmware updates from the OEMs are a prerequisite for correctly applied Windows Secure Boot updates. Microsoft only supports systems that are still in the support cycle – after October 2025, Windows 10 users should therefore consider obtaining Extended Security Updates (ESU).
Microsoft does not provide an exact timeline, but explains that “we expect to update Secure Boot Certificates as part of our latest cumulative updates”. Leaving the management of Windows updates, including Secure Boot updates, to Microsoft would therefore involve the least effort. Finally, in the blog post, Microsoft discusses how corporate customers can proceed with different solutions for managing Windows updates.
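The certificate names listed above and the "firmware first, then certificates" order can be checked on a single Windows machine without writing anything to the firmware. The following PowerShell script is an added example for this article; it is not code from heise or from Microsoft's blog post. It assumes an elevated PowerShell session on a UEFI system with the built-in SecureBoot module (Get-SecureBootUEFI and Confirm-SecureBootUEFI), and it reports the firmware version along with whether each 2023 certificate is already present in the KEK and db variables and whether the expiring 2011 certificates are still there.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft's blog post): read-only inventory of the
# Secure Boot KEK and db variables, checking for the 2023 certificates named in the article.
# Nothing is written to firmware; Get-SecureBootUEFI only reads the variables.

# Subjects of the replacement certificates, as listed in the article.
$Expected = @{
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
    db  = @('Microsoft Corporation UEFI CA 2023',
            'Microsoft Option ROM UEFI CA 2023',
            'Windows UEFI CA 2023')
}
# Subjects of the 2011 certificates that expire in 2026.
$Expiring = @{
    KEK = @('Microsoft Corporation KEK CA 2011')
    db  = @('Microsoft Corporation UEFI CA 2011',
            'Microsoft Windows Production PCA 2011')
}

function Test-SecureBootVariableContains {
    param([string]$Variable, [string]$Subject)
    # The variable is a blob of EFI_SIGNATURE_LIST structures holding DER X.509 certificates.
    # The subject common names are plain ASCII inside the DER, so a substring match on the
    # decoded bytes is sufficient for an inventory (this is also how Microsoft's own
    # guidance tests for 'Windows UEFI CA 2023').
    $raw  = (Get-SecureBootUEFI -Name $Variable).Bytes
    $text = [System.Text.Encoding]::ASCII.GetString($raw)
    return $text.Contains($Subject)
}

try {
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is disabled; the variables may be populated but are not enforced.'
    }
} catch {
    Write-Error 'This system does not appear to boot via UEFI; Secure Boot variables are unavailable.'
    return
}

# Firmware first: the article says OEM firmware must be current before new certificates are applied,
# so record what is installed and compare it against the OEM's latest release.
$bios = Get-CimInstance -ClassName Win32_BIOS
'Firmware: {0} {1} (released {2})' -f $bios.Manufacturer, $bios.SMBIOSBIOSVersion, $bios.ReleaseDate

foreach ($var in 'KEK', 'db') {
    foreach ($subject in $Expected[$var]) {
        $state = if (Test-SecureBootVariableContains -Variable $var -Subject $subject) { 'PRESENT' } else { 'MISSING' }
        '{0,-4} {1,-40} 2023 replacement: {2}' -f $var, $subject, $state
    }
    foreach ($subject in $Expiring[$var]) {
        $state = if (Test-SecureBootVariableContains -Variable $var -Subject $subject) { 'present' } else { 'absent' }
        '{0,-4} {1,-40} expiring 2011:    {2}' -f $var, $subject, $state
    }
}
```

A machine that has already received the certificate update shows both the 2011 and the 2023 entries, because the new certificates are added alongside the old ones rather than replacing them in place. "MISSING" for a 2023 entry means the cumulative update has not yet applied it on this device, and the firmware line should be compared with the OEM's current release before that update is expected to succeed. On a Linux dual-boot system the same db and KEK contents can be inspected with `mokutil --db` and `mokutil --kek`.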
Last year, Microsoft's August update included a DBX update that blocked numerous bootloaders. This affected many Linux distributions, which then no longer started. It is to be hoped that, with a year's lead time, a similar scenario will not occur again.
(dmk)