Secure Boot Certificate Expiration June 2026: What Microsoft Is Not Saying Loudly Enough

Microsoft has called this “one of the largest coordinated security maintenance efforts across the Windows ecosystem.” That is in a corporate blog post. In its consumer-facing communication, the language is more careful: PCs will continue to “operate normally,” they will “enter a degraded security state,” and most updates will install “automatically.” This page is about what is true in that communication, what is incomplete, and what to actually do.

The short version: starting June 27, 2026, the original Microsoft Secure Boot certificates issued in 2011 begin expiring. A second certificate expires in October 2026. Replacement 2023 certificates are being rolled out through Windows Update right now. Most PCs will receive them automatically. Some will not — because of OEM firmware that does not support the update, or because the device is running an unsupported version of Windows, or because the staged Windows Update rollout simply has not reached the device yet. PCs that miss the update will not be bricked. They will enter a state where Microsoft cannot ship them new boot-level security protections, and the gap between protected machines and unprotected machines compounds month by month after that.

There are roughly 1.4 billion Windows 10 and 11 devices in active use. The percentage of those that will not receive the 2023 certificates by June 27 is unknown, and Microsoft has declined to estimate. The Windows Latest reporting from late April 2026 indicates the rollout will “finish by the end of April 2026” — but the rollout finishing does not mean every device receives the update; it means the update is available to every device that can receive it.

What is actually expiring

Microsoft Secure Boot is a UEFI firmware feature that validates the cryptographic signatures of the bootloader and early-boot drivers against certificates stored in the firmware itself. If a bootloader is not signed by a certificate Secure Boot trusts, the PC refuses to load it. This is the protection that defeats rootkits and bootkits — malware that runs before Windows is loaded and is therefore invisible to traditional anti-virus.

The certificates being retired are:

Certificate                             Stored in   Expires        Role
Microsoft Corporation KEK CA 2011       KEK         June 2026      Authorizes updates to the DB
Microsoft Corporation UEFI CA 2011      DB          June 2026      Signs third-party bootloaders, option ROMs
Microsoft Windows Production PCA 2011   DB          October 2026   Signs the Windows Boot Manager itself

The replacement set, distributed since February 2026 via Windows Update, is:

  • Microsoft Corporation KEK 2K CA 2023 (KEK)
  • Microsoft UEFI CA 2023 (DB)
  • Microsoft Option ROM UEFI CA 2023 (DB) — new, separate from the UEFI CA
  • Windows UEFI CA 2023 (DB)

The split between Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 is the architectural change worth understanding. Under the 2011 certificates, a single CA signed both third-party bootloaders (Linux distributions, Shim, GRUB) and option ROMs (firmware on add-in cards like graphics adapters, network controllers, and storage HBAs). Under the 2023 certificates, those signing roles are split — a system can trust option ROMs without also trusting third-party bootloaders, and vice versa. For most consumer PCs this is irrelevant; for enterprise deployments running locked-down boot policies, it is a significant capability improvement.

What “degraded security state” actually means

The phrase Microsoft uses — “degraded security state” — is doing a lot of work. Here is what it means concretely:

A device that hits June 27, 2026 without the 2023 KEK certificate cannot apply any future updates to its Secure Boot databases. New certificates cannot be added. New revocations (entries in the DBX list that block known-malicious bootloaders) cannot be applied. Any future patch to Windows Boot Manager that requires a new signing chain — and Microsoft has been explicit that several are coming — will not install on the affected device.

For now, the device boots. Existing protections continue to work. Windows updates that don’t touch the boot chain install normally. But the trust anchor — the thing Secure Boot relies on to know what to trust — is frozen in time. Every new boot-level threat discovered after the expiration date is a threat the device cannot be hardened against.

The historical analogue is the BlackLotus UEFI bootkit, disclosed in 2023 and tracked as CVE-2023-24932. BlackLotus exploited a Secure Boot bypass that required Microsoft to update both the bootloader and the Secure Boot revocation list. The fix was rolled out gradually through 2023 and 2024. A device that had been frozen out of those updates would still be vulnerable today. The 2026 transition will produce the same dynamic on a much larger scale.

Whose machines are affected

The clearest way to answer this is by category:

PCs manufactured since 2024. Most ship from the factory with the 2023 certificates already in firmware. They are not affected by this transition. (Verify in the Windows Security app — see below.)

PCs purchased between 2018 and 2023, kept current with Windows Update. Most are receiving the 2023 certificates automatically through the staged Windows Update rollout. The rollout began in February 2026 and was expected to complete by end of April 2026. Many but not all PCs in this category have already updated.

PCs running Windows 10 22H2 with the Extended Security Updates (ESU) program. Eligible for the 2023 certificates via ESU. Receiving them through the same Windows Update flow as Windows 11.

PCs running Windows 10 without ESU. Not eligible. Microsoft is explicit: devices running unsupported versions of Windows do not receive Windows updates and will not receive the new certificates. There is no migration path that does not involve either upgrading to Windows 11 or enrolling in ESU.

PCs with OEM firmware that cannot apply the new certificates. This is the category that has surfaced in Windows Latest’s reporting from late April 2026. Some older systems — particularly those from manufacturers that have stopped issuing firmware updates — cannot apply the 2023 certificates because the firmware does not support the update sequence. After the April 2026 update, these devices display a red-icon “Requires action” status in the Windows Security app. Microsoft’s only recommendation is “contact your device manufacturer for assistance,” which in practice is a polite way of saying the device is end-of-life from a security perspective.

PCs that bypassed Secure Boot to install Windows 11. These exist in numbers Microsoft has been careful not to publicize. If you upgraded an older PC to Windows 11 by working around the Secure Boot or TPM requirement, your device may show a red alert stating Secure Boot is not enabled. The 2023 certificate update is not relevant to you because Secure Boot is not active. The honest answer is that you have a different and arguably worse problem.

How to check your PC right now

The April 2026 cumulative update (KB5083769 for Windows 11 24H2 and 25H2) added a Secure Boot certificate status badge to the Windows Security app. To check:

  1. Open Windows Security (Settings → Privacy & security → Windows Security, or search for “Windows Security” in the Start menu).
  2. Click Device security.
  3. Look for the Secure Boot section.

You will see one of four states:

  • Green check — Secure Boot is on and the 2023 certificates are applied. What to do: nothing.
  • Yellow caution — Update in progress or temporarily paused. What to do: wait; install pending Windows Updates.
  • Red stop icon — Update failed or the device cannot receive the certificates. What to do: check for OEM firmware updates first; contact the manufacturer if none are available.
  • No badge / “Secure Boot not enabled” — Secure Boot is off (often after a Windows 11 bypass install). What to do: this is a different problem; the certificates are not the issue.

If the badge has not appeared yet on your device, the rollout to your machine simply has not landed. Microsoft confirmed to Windows Latest that KB5083769 staggers the badge feature across PCs even when the underlying update is the same.

For a more authoritative check, open PowerShell and run:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI KEK).bytes) -match 'Microsoft Corporation KEK 2K CA 2023'
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

True for both means you have the 2023 certificates installed at the firmware level. This is the ground-truth check; the Windows Security badge is reading the same information but with delays in reporting.
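The two one-liners above answer the narrow question. The script below is an added example, not from this article or from Microsoft's tooling: it checks the KEK and db for every 2011 and 2023 certificate named in the table earlier on this page, reports whether Secure Boot is on at all (the "no badge" case), and returns an object that can be collected across a fleet with Invoke-Command. It assumes an elevated PowerShell session on a UEFI system; the function name, property names and verdict strings are mine.

```powershell
# Added example (not Microsoft's code): report which Secure Boot CA certificates
# are present in the firmware KEK and db variables. Requires an elevated session
# on a UEFI system; on legacy-BIOS machines the Secure Boot cmdlets throw, which
# the function reports instead of crashing.
#Requires -RunAsAdministrator

function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param()

    # Subject names to look for. The 2011 names are the certificates expiring in
    # June/October 2026; the 2023 names are their replacements.
    $expected = @{
        KEK = @{
            Old = @('Microsoft Corporation KEK CA 2011')
            New = @('Microsoft Corporation KEK 2K CA 2023')
        }
        db  = @{
            Old = @('Microsoft Corporation UEFI CA 2011',
                    'Microsoft Windows Production PCA 2011')
            New = @('Microsoft UEFI CA 2023',
                    'Microsoft Option ROM UEFI CA 2023',
                    'Windows UEFI CA 2023')
        }
    }

    # Secure Boot off, or no UEFI at all: certificates are not the issue.
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        return [pscustomobject]@{ SecureBoot = 'Unsupported'; Verdict = 'Legacy BIOS or no UEFI variable access' }
    }

    $result  = [ordered]@{ SecureBoot = $(if ($enabled) { 'On' } else { 'Off' }) }
    $missing = @()
    foreach ($var in 'KEK', 'db') {
        # Each variable is a blob of EFI_SIGNATURE_LIST entries holding DER
        # certificates. The subject CN is stored as plain ASCII inside the DER,
        # so a substring match is enough to detect presence (same approach as
        # the one-liners above).
        $text = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $var).Bytes)
        foreach ($kind in 'Old', 'New') {
            foreach ($name in $expected[$var][$kind]) {
                $present = $text.Contains($name)
                $result["$var/$name"] = $present
                if ($kind -eq 'New' -and -not $present) { $missing += $name }
            }
        }
    }

    $result['Verdict'] = if (-not $enabled) {
        'Secure Boot is off; enable it before worrying about certificates'
    } elseif ($missing.Count -eq 0) {
        'All 2023 certificates present'
    } else {
        "Missing 2023 certificates: $($missing -join ', ')"
    }
    [pscustomobject]$result
}

# Usage: run locally, or wrap in Invoke-Command -ComputerName ... for a fleet.
Get-SecureBootCertStatus | Format-List
```

A device that shows the 2011 certificates but none of the 2023 ones is the case the badge calls "Requires action" once the rollout has reached it; a device missing only Windows UEFI CA 2023 has usually received the database update but not yet the boot manager swap, so re-run after the next cumulative update before escalating to the OEM.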

What administrators need to do

For unmanaged consumer PCs, the action is “do nothing — let Windows Update handle it, monitor the badge, contact the OEM if you get a red icon.” For managed environments, it is more involved.

Apply OEM firmware updates first. Microsoft is explicit that “in the Secure Boot flow, firmware updates from OEMs are the foundation for Windows Secure Boot updates to apply correctly.” If your OEM has issued firmware updates in the past 12 months, deploy them before pushing the certificate updates. HP, Lenovo, Dell, and ASUS have all issued statements confirming they are coordinating with Microsoft on this rollout.

Set the deployment registry key. For domain-joined Windows 11 25H2, 24H2, and 23H2 machines, the relevant Group Policy is at Computer Configuration → Administrative Templates → Windows Components → Secure Boot → Enable Secure Boot certificate deployment. The corresponding registry key is:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade\MicrosoftUpdateManagedOptIn

Set the value to 0x5944 to deploy all needed certificates and update to the Windows UEFI CA 2023 signed boot manager. Microsoft clarified in a January 14, 2026 update that any non-zero value works for opting in; the specific 0x5944 value also enables the boot manager update.

Monitor the deployment. Microsoft has published aka.ms/GetSecureBoot as the primary landing page for resources, including PowerShell modules and command-line tools to query and apply Secure Boot configurations on local devices. For larger fleets, the Windows Configuration System (WinCS) APIs for Secure Boot provide programmatic access.

Do not disable Secure Boot to “work around” the issue. Disabling Secure Boot is not a substitute for updating the certificates; it removes the protection entirely. Several articles online have suggested this as a workaround for devices that fail to update. It is bad advice. The correct path for a non-updatable device is firmware update from the OEM (if available), or replacement.
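For the registry step above, the following is an added example, not Microsoft's tooling: an idempotent opt-in that creates the key path if it is missing, writes the DWORD, and reads it back so that a policy-locked key does not fail silently. The path, value name and the 0x5944 value come from the text above; the function names and the -WhatIf preview are mine. It assumes an elevated session on a Windows 11 23H2, 24H2 or 25H2 device; on fleets where the Group Policy named above is already applied, the policy writes the same value and this script simply reports it.

```powershell
# Added example (not Microsoft's code): set and verify the Windows Update
# opt-in value that authorizes Secure Boot certificate deployment.
#Requires -RunAsAdministrator

$OptInPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade'
$OptInName = 'MicrosoftUpdateManagedOptIn'

function Get-SecureBootOptIn {
    # Returns the current DWORD, or $null when the value has never been set.
    $item = Get-ItemProperty -Path $OptInPath -Name $OptInName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [uint32]$item.$OptInName
}

function Set-SecureBootOptIn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 0x5944 = deploy all needed certificates AND move to the boot manager
        # signed by Windows UEFI CA 2023. Any non-zero value opts in to the
        # certificates alone.
        [uint32]$Value = 0x5944
    )
    if (-not (Test-Path $OptInPath)) {
        New-Item -Path $OptInPath -Force | Out-Null
    }
    if ((Get-SecureBootOptIn) -eq $Value) {
        Write-Verbose ("{0} already set to 0x{1:X}; nothing to do" -f $OptInName, $Value)
        return $true
    }
    if ($PSCmdlet.ShouldProcess("$OptInPath\$OptInName", ("set to 0x{0:X}" -f $Value))) {
        New-ItemProperty -Path $OptInPath -Name $OptInName -PropertyType DWord -Value $Value -Force | Out-Null
    }
    # Read back so a failed write (for example a key locked by policy or
    # tamper protection) is reported rather than assumed.
    return (Get-SecureBootOptIn) -eq $Value
}

# Usage: preview first, then apply and report what the device is now opted in to.
Set-SecureBootOptIn -WhatIf
if (Set-SecureBootOptIn) {
    $v = Get-SecureBootOptIn
    $mode = if ($v -eq 0x5944) { 'full deployment including boot manager' }
            elseif ($v)        { 'certificates only' }
            else               { 'not opted in' }
    "Opt-in value is 0x{0:X} ({1})" -f $v, $mode
} else {
    Write-Warning 'Opt-in value was not written; check policy locks and re-run elevated'
}
```

The readback matters more than the write: the value is consumed by the monthly cumulative update, so a device whose key silently failed to change will look opted in from a deployment console and still never receive the certificates.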

What KB5036534 has to do with any of this

KB5036534, the May 2024 cumulative update, is the historical reference point for this transition. That update introduced the registry-based opt-in mechanism for Secure Boot certificate deployment as a preview — administrators could enable it on test devices to validate the update path before the broader rollout began. It is the build that proves Microsoft has been working on this rollout for two years; the timeline has been gradual and well-telegraphed.

The current state is that the staged rollout via standard Windows Update has been running since February 2026, and the Windows Security app badge for visibility was added in April 2026 (KB5083769). KB5036534 is no longer the relevant install — current monthly updates carry the certificate payload. If you read older guidance referencing KB5036534, the procedure is still correct in principle but the specific KB has been superseded.

When to stop

Two scenarios need explicit guidance because the search results for them are dangerous.

If your PC’s Windows Security shows a red Secure Boot icon and the message indicates the device cannot receive the 2023 certificates: do not download a “Secure Boot updater” from a third-party site. There are several search results that promise to update the certificates manually; none of them are trustworthy. The certificates are signed by Microsoft and can only be applied through the legitimate Windows Update or OEM firmware mechanisms. If the OEM has not issued firmware updates in the past two years for your model, the device is effectively end-of-life from a Secure Boot perspective. The correct response is replacement, not workaround.

If your PC fails to boot after a Secure Boot certificate update with an error like 0xc0000225 (boot configuration data missing or corrupted): boot to recovery media, run the standard boot repair commands (bootrec /fixboot, bootrec /rebuildbcd), and check OEM firmware. The certificate update itself does not corrupt the boot configuration, but a coincidental firmware update or BIOS reset can leave the device in a state where the new boot manager cannot be validated. The fix is to ensure both the new KEK and the new DB certificates are present; see our boot recovery guide for the full procedure.

The pattern

This rollout is being executed competently. Microsoft has telegraphed it for two years, OEMs have been pulled into a coordinated communication effort, the Windows Security app now surfaces the status to consumers, and the technical update path is working for the vast majority of PCs that receive it. That is genuinely worth acknowledging.

The risk is not the rollout. The risk is the long tail — the millions of PCs running unsupported Windows versions, the older hardware where OEM firmware updates have stopped, the devices managed by IT teams that disabled the registry opt-in. Those PCs will not get bricked. They will quietly fall out of the protection envelope, and the gap will compound. By 2027, “Secure Boot certificates” will be the answer to a category of weird boot-level malware infections that target the systems that missed this window.

The single most useful thing you can do, today, is open the Windows Security app, check the badge, and take action if it is not green. That is a 90-second task. The cost of skipping it does not become visible until much later.

FAQ

Will my PC stop working on June 27, 2026? No. PCs that have not received the 2023 certificates will continue to boot and run normally. Standard Windows updates will continue to install. What stops is the ability to receive new boot-level security protections. The risk compounds over time but is not immediate.

How do I know if my PC has received the 2023 certificates? Open Windows Security → Device security → Secure Boot. A green check badge means the certificates are applied. The badge feature was added in the April 2026 update (KB5083769) and may still be rolling out to some PCs.

What if my PC is too old to receive the update? Check for OEM firmware updates first. If the manufacturer has not issued firmware updates for your model in the past two years, the device may not be able to receive the new certificates regardless of Windows Update status. Microsoft’s recommendation is to contact the manufacturer; in practice, this often means the device is end-of-life from a Secure Boot perspective.

Is this related to the BlackLotus vulnerability? The 2023 certificates were created in part as a response to BlackLotus and the broader category of UEFI bootkit threats. Updating to the 2023 certificates is the underlying mitigation that allows Microsoft to ship new boot-chain protections; it is also the mechanism that makes future BlackLotus-class fixes possible.

Can I disable Secure Boot to avoid the issue? You can, but you should not. Disabling Secure Boot removes the protection entirely; it does not “work around” the certificate expiration in any meaningful sense. The correct path is updating the certificates, not bypassing the feature.

Does this affect Windows 10? Yes, but only Windows 10 version 22H2 with active Extended Security Updates (ESU) enrollment. Windows 10 PCs without ESU do not receive the new certificates and have no migration path other than upgrading to Windows 11 or enrolling in ESU.

What about Linux dual-boot? The certificate split between Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 affects how third-party bootloaders (Shim, GRUB) are signed and trusted. Most major Linux distributions have updated their Shim binaries to be signed under the 2023 CA. If you dual-boot Linux, verify your distribution’s Shim is current; older Shim binaries may not be trusted under the new certificate chain.

Last updated: April 28, 2026.
