Secure Boot certificate rollover may affect older Windows PCs
Microsoft is replacing 2011 Secure Boot certificates with 2023 certificates; older Windows PCs that do not receive the update by June 2026 may miss future boot-level protections.
Microsoft is rolling new Secure Boot certificates to supported Windows devices as the 2011-era certificates begin expiring in June 2026. Machines that do not receive the update will continue to boot but may not receive future protections for the early boot process. Three 2011 certificates have set expiration dates: Microsoft Corporation KEK CA 2011 on June 24, Microsoft UEFI CA 2011 on June 27, and Microsoft Windows Production PCA 2011 on October 19, 2026. Microsoft is adding a 2023-dated certificate set to replace them.
Secure Boot is a UEFI firmware feature that runs before Windows loads and verifies that the boot loader and early boot components are signed by trusted keys in the motherboard firmware. The new certificates are intended to update the trust chain built into firmware so Microsoft can continue to provide signed boot components and revoke vulnerable ones when needed. Microsoft engineers noted the 2023 certificates are valid until 2038 and that a separate post-quantum cryptography transition is planned for future hardware around 2030.
Microsoft warns that an affected device “will no longer be able to receive new security protections” for the early boot process if it remains on the 2011 certificates. Those protections include updates to Windows Boot Manager, Secure Boot databases, revocation lists, and mitigations for newly discovered boot-level vulnerabilities. Boot-level malware, such as UEFI bootkits, runs before the operating system and can disable defenses like BitLocker and other integrity protections. BlackLotus, a UEFI bootkit identified in 2022 and confirmed in the wild in 2023, exploited an earlier vulnerability to bypass Secure Boot and prompted Microsoft fixes tied to later CVEs.
The certificate rollout is staged and delivered through Windows Update. A scheduled Windows task runs roughly every 12 hours and applies the update in phases: the new Windows UEFI CA 2023 is added to the firmware signature database; Microsoft adds UEFI and Option ROM 2023 certificates alongside any remaining 2011 third-party entries; the Microsoft Corporation KEK 2K CA 2023 key is added; and Windows Boot Manager is replaced with a version signed by the new certificate. The boot manager update is applied at the next natural restart. Microsoft estimates the full sequence takes about 48 hours and one or more reboots, and each step must complete before the next begins. The Windows Security app began reporting expanded Secure Boot status under Device security with the April 2026 update.
Some systems may not complete the transition automatically. Known trouble spots include older PCs with UEFI firmware that do not accept the new certificates, systems where Secure Boot was disabled to bypass Windows 11 requirements, machines running legacy BIOS or UEFI with Compatibility Support Module enabled, and unusual firmware configurations that can trigger a BitLocker recovery prompt after Secure Boot variables change. Microsoft notes BitLocker itself is not being disabled and recommends having recovery keys available if prompted.
For home users, Microsoft recommends keeping Windows fully updated, checking Secure Boot status at Windows Security > Device security > Secure Boot, and installing firmware updates from the PC maker when available. The May 2026 cumulative update (KB5089549) creates a C:\Windows\SecureBoot folder that contains example PowerShell scripts for administrators; that folder is expected and not malware. IT teams should inventory device manufacturer, model, BIOS version and Secure Boot status, use Microsoft’s PowerShell sample script to check registry keys and event IDs, and monitor Event ID 1808 for devices with the new certificates and Event ID 1801 for devices that have not completed the update. Recommended testing includes multiple devices per manufacturer/model/firmware combination, and administrators should plan for impacts to PXE imaging and Hyper-V where boot images or host firmware templates may require updates.
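The inventory and checks described above, as an added PowerShell example that is not Microsoft's own sample script; it assumes an elevated session on a UEFI device, that Event IDs 1801 and 1808 land in the System log, and uses a byte-string match for the 2023 CA names rather than a full signature-list parse.

```powershell
# Added example (not from C:\Windows\SecureBoot): gather, for one device, the
# inventory fields and rollover signals the article says IT teams should track.
# Assumptions: run elevated on a UEFI machine; 1801/1808 are in the System log;
# the DB/KEK check is a substring heuristic, not a certificate-chain validation.
function Get-SecureBootRolloverStatus {
    $cs   = Get-CimInstance Win32_ComputerSystem
    $bios = Get-CimInstance Win32_BIOS
    $report = [ordered]@{
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        BiosVersion  = $bios.SMBIOSBIOSVersion
        SecureBoot   = $null
        DbHas2023CA  = $null   # Windows UEFI CA 2023 present in the db variable
        KekHas2023CA = $null   # Microsoft Corporation KEK 2K CA 2023 present in KEK
        Event1808    = $null   # device carries the new certificates
        Event1801    = $null   # device has not completed the update
    }
    try {
        # Throws on legacy BIOS / CSM systems, which cannot take the update.
        $report.SecureBoot = Confirm-SecureBootUEFI
    } catch {
        $report.SecureBoot = "unsupported ($($_.Exception.Message))"
        return [pscustomobject]$report
    }
    # The variables are opaque EFI signature lists, but the CA subject names are
    # ASCII-visible inside them, which is enough for a rollover yes/no check.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $report.DbHas2023CA  = $db  -match 'Windows UEFI CA 2023'
    $report.KekHas2023CA = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    # Newest occurrence of each event ID named in the article, if any.
    foreach ($id in 1808, 1801) {
        $ev = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $id } `
                           -MaxEvents 1 -ErrorAction SilentlyContinue
        $report["Event$id"] = if ($ev) { $ev.TimeCreated } else { 'not logged' }
    }
    [pscustomobject]$report
}

# One CSV per device; collect them centrally to find machines still on 2011 CAs.
Get-SecureBootRolloverStatus |
    Export-Csv -Path "$env:TEMP\secureboot-$env:COMPUTERNAME.csv" -NoTypeInformation
```

A device reporting SecureBoot true, both 2023 flags true and a recent Event 1808 has completed the transition; one that logs 1801 with either flag false still needs attention.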
No immediate failures are expected on the June expiration dates. For most users the update will be automatic through Windows Update. Devices that do not transition will continue to operate but may not receive later boot-level protections as Microsoft responds to future vulnerabilities.