June 2026: Secure Boot Certificates are expiring – Help is on the way

Introduction

Now that we are in 2026, it’s easy to forget that some of the most important security features on modern Windows devices have been quietly protecting us for well over a decade. Secure Boot is one of those technologies. Introduced alongside Windows 8 nearly 15 years ago (yes, that’s right!), Secure Boot fundamentally changed how PCs defend themselves during startup – closing the door on an entire class of pre-boot attacks that were becoming increasingly common at the time.

Today, Secure Boot is no longer a “nice to have.” It’s a baseline security control that every modern Windows laptop or desktop should be using – whether the device is managed manually, through SCCM, or via Intune. Despite its maturity, Secure Boot is still often misunderstood, disabled for convenience, or treated as a one-time checkbox rather than an ongoing trust mechanism built into the platform.

This post revisits Secure Boot: what it is, why it still matters in 2026, and how it fits into the broader Windows security and device management story.

So what is Secure Boot?

Secure Boot is a critical security feature built into modern PCs using UEFI (Unified Extensible Firmware Interface) firmware. Its primary purpose is to ensure that only trusted, digitally signed software can run during your device’s boot sequence. This is achieved by validating the digital signature of each piece of boot software against a set of trusted digital keys stored in the UEFI firmware.

As an industry standard, Secure Boot outlines protocols for managing certificates, authenticating firmware, and establishing the interface between the operating system (OS) and the verification process. Trust and authenticity within Secure Boot rely on a Public-Key Infrastructure (PKI) model, where Certificate Authorities (CAs) such as Microsoft and Original Equipment Manufacturers (OEMs) issue and manage the digital certificates that form the foundation of system trust.

Threats Secure Boot helps prevent

Secure Boot is designed to mitigate several types of attacks that target the boot process, including:

  • Bootkits and Rootkits: Malware that attempts to compromise the bootloader or kernel during startup.
  • Firmware Attacks: Attempts to tamper with or replace UEFI firmware.
  • Code Injection: Unauthorized code injected into the boot process.
  • Unauthorized Kernel Modules: Loading of unsigned or tampered kernel modules.
  • Exploitation of Boot-Time Vulnerabilities: Attacks that target vulnerabilities in the boot sequence itself.

By verifying the integrity and authenticity of each stage in the boot process, Secure Boot helps prevent these threats from compromising your system before the operating system even loads.

How Secure Boot works

Secure Boot was first introduced with Windows 8 as a defense against the emerging threat of pre-boot malware, known as bootkits. It is now a core part of Microsoft’s Trusted Boot security architecture. During platform initialization, Secure Boot authenticates various modules – including UEFI firmware drivers, bootloaders, applications, and option ROMs – by checking their digital signatures.

In the final step of the Secure Boot process, the firmware verifies the trustworthiness of the Windows boot loader. Once authenticated, control is passed to the boot loader, which then verifies, loads, and launches Windows. This multi-layered process ensures that only verified code is executed before Windows starts, effectively preventing attackers from exploiting the boot path as an attack vector.

Why are Secure Boot certificates expiring?

When Secure Boot was introduced with Windows 8, Microsoft and OEMs provisioned devices with a set of certificates (CAs) that define what code is trusted at boot. These certificates are stored in your device’s firmware and are used to validate updates and boot components.

However, the original Microsoft Secure Boot certificates from 2011 are expiring in 2026 (valid for 15 years). If your device still relies on these certificates, it will no longer be able to receive Secure Boot updates or security fixes for pre-boot components after expiration. This could leave your device vulnerable to new threats.

What’s changing?

Microsoft has issued new Secure Boot certificates (2023 versions) to replace the expiring 2011 certificates. These new certificates ensure your device continues to receive updates and remains protected. The update process involves adding the new certificates to your device’s firmware databases (KEK and DB).

Expiring certificate                  | Expiration | New certificate                   | Purpose
Microsoft Corporation KEK CA 2011     | June 2026  | Microsoft Corporation KEK CA 2023 | Signs updates to DB and DBX
Microsoft Windows Production PCA 2011 | Oct 2026   | Windows UEFI CA 2023              | Signs the Windows boot loader
Microsoft UEFI CA 2011                | June 2026  | Microsoft UEFI CA 2023            | Signs third-party boot loaders and EFI apps
Microsoft UEFI CA 2011                | June 2026  | Microsoft Option ROM CA 2023      | Signs third-party option ROMs

How to update Secure Boot certificates

Microsoft is updating certificates automatically on many devices, but some organizations and advanced users may need to update them manually – especially if you manage your own Secure Boot keys or have custom firmware policies.

To make this easier, we’re building a small solution – currently in development. Keep an eye out for its release!
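Before deciding whether a device needs a manual update, it helps to see which certificates its firmware actually holds and when they expire. The following PowerShell inventory is an added example (not the blog’s upcoming solution and not Microsoft code): it reads the DB and KEK variables with the built-in SecureBoot module, walks the EFI_SIGNATURE_LIST structures, and decodes every X.509 entry so the 2023 replacements from the table above can be spotted by subject and expiry date. It assumes an elevated session on a UEFI device; the KEK subject pattern is a loose match because the certificate’s actual common name may differ slightly from the display name in the table.

```powershell
# Added example: inventory Secure Boot DB/KEK certificates and flag expiry.
# Requires an elevated PowerShell session on a UEFI system.
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-EfiSignatureCertificates {
    param([Parameter(Mandatory)][string]$VariableName)     # 'db' or 'KEK'
    $bytes  = (Get-SecureBootUEFI -Name $VariableName).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID, list size, header size, signature size
        $type     = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list: stop, don't loop forever
        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            if ($type -eq $X509Guid) {
                # EFI_SIGNATURE_DATA: 16-byte owner GUID followed by the DER-encoded certificate
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable = $VariableName
                    Subject  = $cert.Subject
                    NotAfter = $cert.NotAfter
                    Expired  = ($cert.NotAfter -lt (Get-Date))
                }
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled on this device.' }

$certs = @(Get-EfiSignatureCertificates -VariableName 'db') +
         @(Get-EfiSignatureCertificates -VariableName 'KEK')
$certs | Sort-Object NotAfter | Format-Table Variable, NotAfter, Expired, Subject -AutoSize

# Readiness check against the 2023 replacements listed in the table above.
$kek2023 = $certs | Where-Object { $_.Variable -eq 'KEK' -and $_.Subject -match 'KEK.*2023' }
$db2023  = $certs | Where-Object { $_.Variable -eq 'db'  -and $_.Subject -match 'Windows UEFI CA 2023' }
if ($kek2023 -and $db2023) { 'Device already carries the 2023 KEK and DB certificates.' }
else { Write-Warning 'Device still relies on the 2011 certificates; plan the KEK/DB update.' }
```

Run it per device (or via your management tooling) to build a list of machines that still need the update rather than assuming the automatic rollout has reached them.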

Windows January 2026 updates

With the January 2026 quality updates, Microsoft has started automatically updating a subset of devices, selected using high-confidence device targeting data that identifies devices eligible to receive the new Secure Boot certificates automatically. Devices will receive the new certificates only after demonstrating sufficient successful update signals, ensuring a safe and phased deployment.

Read it here: January 13, 2026—KB5074109 (OS Builds 26200.7623 and 26100.7623) – Microsoft Support

Stay Protected

Keeping your Secure Boot certificates up to date is essential for maintaining the security of your Windows devices. Use the upcoming script to ensure your system is ready for the future and protected against evolving threats.

Important: Always back up your system and review your organization’s Secure Boot policy before making changes to firmware certificates.

For more details, see the upcoming documentation/solution or Microsoft’s official guidance on Secure Boot.

Troubleshooting

For troubleshooting errors while applying the DB update manually, see KB5016061: Secure Boot DB and DBX variable update events – Microsoft Support for the most up-to-date guidance.

Conclusion

15 years after its introduction, Secure Boot remains a foundational component of Windows platform security. What began as a response to early bootkit threats has evolved into a trusted, industry-standard mechanism that protects devices at their most vulnerable stage – before the operating system even loads!

In 2026, Secure Boot should be considered a default expectation rather than an optional feature. Whether devices are managed through SCCM, Intune, or a hybrid approach, you need to ensure Secure Boot is enabled and properly configured – this helps maintain platform integrity, supports modern security features, and reduces exposure to low-level attacks that are otherwise difficult to detect or remediate.

Secure Boot may operate quietly in the background, but its role in establishing trust at startup is as relevant today as it was when it first shipped – and it remains a critical part of a secure Windows deployment!

References

Act now: Secure Boot certificates expire in June 2026 – Windows IT Pro Blog

Secure the Windows boot process | Microsoft Learn

Windows Secure Boot certificate expiration and CA updates – Microsoft Support

Specifications | Unified Extensible Firmware Interface Forum (uefi.org)

Windows Secure Boot Key Creation and Management Guidance | Microsoft Learn

KB5036210: Deploying Windows UEFI CA 2023 certificate to Secure Boot Allowed Signature Database (DB) – Microsoft Support

microsoft/secureboot_objects: Secure boot objects recommended by Microsoft.

Secure Boot DB and DBX variable update events – Microsoft Support
