Microsoft Secure Boot Certificate Refresh Ahead of 2011-Era Certificate Expiration
Microsoft has started deploying updated Secure Boot certificates via regular monthly Windows updates to replace the original 2011-era certificates that begin expiring in late June 2026. Secure Boot, introduced in 2011 for UEFI-based systems, helps prevent pre-OS malware (e.g., bootkits/rootkits) by allowing only trusted, properly signed boot components to load, using a certificate chain anchored in UEFI firmware and validated against trusted signature databases.
The expiring components are Microsoft-issued certificates in the Secure Boot trust chain (including the Key Exchange Key (KEK) and the Microsoft UEFI CA/Production CA certificates). They are present on most PCs built since 2011, and their expiration also affects many Linux distributions that rely on Microsoft's UEFI signing ecosystem. Microsoft says the refresh will be automatic for in-support Windows devices whose updates are Microsoft-managed, while organizations can also control deployment through their own management tooling; the effort is positioned as a large-scale ecosystem maintenance activity that requires coordination across many OEM firmware configurations.
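A defender-side check of that trust chain, added here as an example (it is not from the article and is not one of Microsoft's own scripts): it parses the EFI_SIGNATURE_LIST structures in the firmware's db and KEK variables, lists each X.509 certificate's subject and expiry, and reports whether 2011-era and 2023 Microsoft CAs are present. It assumes a UEFI Windows machine, an elevated prompt, and the built-in SecureBoot module (Get-SecureBootUEFI, Confirm-SecureBootUEFI).

```powershell
# EFI_CERT_X509_GUID: signature lists of this type carry DER-encoded X.509 certificates.
$EfiCertX509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertSubjects {
    param([ValidateSet('db','KEK')][string]$Name)
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $certs = @()
    $pos = 0
    while ($pos + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType(16) ListSize(4) HeaderSize(4) SignatureSize(4)
        $type       = [Guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $pos + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $pos + 24)
        # Stop on a malformed list rather than read past the variable.
        if ($listSize -lt 28 -or $pos + $listSize -gt $bytes.Length) { break }
        $dataStart = $pos + 28 + $headerSize
        $dataEnd   = $pos + $listSize
        if ($type -eq $EfiCertX509Guid) {
            for ($p = $dataStart; $p + $sigSize -le $dataEnd; $p += $sigSize) {
                # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID followed by the DER certificate.
                $der  = [byte[]]$bytes[($p + 16)..($p + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $certs += [pscustomobject]@{
                    Variable = $Name; Subject = $cert.Subject; NotAfter = $cert.NotAfter
                }
            }
        }
        $pos += $listSize
    }
    return $certs
}

function Test-SecureBootCertState {
    $certs = @(Get-SecureBootCertSubjects -Name db) + @(Get-SecureBootCertSubjects -Name KEK)
    # Subject-name matching is a heuristic: Microsoft's 2011 and 2023 CAs carry the year in their CN.
    [pscustomobject]@{
        SecureBootEnabled = [bool](Confirm-SecureBootUEFI)
        Has2011Chain      = [bool]($certs | Where-Object Subject -match 'Microsoft.*2011')
        Has2023Chain      = [bool]($certs | Where-Object Subject -match 'Microsoft.*2023')
        ExpiringWithin6Mo = @($certs | Where-Object NotAfter -lt (Get-Date).AddMonths(6) |
                              ForEach-Object Subject)
    }
}

Get-SecureBootCertSubjects -Name db | Format-Table -AutoSize
Test-SecureBootCertState
```

A device that reports Has2023Chain as $false after the monthly updates, or that still only trusts the 2011 chain, is a candidate for the OEM firmware update path the timeline below describes.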
How this story unfolded
18 events from the most recent confirmed update back to the earliest known activity.
Dell publishes BIOS guidance to update Secure Boot active database
Dell published a support advisory explaining how customers can update the Secure Boot active database directly from BIOS. The guidance provides Dell-specific remediation steps as part of the industry transition to the newer Secure Boot certificates ahead of the June 2026 expiration of the legacy 2011 chain.
Microsoft explains new Windows SecureBoot folder after May update
Microsoft confirmed that the C:\Windows\SecureBoot folder created by the May 2026 Windows 11 update is expected behavior tied to the Secure Boot certificate transition, not a bug. The company said the folder contains example PowerShell scripts mainly for IT administrators and noted some devices may still miss the new certificates if their firmware is outdated.
Microsoft releases May Windows 11 update KB5089549 with Secure Boot protections
On 2026-05-12, Microsoft released the mandatory Windows 11 24H2/25H2 Patch Tuesday update KB5089549. The update continued preparations for the June 2026 Secure Boot certificate expiration and also tightened driver trust by removing default trust for cross-signed drivers.
Microsoft says April Secure Boot rollout may trigger multiple Windows 11 restarts
Microsoft said some Windows 11 systems may restart more than once while April 2026 updates install Secure Boot 2023 certificates, describing the behavior as an expected one-time part of the update process. The company indicated the certificate rollout expanded with the April 2026 updates, including the optional update released on April 30.
Microsoft publishes Surface Secure Boot certificate guidance
Microsoft published a support article for Surface devices explaining the Secure Boot certificate transition and related update requirements. The guidance indicates Surface-specific documentation and support steps were made available ahead of the June 2026 expiration of the legacy 2011 certificates.
Microsoft warns April out-of-band update may trigger BitLocker recovery
On 2026-04-19, Microsoft disclosed that a limited subset of mainly IT-managed devices could prompt for a BitLocker recovery key on first restart after installing out-of-band update KB5091157 during the Secure Boot 2023 transition. Microsoft said the issue affects systems with specific PCR7 and BitLocker configurations, recommended removing the explicit PCR7 Group Policy or applying a Known Issue Rollback, and said a permanent fix would come in a future update.
April Patch Tuesday delivers Secure Boot status indicator in Windows
Microsoft's April 2026 Patch Tuesday updates for Windows 10 and Windows 11 added a visual Secure Boot status indicator in the Windows Security app. The feature helps users verify whether updated Secure Boot certificates are installed before the legacy 2011 certificates begin expiring in June 2026.
Microsoft adds Secure Boot certificate status to Windows Security app
Microsoft said it is updating the Windows Security app to show Secure Boot certificate status indicators and clearer guidance for users as the 2011 certificates approach expiration. The change is intended to help users understand whether their systems have current certificates and what action, if any, is needed.
Microsoft details Secure Boot rollout edge cases in March 2026 AMA
In March 2026, Microsoft engineers discussed the Secure Boot certificate transition in an AMA, outlining deployment edge cases and enterprise guidance. They said Legacy BIOS systems are skipped, Secure Boot-disabled devices must be properly enabled before receiving the update, and environments using PXE, Hyper-V, Windows Server, or customized Secure Boot configurations require special handling and testing.
OEMs coordinate firmware updates for affected systems
PC manufacturers including HP, Dell, Lenovo, Asus, and Microsoft published or referenced guidance for firmware and BIOS updates needed on older devices to support the new Secure Boot certificates. HP specifically said it is working with Microsoft to provide updates for supported Windows 11 PCs before the legacy certificates expire.
Microsoft begins broad rollout of refreshed Secure Boot certificates
Microsoft began rolling out updated Secure Boot certificates through monthly Windows updates for supported devices, with automatic delivery for systems using Microsoft-managed updates. The company said some systems will also need OEM firmware updates before the new certificates can be applied.
Microsoft publicly warns of June 2026 Secure Boot certificate expiration
On February 10, 2026, Microsoft and multiple outlets highlighted that the original 2011 Secure Boot certificates will begin expiring in late June 2026. Microsoft said devices that miss the update will still boot but will enter a degraded security state with reduced boot-level protections and limited ability to receive future pre-boot mitigations.
Microsoft releases February Windows update with Secure Boot changes
On February 10, 2026, Microsoft released Windows 11 23H2 cumulative update KB5075941, which included Secure Boot-related changes. The update refreshes Boot Manager components on devices that already trust the Windows UEFI CA 2023 certificate.
Microsoft starts limited deployment of new certificates to some Windows 11 devices
Since January 2026, Microsoft has been deploying refreshed Secure Boot certificates to some Windows 11 24H2 and 25H2 systems. This marked the beginning of the broader rollout ahead of the June 2026 expiration deadline.
Microsoft ships KB5070879 with early Secure Boot expiration warning
On 2025-10-23, Microsoft released out-of-band update KB5070879 for Windows Server 23H2. The support notice warned that commonly used Secure Boot certificates would begin expiring in June 2026 and urged organizations to review guidance and update certificates in advance.
Microsoft publishes Secure Boot key management guidance for hardware partners
Microsoft published Windows Secure Boot key creation and management guidance on Microsoft Learn for OEMs and device manufacturers. The documentation provided implementation guidance ahead of the broader 2026 rollout tied to the expiration of the legacy 2011 Secure Boot certificates.
New PCs begin shipping with updated Secure Boot certificates
Many newly built devices started shipping with the newer Secure Boot certificates baked into firmware in 2024, reducing the need for later remediation. Reports indicate most systems shipped in 2025 already include the updated trust anchors.
Microsoft issues replacement Secure Boot certificates
Microsoft issued new Secure Boot certificates in 2023 to replace the original 2011 trust chain that is set to expire in June 2026. The new certificates form the basis of a long-term transition for Windows devices and OEM firmware.
Sources
Your Windows PC has a security deadline in June 2026 | Malwarebytes (malwarebytes.com)
Microsoft reveals what happens to Windows 11 PCs if you ignore the Secure Boot deadline in June 2026 (windowslatest.com)
How To Update Secure Boot Active Database from BIOS | Dell US (dell.com)
Windows Secure Boot certificates expire starting in June 2026. What does it mean for organizations and users? | Traficom (kyberturvallisuuskeskus.fi)
October 23, 2025-KB5070879 (OS Build 25398.1916) Out-of-band - Microsoft Support (support.microsoft.com)
Original Equipment Manufacturer (OEM) pages for Secure Boot - Microsoft Support (support.microsoft.com)
Microsoft Intune method of Secure Boot for Windows devices with IT-managed updates - Microsoft Support (support.microsoft.com)
Windows Secure Boot Key Creation and Management Guidance | Microsoft Learn (learn.microsoft.com)