Microsoft Secure Boot Certificate Transition Leaves Older PCs Without Future Boot Protections
Microsoft warned that Secure Boot certificates issued in 2011 are nearing expiration and that devices which do not receive the newer 2023 Secure Boot update will generally keep booting, but may stop receiving future boot-chain protections. The gap affects some older Windows systems whose OEMs no longer provide compatible BIOS or UEFI updates, as well as devices running Legacy BIOS, CSM mode, or unsupported Windows 11 configurations with Secure Boot disabled. Microsoft is reportedly skipping incompatible hardware rather than forcing updates that could cause failures, but enterprises may still face compliance, cyber-insurance, and lifecycle-management pressure because those endpoints could miss future DBX revocations, Windows Boot Manager updates, and mitigations for bootloader threats such as BlackLotus.
The transition is also creating planning challenges beyond Windows. Linux distributions that rely on Microsoft-signed shim loaders are expected to continue booting on systems that already trust the older Microsoft UEFI CA, but older PCs that never receive firmware updates with the 2023 certificates may have trouble booting newer Linux media or releases. The issue follows Microsoft's broader effort to harden the pre-boot environment after flaws such as CVE-2024-21302, a Windows Secure Kernel Mode elevation-of-privilege bug that could let an administrator roll back VBS-related files to bypass protections; Microsoft responded with boot-time code integrity policies, an optional SkuSiPolicy.p7b revocation policy, and stronger protections on newer Windows releases. Administrators are being urged to verify Secure Boot update status, update firmware and recovery media where possible, and document compensating controls or replace hardware that cannot be brought forward.
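One way to do the status verification the last sentence calls for, as an added example that is not code from the article or from Microsoft: an elevated PowerShell check that reads the UEFI db variable and reports whether the 2023 Microsoft certificates are already trusted. It assumes the built-in SecureBoot module cmdlets (Confirm-SecureBootUEFI, Get-SecureBootUEFI) and relies on certificate subject names being searchable as ASCII inside the db blob.

```powershell
# Added example, not code from the article or from Microsoft. Run from an
# elevated PowerShell session on the device being checked.
# Assumes the built-in SecureBoot module (Confirm-SecureBootUEFI, Get-SecureBootUEFI).

function Get-SecureBootCertStatus {
    $status = [ordered]@{
        SecureBootEnabled      = $false
        Has2023WindowsUefiCa   = $false  # signs Windows Boot Manager after the transition
        Has2023MicrosoftUefiCa = $false  # signs third-party loaders such as the Linux shim
        Has2011WindowsPca      = $false  # expiring 2011 Windows CA
        Has2011MicrosoftUefiCa = $false  # expiring 2011 third-party CA
        DbxBytes               = 0       # size of the revocation list, a coarse update indicator
        Assessment             = 'Unknown'
    }
    try {
        $status.SecureBootEnabled = [bool](Confirm-SecureBootUEFI)
    } catch {
        # Legacy BIOS / CSM systems expose no UEFI variable service; nothing to check.
        $status.Assessment = "Secure Boot not supported here: $($_.Exception.Message)"
        return [pscustomobject]$status
    }
    # db holds the allowed-signer certificates as DER blobs; subject names are
    # plain ASCII inside them, so a text search is enough to spot each CA.
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $status.Has2023WindowsUefiCa   = $db -match 'Windows UEFI CA 2023'
    $status.Has2023MicrosoftUefiCa = $db -match 'Microsoft UEFI CA 2023'
    $status.Has2011WindowsPca      = $db -match 'Microsoft Windows Production PCA 2011'
    $status.Has2011MicrosoftUefiCa = $db -match 'Microsoft Corporation UEFI CA 2011'
    # dbx may be absent on some firmware; treat that as zero rather than failing.
    try { $status.DbxBytes = (Get-SecureBootUEFI -Name dbx).Bytes.Length } catch { }

    $status.Assessment = if (-not $status.SecureBootEnabled) {
        'Secure Boot disabled: device cannot enforce boot-chain protections'
    } elseif ($status.Has2023WindowsUefiCa) {
        'db trusts the 2023 certificates: eligible for future boot-level updates'
    } else {
        'db lacks the 2023 certificates: apply the Secure Boot update or OEM firmware, or document a compensating control'
    }
    return [pscustomobject]$status
}

Get-SecureBootCertStatus | Format-List
```

Running the function across a fleet (for example through a remoting session) and collecting the Assessment field gives the inventory an administrator needs to decide which endpoints can be updated and which need compensating controls or replacement.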

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Microsoft's 2011 Secure Boot certificates begin expiring
Microsoft's Secure Boot 2011 certificates begin expiring on June 24, 2026. Reporting notes this does not immediately stop older Windows PCs from booting, but it can prevent affected systems from receiving future boot-level security updates such as DBX revocations and Boot Manager updates.
Microsoft rolls out Secure Boot 2023 certificate update broadly
Ahead of the first 2011 Secure Boot certificate expiration on June 24, 2026, Microsoft expanded the rollout of replacement 2023 Secure Boot certificates to eligible Windows 10 and Windows 11 devices. The update preserves the ability to receive future boot-level security updates, and Microsoft added Windows Security status reporting plus guidance about firmware incompatibilities and OEM BIOS updates.
ZDNET reports Linux Secure Boot concerns over 2011 certificate expiry
ZDNET reported that Microsoft Secure Boot certificates from 2011 are approaching expiration in 2026, raising concerns about future Linux boot compatibility on UEFI systems. The article says existing systems should generally keep booting, but older PCs without firmware updates carrying Microsoft's 2023 Secure Boot certificates may not boot newer Linux distributions.
Microsoft documents CVE-2024-21302 and VBS rollback mitigations
Microsoft published guidance for CVE-2024-21302, a Windows Secure Kernel Mode elevation of privilege vulnerability that can let an administrator roll back VBS-related system files to vulnerable versions. The guidance describes mitigations including a default-enabled Microsoft-signed CI policy and an optional revocation policy, SkuSiPolicy.p7b, along with deployment and recovery considerations.
Sources
- Windows 11 Secure Boot update released to all, hours ahead of expiry (windowslatest.com)
- A Critical Deadline Is Approaching for Windows and Linux Security | WIRED (wired.com)
- Microsoft reveals how to verify Windows 11's Secure Boot update, what to do if your PC missed it (windowslatest.com)
- Linux users face a Microsoft Secure Boot headache - here's the painkiller | ZDNET (zdnet.com)
- Guidance for blocking rollback of Virtualization-based Security (VBS) related security updates - Microsoft Support (support.microsoft.com)