Microsoft Secure Boot Certificate Refresh Triggers June 2026 Deadline for Windows PCs
What Happened – Microsoft is rolling out a Secure Boot certificate refresh via Windows Update. The UEFI‑level certificates embedded in Windows devices since 2011 expire between June 24 and October 19 2026 and are being replaced with new 2023‑dated certificates that remain valid through 2038.
Why It Matters for TPRM –
- Devices that fail to receive the new certificates will lose future boot‑level security updates, widening the attack surface for bootkits.
- OEMs, MSPs, and any organization that relies on Windows‑based endpoints must verify that their hardware fleet is compliant before the deadline.
Who Is Affected – Enterprises with Windows PCs (desktop, laptop, and thin‑client) across all industries; OEMs and OEM‑managed services that ship or support legacy hardware.
Recommended Actions –
- Verify that Windows Update is enabled on all endpoints and that the latest Secure Boot certificate bundle is installed.
- Inventory legacy devices (pre‑2012 models) and test the certificate transition in a controlled environment.
- For devices that cannot be updated, plan for replacement or isolation from critical workloads.
Technical Notes – The refresh replaces three 2011 certificates (Microsoft KEK CA 2011, Microsoft UEFI CA 2011, Microsoft Windows Production PCA 2011) with 2023‑dated equivalents (Windows UEFI CA 2023, Microsoft KEK 2K CA 2023). No new CVE is disclosed; the risk is loss of future Secure Boot updates, which protect against boot‑level malware such as bootkits. Source: Malwarebytes Labs