From Singapore: A security maintenance effort spanning the entire Windows ecosystem is quietly moving toward a June 2026 deadline that could leave hundreds of millions of computers vulnerable to boot-level attacks if the details go overlooked.
Secure Boot certificates originally issued in 2011 begin expiring in June 2026. These certificates, stored in a PC's firmware, are the foundation of Windows' ability to verify that only trusted software runs during system startup. Once they expire, affected devices face a choice: update the certificates proactively or accept a weakened security posture.
The good news for most users is straightforward. Most Windows devices will receive the updated certificates automatically, and many OEMs provide firmware updates when needed. The new Secure Boot certificates will be installed automatically via regular monthly updates for customers who allow Microsoft to manage Windows updates on their systems. Additionally, many PCs manufactured since 2024, and the vast majority shipped last year, already include updated certificates.
Devices that haven't received the newer 2023 certificates will continue to start and operate normally, and standard Windows updates will continue to install. However, these devices will no longer be able to receive new security protections for the boot process itself. This limits the device's protection against emerging threats and may affect scenarios that rely on Secure Boot trust, such as BitLocker hardening or third-party bootloaders.
What makes this situation more than a routine maintenance task is the complexity of the underlying infrastructure. Secure Boot is a chain of trust: a hierarchy of cryptographic certificates stored in firmware. The signature database (DB) holds the certificates your PC trusts to sign bootloaders, drivers, and firmware components, functioning like a guest list for the boot process. Three separate Microsoft certificates expire at different times: two in June 2026 and a third in October 2026.
For IT administrators managing corporate fleets, the picture becomes more complex. Windows Server does not receive the 2023 Secure Boot certificates automatically, so IT administrators must manually update the certificates, unlike Windows PCs, which receive them through monthly updates. Organisations need to coordinate with hardware manufacturers to ensure firmware updates are available before applying new certificates.
The risk is not theoretical. Bootkit malware can be difficult or impossible to detect with standard antivirus software; the BlackLotus UEFI bootkit, for example, already exploits an unsecured boot path as an attack vector. When the 2011 certificates expire, systems operating without updates become increasingly vulnerable to such attacks, because they cannot receive new mitigations for newly discovered boot-level vulnerabilities.
A particular concern centres on older devices, especially those no longer supported by their manufacturer. While the firmware should perform the update operations correctly, some implementations may not. Where the firmware does not work correctly and the device is out of support, organisations may need to consider replacing the device to retain Secure Boot protection.
For home users keeping their systems updated through standard Windows Update, action is optional; the system will handle the certificate refresh automatically. For businesses, schools, and organisations managing their own device fleets, the message is clearer: Start by checking the UEFICA2023Status registry key to track deployments, and apply OEM firmware updates across all devices before the Windows certificate update lands. Estimate 48 hours and one or more restarts for the certificates to apply.
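As an added illustration of the fleet check described above (example code, not from the article or from Microsoft), the following PowerShell inventories one device's Secure Boot certificate state. It assumes the standard SecureBoot module cmdlets, the 2023 certificate subject strings, and a registry path for the UEFICA2023Status value that the article does not give; each assumption is marked in a comment.

```powershell
# Added example (not from the article): inventory a device's Secure Boot
# certificate state ahead of the 2026 expiry. Run in an elevated PowerShell
# on a UEFI system with Secure Boot enabled. Assumptions are marked below.

# Confirm Secure Boot is actually on; the checks below are meaningless otherwise.
if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is disabled or this is not a UEFI system.'
    return
}

# Read a raw Secure Boot variable (db = allowed signers, KEK = key exchange
# keys) as text so certificate subject names can be searched by string.
# Get-SecureBootUEFI is a standard cmdlet of the SecureBoot module.
function Get-SecureBootVariableText([string]$Name) {
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    return [System.Text.Encoding]::ASCII.GetString($bytes)
}

$db  = Get-SecureBootVariableText 'db'
$kek = Get-SecureBootVariableText 'KEK'

# Subject strings below are assumed names of the 2011 and 2023 Microsoft CAs.
$report = [ordered]@{
    'DB has Windows UEFI CA 2023'              = $db  -match 'Windows UEFI CA 2023'
    'DB has Microsoft UEFI CA 2023'            = $db  -match 'Microsoft UEFI CA 2023'
    'DB still has Windows Production PCA 2011' = $db  -match 'Windows Production PCA 2011'
    'KEK has Microsoft KEK 2K CA 2023'         = $kek -match 'KEK 2K CA 2023'
}

# Servicing status written by Windows Update. The article names the value
# UEFICA2023Status; the key path used here is an assumption.
$servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$status = (Get-ItemProperty -Path $servicingKey -ErrorAction SilentlyContinue).UEFICA2023Status
$report['UEFICA2023Status'] = if ($null -eq $status) { 'not present' } else { $status }

# Print one line per check; a device is ready when the 2023 entries are True.
$report.GetEnumerator() | ForEach-Object { '{0,-44} {1}' -f $_.Key, $_.Value }
```

Run it through your endpoint-management tool and collect the output per device to see which machines still lack the 2023 certificates before the June 2026 date.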
Microsoft has characterised this as one of the largest coordinated security maintenance efforts across the Windows ecosystem, as it involves firmware updates across millions of device configurations from many hardware manufacturers. That scale reflects both the achievement of deploying the update and the risk inherent in any system-wide change affecting hardware and software across so many configurations.
The deadline itself is not negotiable. June 27, 2026 is when the first certificates expire. PCs will not brick themselves on that date, but every day after it without updated certificates is a day the boot process is less secure than it should be. Reasonable people can differ on whether such a staggered approach was optimal, but the priority now is clear: devices need to be current.