Last updated: July 5, 2026 at 9:01 AM UTC
Tag: secure-boot (1 article)

Deploy 2023 Secure Boot certificates before Microsoft's 2011 ones expire this week

The original 2011 Microsoft certificates that underpin UEFI Secure Boot begin expiring in late June 2026, and organizations that have not rolled out the replacement 2023 certificates risk a slow erosion of boot-level security. Devices will keep starting normally, but once the old certificate authorities lapse they stop receiving Secure Boot updates for pre-boot components, leaving them more exposed to bootkits, and future bootloaders signed only with the new keys may fail to verify. Most consumer Windows PCs receive the 2023 certificates automatically through Windows Update, but Windows Server and many self-managed or older fleets need manual action. A second certificate that signs the Windows bootloader expires in October.

Check
Inventory Windows devices and servers with Secure Boot enabled and check whether the 2023 certificates are present using the Windows Security app, the UEFICA2023Status registry value, or System log Event ID 1808.
Affected
Windows devices, servers, and VMs still relying on the 2011 Secure Boot certificates; Windows Server and self-managed systems are most at risk because they do not receive the 2023 certificates automatically.
Fix
Apply current cumulative and OEM firmware updates, deploy the 2023 KEK and DB certificates (manually on servers), verify completion, and suspend BitLocker if prompted during the update to avoid recovery prompts.