The bottom line: Replacement of outdated Secure Boot certificates is necessary by June 2026 to prevent systems from losing the ability to verify new bootloaders and deploy security updates.
Three Microsoft certificates for UEFI Secure Boot, which have secured the boot layer since 2011, will expire between June and October 2026. Without current replacement certificates, affected systems will no longer be able to verify new boot components and will lose protection against pre-boot attacks.
Three Microsoft certificates, all dating from 2011, currently underpin UEFI Secure Boot: the Microsoft Corporation KEK CA 2011 (expires 24 June 2026), the Microsoft UEFI CA 2011 (27 June 2026), and the Microsoft Windows Production PCA 2011 (19 October 2026). These certificates sign critical boot components as well as updates to the signature and revocation databases, which are what block bootkits.
An expired certificate does not render devices unusable – systems will continue to start, and previously trusted bootloaders remain trusted. The actual problem is more subtle: with the expiration of KEK CA 2011, Microsoft can no longer provide signed updates to revocation lists. New entries against bootkits will no longer reach devices. At the same time, new bootloaders and boot components signed only with 2023 certificates will no longer be verifiable. Security posture at the boot layer freezes at the 2026 level – instead of updating protective measures, systems can only load outdated bootloaders. Linux is explicitly affected via the Third-Party UEFI CA: fresh Linux installations or security updates to Shim after June 2026 will fail verification.
Microsoft is replacing these certificates with updated versions from 2023: the Microsoft Corporation KEK 2K CA 2023, the Microsoft UEFI CA 2023, and the Windows UEFI CA 2023, with the third authority also being split into a separate Option ROM UEFI CA 2023. The transition requires careful planning, as changes to Secure Boot variables alter PCR7 measurements, which will cause BitLocker to prompt for the recovery key. Microsoft recommends temporarily disabling BitLocker before the update.
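To see which of the certificates named above are enrolled on a device, the following added example (not code from CERT.at or Microsoft) parses the EFI_SIGNATURE_LIST structures in a dump of the KEK or db variable and looks for each name in the X.509 entries. The byte-wise name match (instead of full X.509 parsing), the helper names, and the sample data are assumptions of this example.

```python
import struct
import uuid

# EFI_CERT_X509_GUID as defined in the UEFI specification
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Certificate names exactly as listed in the article
EXPIRING_2011 = ["Microsoft Corporation KEK CA 2011", "Microsoft UEFI CA 2011",
                 "Microsoft Windows Production PCA 2011"]
REPLACEMENT_2023 = ["Microsoft Corporation KEK 2K CA 2023", "Microsoft UEFI CA 2023",
                    "Windows UEFI CA 2023", "Option ROM UEFI CA 2023"]

def x509_entries(var: bytes, efivarfs: bool = True):
    """Yield raw X.509 blobs from a KEK/db variable (array of EFI_SIGNATURE_LIST)."""
    off = 4 if efivarfs else 0            # efivarfs prepends 4 attribute bytes
    while off + 28 <= len(var):
        sig_type = uuid.UUID(bytes_le=var[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", var, off + 16)
        if list_size < 28 or sig_size <= 16 or off + list_size > len(var):
            raise ValueError(f"malformed signature list at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while sig_type == EFI_CERT_X509 and pos + sig_size <= end:
            yield var[pos + 16:pos + sig_size]   # skip 16-byte SignatureOwner GUID
            pos += sig_size
        off = end                         # non-X.509 lists (hashes) are skipped

def audit(var: bytes, efivarfs: bool = True) -> dict:
    """Map each certificate name from the article to whether it is enrolled."""
    certs = list(x509_entries(var, efivarfs))
    return {n: any(n.encode() in c for c in certs)
            for n in EXPIRING_2011 + REPLACEMENT_2023}

def make_sig_list(sig_type: uuid.UUID, payload: bytes) -> bytes:
    """Build a single-entry EFI_SIGNATURE_LIST (used only for the sample below)."""
    sig = bytes(16) + payload             # zeroed owner GUID + signature data
    return sig_type.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig

# Constructed sample: placeholder blobs holding only a subject name, not real DER.
SAMPLE_DB = (bytes([0x27, 0, 0, 0])       # efivarfs attribute prefix
             + make_sig_list(EFI_CERT_X509, b"CN=Microsoft UEFI CA 2011")
             + make_sig_list(EFI_CERT_X509, b"CN=Microsoft Windows Production PCA 2011")
             + make_sig_list(EFI_CERT_X509, b"CN=Windows UEFI CA 2023"))

if __name__ == "__main__":
    for name, present in audit(SAMPLE_DB).items():
        print(f"{'present' if present else 'MISSING':8} {name}")
```

On Linux the real variables can be read from `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and `/sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c` and passed to `audit()` as bytes.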
Source: www.cert.at · Published 16 June 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.