Tech Insights for Windows Specialists' Daily Reading

Prepare for the upgrade of your 2023 Secure Boot certificates before their anticipated expiration in June 2026.

Tech Blog for Windows Professionals

In June 2026, Windows systems will require an update to their Secure Boot certificates due to the expiration of the legacy 2011-era certificates. This update is crucial to ensure that devices continue to boot securely and remain capable of pre-boot updates without failure.

The process involves Microsoft distributing updated Secure Boot certificate packages via staged Windows Update releases. These packages update the UEFI variables that store the trust anchors, namely the Platform Key (PK), the Key Exchange Key (KEK), and the signature databases (db and dbx) against which firmware and bootloader signatures are verified.

Coordination with hardware and OEM partners is essential because firmware must support updating these keys. For managed environments, updates can be deployed via tools like SCCM or MDM systems, but administrators must validate deployment mechanisms and potentially use manual/offline update paths for firmware or air-gapped systems.

IT administrators preparing for the update should begin inventorying devices now to identify those using legacy certificates to ensure they are included in update plans. The certificate rollover should be treated as a multi-quarter project that includes testing updates early on test devices, coordinating firmware updates with OEM vendors, and staging deployments.

Monitor Microsoft’s official guidance and update releases for known issues and additional instructions. Validate remote provisioning and endpoint management workflows to ensure a smooth rollout and remediation for affected devices. Include Secure Boot certificate update readiness as part of ongoing patch management and security update cycles.

Unless your organization's entire Windows ecosystem is updated to certificates dated 2023 or newer, devices will lose the ability to install Secure Boot security updates after June 2026, will not trust third-party software signed with the new certificates after June 2026, and will stop receiving security fixes for Windows Boot Manager by October 2026.

For Linux systems dual booting with Windows, Windows will update the certificates that Linux relies on. Secure Boot uses a certificate-based trust hierarchy to ensure that only authorized software runs during system startup.

The affected systems include physical and virtual machines (VMs) on supported versions of Windows 10, Windows 11, Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 and Windows Server 2012 R2, that is, the systems released since 2012, including the long-term servicing channel (LTSC).

Microsoft support is only available for supported client versions of Windows 11 and Windows 10. Once Windows 10 reaches end of support in October 2025, consider getting Extended Security Updates (ESU) for Windows 10, version 22H2 if you're not ready to upgrade.

In the coming months, Microsoft expects to update the Secure Boot certificates as part of their latest cumulative update cycle. To maintain timely updates to new certificates for supported Windows systems, it is recommended to let Microsoft manage Windows updates, including Secure Boot.

For more information and resources, bookmark the Windows Tech Community and follow @MSWindowsITPro on X and LinkedIn. Additional resources for Secure Boot, Windows devices, and Enterprise deployment guidance for CVE-2023-24932 are available.

It's important to note that the unsecured boot path can be used as a cyberattack vector by the BlackLotus UEFI bootkit (CVE-2023-24932). To maintain the security of affected Windows devices, it's crucial to stay updated with the latest Secure Boot certificates.

A close collaboration with original equipment manufacturers (OEMs) who provide Secure Boot firmware updates is essential. Toggling Secure Boot on or off might erase the updated certificates. If Secure Boot is on, leave it enabled. Air-gapped devices might receive limited support for Secure Boot updates from Microsoft.

For devices that may not receive the new CAs, enabling Secure Boot with guidance from "Windows 11 and Secure Boot" might be necessary. The UEFI Secure Boot DB and KEK need to be updated with the corresponding new certificate versions. Every Windows system with Secure Boot enabled includes the same three certificates in support of third-party hardware and the Windows ecosystem.
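The inventory step described earlier (identifying devices that still carry only the legacy certificates) and the db/KEK check just mentioned can be scripted. The following PowerShell is an added example written for this article, not Microsoft's or the original author's code. It uses the `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets from Windows' built-in SecureBoot module; the certificate subject strings it searches for are assumed to match the names Microsoft uses for its 2011 and 2023 CAs and should be verified against current Microsoft guidance before the report is relied on.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article: report which Secure Boot
# CAs are enrolled in this machine's UEFI db and KEK variables so that devices
# still carrying only the 2011-era certificates can be scheduled for update.
# The subject strings below are an assumption (Microsoft's documented CA names);
# confirm them against current Microsoft guidance.

# Subject strings expected in db (signature database) and KEK (key exchange key).
$Db2011  = @('Microsoft Corporation UEFI CA 2011', 'Microsoft Windows Production PCA 2011')
$Db2023  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
$Kek2011 = @('Microsoft Corporation KEK CA 2011')
$Kek2023 = @('Microsoft Corporation KEK 2K CA 2023')

function Get-EnrolledCAs {
    param([string]$VariableName, [string[]]$Candidates)
    # The UEFI variable comes back as raw bytes; the DER certificates inside
    # carry their subject CN as plain ASCII, so a substring search finds them.
    $bytes = (Get-SecureBootUEFI -Name $VariableName).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return @($Candidates | Where-Object { $text.Contains($_) })
}

function Get-SecureBootCertInventory {
    $report = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $null
        DbCAs2011         = @()
        DbCAs2023         = @()
        KekCAs2011        = @()
        KekCAs2023        = @()
        NeedsUpdate       = $null
        Error             = $null
    }
    try {
        # Throws on legacy-BIOS machines or when the UEFI variables are unreadable.
        $report.SecureBootEnabled = Confirm-SecureBootUEFI
        $report.DbCAs2011  = Get-EnrolledCAs -VariableName 'db'  -Candidates $Db2011
        $report.DbCAs2023  = Get-EnrolledCAs -VariableName 'db'  -Candidates $Db2023
        $report.KekCAs2011 = Get-EnrolledCAs -VariableName 'KEK' -Candidates $Kek2011
        $report.KekCAs2023 = Get-EnrolledCAs -VariableName 'KEK' -Candidates $Kek2023
        # Flag the device when Secure Boot is on but db or KEK still lacks a
        # 2023 CA; both databases must carry the new CAs for the rollover to be done.
        $report.NeedsUpdate = $report.SecureBootEnabled -and (($report.DbCAs2023.Count -eq 0) -or ($report.KekCAs2023.Count -eq 0))
    } catch {
        $report.Error = $_.Exception.Message
    }
    return [pscustomobject]$report
}

# Local run; for a fleet, wrap the call in Invoke-Command and collect the objects centrally.
Get-SecureBootCertInventory |
    Select-Object ComputerName, SecureBootEnabled, NeedsUpdate,
        @{ n = 'DbCAs2023';  e = { $_.DbCAs2023 -join '; ' } },
        @{ n = 'KekCAs2023'; e = { $_.KekCAs2023 -join '; ' } },
        Error |
    Export-Csv -Path "$env:TEMP\secureboot-inventory.csv" -NoTypeInformation -Append
```

Devices reported with `NeedsUpdate` set to true are the ones to put on the update plan; a non-empty `Error` column usually means a legacy-BIOS machine, a VM without UEFI, or a device where the variables are not exposed, which deserves its own follow-up rather than being silently skipped. Because toggling Secure Boot can erase updated certificates, the script only reads the variables and never changes them.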

The expiration of the Secure Boot certificates can lead to compromised security at startup, threatening the overall security of affected Windows devices, especially due to bootkit malware. To prevent this, it's essential to stay informed and take the necessary steps to update your Secure Boot certificates.

  1. To ensure a smooth transition and maintain the security of affected Windows devices, administrators should coordinate with hardware and OEM partners for firmware updates that support the new Secure Boot certificates, as these updates are necessary to validate firmware and bootloader signatures.
  2. Given the approaching deadline for the update of Secure Boot certificates on Windows systems, it's crucial for IT administrators to validate their organization's entire Windows ecosystem, ensuring that systems with legacy certificates are included in the update plans to prevent cyber-attacks and security breaches.
