Windows secure-boot certificate expires

- Microsoft said on June 26, 2025, that Secure Boot certificates first issued in 2011 begin expiring in June 2026 across supported Windows PCs and servers. (techcommunity.microsoft.com)
- Microsoft’s support guidance says devices may still boot after June 2026, but can miss future boot-manager, revocation-list and early-boot security protections. (support.microsoft.com)
- Microsoft directs admins to check firmware and deploy the 2023 certificate updates before June 2026; Red Hat and SUSE have published Linux guidance. (learn.microsoft.com)

Microsoft is preparing a broad Secure Boot certificate rollover before the current Windows-era certificates begin expiring in late June 2026. The certificates, first issued in 2011, sit in UEFI firmware and are used to verify that bootloaders and other pre-OS components are trusted before Windows starts. Microsoft said supported Windows devices need the newer 2023 certificates to keep receiving future Secure Boot protections. (techcommunity.microsoft.com) The change also reaches beyond Windows because some Linux systems rely on Microsoft-signed boot components. (support.microsoft.com)

### Which certificates are expiring, and why does that matter?

Secure Boot, which Windows has supported since Windows 8, uses certificates stored in firmware to validate code that runs before the operating system loads. Microsoft said the original certificates used across Windows systems are nearing the end of their lifecycle after about 15 years of service, with expirations beginning in June 2026. (learn.microsoft.com)

The trust chain starts with the platform key (PK), which authorizes changes to the key exchange key (KEK), which in turn authorizes changes to the allowed-signature database (db) and the forbidden-signature database (dbx). The expiring 2011 certificates are the Microsoft entries in the KEK and db, so Microsoft said any device still relying on them needs the newer 2023 certificates to maintain boot-level protection as future updates are issued. (techcommunity.microsoft.com)

### Will a Windows PC stop booting on the expiration date?

Microsoft’s support guidance says devices that have not received the newer certificates will generally continue to start and receive standard Windows updates. UEFI firmware does not normally enforce certificate validity periods when it checks a signature, so components already signed under the 2011 certificates keep verifying; what ends is Microsoft’s ability to sign new early-boot components under those certificates. The immediate risk is therefore not that every machine fails on June 26, 2026, but that affected systems may no longer be able to accept future protections for early-boot components such as the Windows Boot Manager, the Secure Boot databases and revocation lists. (support.microsoft.com)

Microsoft also says higher-risk cases can include Secure Boot validation errors, BitLocker recovery prompts, startup hangs and devices failing to boot, especially where firmware is outdated or certificate remediation does not apply correctly. The company advises checking event logs for Event IDs 1801 and 1795 and verifying whether the `UEFICA2023Status` registry value shows the expected updated state. (support.microsoft.com)

### Which systems are in scope?

Microsoft’s Windows IT Pro guidance says the affected estate includes physical machines and virtual machines running supported versions of Windows 10, Windows 11, and Windows Server 2025, 2022, 2019, 2016, 2012 and 2012 R2, including LTSC releases. Microsoft said Copilot+ PCs released in 2025 are not affected. (support.microsoft.com)

Nuno Costa, a partner director in Windows servicing and delivery, wrote in February that many newer PCs built since 2024, and almost all devices shipped in 2025, already include the updated certificates. That leaves the main operational burden on older in-market devices and the organizations that manage them. (learn.microsoft.com)

### Why does Linux show up in a Windows certificate story?

Microsoft said Linux systems that dual-boot with Windows depend on certificate updates that Windows installs in firmware. SUSE said the Microsoft certificates used to verify existing shims expire in June 2026 and that shims signed with a new key will require updated firmware certificates. (techcommunity.microsoft.com)

Red Hat drew a narrower distinction. Pradeep Jagtap wrote in February that existing RHEL systems that boot today should continue to boot after June 26, 2026, because the expiration affects the signing of new boot components rather than already trusted ones. Red Hat said it plans updated shims for supported releases, starting with RHEL 9.7, after testing. (blogs.windows.com)

### What are administrators supposed to do now?

Microsoft said organizations should first identify devices still using the 2011 Secure Boot certificates, then update firmware, test on pilot groups and deploy certificate remediation through supported tools such as Intune, Group Policy and configuration service providers. The company said Microsoft-managed monthly updates are already rolling out the new certificates to in-support Windows devices. (techcommunity.microsoft.com)

Microsoft’s current documentation points administrators to its Secure Boot certificate update guidance and rollout landing page ahead of the late-June 2026 deadline. SUSE tells customers to install firmware updates containing the new certificates and then apply shim updates, while Red Hat says supported releases will receive newly signed shims as the transition proceeds. (developers.redhat.com) (techcommunity.microsoft.com) (learn.microsoft.com)
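The first step Microsoft describes, identifying devices still on the 2011 certificates, and the checks it recommends (Event IDs 1801 and 1795, the `UEFICA2023Status` registry value) can be gathered in one script. The following PowerShell is an added example written for this page; it is not code from Microsoft's guidance, the article, or the Linux vendors. It assumes an elevated session on a UEFI machine with the built-in SecureBoot module, that the 2023 certificate subject names are the ones shown in the comments, and that the servicing events are written to the System log by the `Microsoft-Windows-TPM-WMI` provider; verify all three against Microsoft's current documentation before relying on the verdict.

```powershell
# Added example, not from the article or from Microsoft's own guidance.
# Inventories one device's Secure Boot certificate state ahead of the June 2026 rollover.
# Requires an elevated session on a UEFI machine with the built-in SecureBoot module.
# Assumptions (verify against Microsoft's current documentation):
#   - 2023 CA subject names as written in the comments below; 2011 PCA shown for comparison.
#   - Event IDs 1795/1801 come from the Microsoft-Windows-TPM-WMI provider in the System log.

function Get-SecureBootCertState {
    [CmdletBinding()]
    param()

    $state = [ordered]@{
        SecureBootEnabled   = $false
        UEFICA2023Status    = 'Unknown'  # registry value: NotStarted / InProgress / Updated
        KEK2023Present      = $false     # 'Microsoft Corporation KEK 2K CA 2023' in KEK
        WindowsCA2023InDb   = $false     # 'Windows UEFI CA 2023' in db (signs the new boot manager)
        UefiCA2023InDb      = $false     # 'Microsoft UEFI CA 2023' in db (signs third-party shims)
        OptionRomCA2023InDb = $false     # 'Microsoft Option ROM UEFI CA 2023' in db
        PCA2011StillInDb    = $false     # expected to remain until Microsoft revokes it via dbx
        RecentEvents        = @()
        Verdict             = 'Unknown'
    }

    # 1. Is Secure Boot on at all? Confirm-SecureBootUEFI throws on legacy BIOS/CSM boots.
    try { $state.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) } catch { $state.SecureBootEnabled = $false }

    # 2. Servicing state Windows records while it applies the 2023 certificates.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    if ($svc -and $svc.PSObject.Properties['UEFICA2023Status']) { $state.UEFICA2023Status = $svc.UEFICA2023Status }

    # 3. Read the firmware variables directly. Certificate subject names are stored as
    #    ASCII inside the EFI_SIGNATURE_LIST blobs, so a substring match is sufficient.
    if ($state.SecureBootEnabled) {
        $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
        $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $state.KEK2023Present      = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        $state.WindowsCA2023InDb   = $db  -match 'Windows UEFI CA 2023'
        $state.UefiCA2023InDb      = $db  -match 'Microsoft UEFI CA 2023'
        $state.OptionRomCA2023InDb = $db  -match 'Microsoft Option ROM UEFI CA 2023'
        $state.PCA2011StillInDb    = $db  -match 'Microsoft Windows Production PCA 2011'
    }

    # 4. Recent servicing events: 1801 = CA/keys still need updating,
    #    1795 = a Secure Boot variable update attempt failed.
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1795, 1801 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue
    $state.RecentEvents = @($events | ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Summary = ($_.Message -split "`r?`n")[0] }
    })

    # 5. Collapse the checks into one verdict suitable for fleet reporting.
    $state.Verdict = if (-not $state.SecureBootEnabled) { 'SecureBootOff' }
        elseif ($state.KEK2023Present -and $state.WindowsCA2023InDb -and $state.UEFICA2023Status -eq 'Updated') { 'Ready2023' }
        elseif ($state.UEFICA2023Status -eq 'InProgress') { 'InProgress' }
        elseif ($state.RecentEvents | Where-Object Id -eq 1795) { 'UpdateFailed' }
        else { 'Needs2023Certs' }

    [pscustomobject]$state
}

# Local run. For a fleet, wrap in Invoke-Command, or use the Verdict as an Intune
# detection-script result (non-zero exit when it is not 'Ready2023').
Get-SecureBootCertState | Format-List
```

A device that reports `Needs2023Certs` with `SecureBootEnabled` true is the population Microsoft's first step is meant to find; `UpdateFailed` (a recent 1795) is the case where firmware should be updated before remediation is retried, matching the outdated-firmware warning above. The script only checks that the 2023 CAs are present in KEK and db; whether the installed boot manager has already been switched to one signed under the 2023 CA is a separate step in Microsoft's rollout and is not inspected here.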
