Microsoft is revamping the core security of its startup process, replacing the original Secure Boot certificates from 2011 with new, long-term credentials valid until 2038. This transition will begin in June 2026.
A Necessary Security Refresh
Microsoft has initiated a multi-phase process to replace the original Secure Boot certificates issued in 2011 with new certificates dated 2023. The transition modifies the Unified Extensible Firmware Interface (UEFI) at the firmware level and is scheduled to run from June 2026 through October 2026. The 2011 certificates are approaching cryptographic expiration, while the 2023 certificates are valid until 2038.
Secure Boot certificates verify that the initial software loading processes, which occur before Windows starts, have not been tampered with. These certificates are part of Secure Boot, a standard platform integrated into the firmware of modern Windows systems, typically enabled by default via UEFI. The certificate refresh is designed to maintain security of the PC startup process, allowing only trusted firmware and components to load before Windows.
The deprecation generally applies to Windows 10 version 1607 and later, and all versions of Windows 11. To receive certificate updates for Windows 10, systems must be enrolled in the Extended Security Updates (ESU) program.
The 2023 certificates expire in 2038, but Post-Quantum cryptography mandates are expected by 2030.
How the Transition Works
The update process is BitLocker-aware and may cause multiple automatic reboots. According to Microsoft's Richard Powell (Group Engineering Manager), multiple reboots are expected due to three phases: staging, firmware application, and bootloader loading.
The transition involves two main stages:
- The new Secure Boot certificate becomes available to Windows
- That certificate is subsequently applied to the system firmware
Many systems will temporarily remain in the first stage as Microsoft gathers telemetry and reliability data before pushing firmware-level changes.
Update Rollout
Microsoft is rolling out the update in phases via Controlled Feature Rollouts (CFR) and Latest Cumulative Updates (LCU). Automated updates for most users began rolling out in 2024. Microsoft hosted an "Ask Microsoft Anything" (AMA) session in March 2026 to address technical questions.
System Requirements and Limitations
- Legacy BIOS Systems: The update is skipped on systems where SecureBootCapable = False
- Disabled Secure Boot: The update errors out if Secure Boot is disabled; such systems are not affected by this deprecation
- Windows Server: Windows Server does not participate in automated CFR; administrators must apply certificates manually via PowerShell
- Hyper-V: Both host and guest virtual machines must be updated for the Key Exchange Key (KEK) update to complete (per Arden White, Principal Security Engineer)
Impact on Systems
After June 2026
Systems without the 2023 certificate will still boot but will stop receiving:
- Boot-critical updates
- Malware blacklists (DBX revocation lists)
Future OS Upgrades
Operating system upgrades beyond Windows 11 version 26H2 will require the 2023 certificate.
Consequences of Non-Compliance
Failure to update certificates will prevent Windows from maintaining current boot-time security features and databases, potentially exposing the system to vulnerabilities. Expired certificates do not prevent code from loading or executing; other software layers determine the response to unverified code. Responses can range from a notification in Event Viewer to interference with software functionality, such as BitLocker disk encryption. Enterprise-managed systems, with multiple security layers, may experience more restrictive responses.
Event Viewer Logs
Users may observe new TPM-WMI errors in Event Viewer, particularly after installing the February 2026 Patch Tuesday update (KB5077181). These logs, such as Event ID 1801 with messages like "BucketConfidenceLevel: Under Observation – More Data Needed," represent status checks during the phased rollout and do not indicate system errors or failures.
Windows can download and stage new certificates within the operating system before they are adopted by the firmware. This staging process results in logs that appear as errors but are informational status messages.
Verifying Update Application
To confirm successful application of the new certificate in Event Viewer:
- Navigate to Windows Logs > System
- Filter by TPM-WMI (or Microsoft-Windows-TPM-WMI) as the event source
- Look for Event ID 1808 (successful application of the new Secure Boot certificate) and Event ID 1034 (DBX revocation list update confirmation)
Checking Certificate Status
Windows Security
Users can verify certificate status in Windows Security > Device Security > Secure Boot section:
- Green: All certificates are applied
- Yellow or Red alerts: Action required
PowerShell
Users can verify if the Windows UEFI CA 2023 certificate is present using PowerShell:
- Open PowerShell as administrator
- Run:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
True indicates the certificate is present; False means the device is awaiting the certificate.
It is possible for the PowerShell check to return True while Event Viewer still shows pending messages, as the OS-level update can precede firmware application.
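The one-liner above only answers whether the OS has staged the certificate into the DB variable. The following script is an added example (not Microsoft's tooling and not the aka.ms/GetSecureBoot script) that combines that DB check with the Event Viewer signals described in the verification section, so the two stages of the transition can be told apart: certificate present in the OS-visible DB versus firmware application confirmed by Event ID 1808. It assumes an elevated PowerShell session on a UEFI machine; the KEK subject string 'Microsoft Corporation KEK 2K CA 2023' is Microsoft's published name for the 2023 KEK and is not taken from this article, and the function and variable names are the example's own.

```powershell
# Added example: report Secure Boot certificate rollout state on the local machine.
# Run from an elevated PowerShell session. Names used:
#   'Windows UEFI CA 2023'                 - DB entry named in the article
#   'Microsoft Corporation KEK 2K CA 2023' - Microsoft's published 2023 KEK name (assumption, not on the page)
function Get-SecureBootCertStatus {
    $result = [ordered]@{}

    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI systems, where the update is skipped anyway.
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $result.SecureBootEnabled = $null
        $result.Note = 'Not a Secure Boot capable (UEFI) system; update does not apply.'
        return [pscustomobject]$result
    }

    # The DB and KEK variables hold DER-encoded certificates; the subject CN is a
    # printable string, so an ASCII substring match is enough to spot the new CAs.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name kek).Bytes)
    $result.DbHasWindowsUefiCa2023 = [bool]($db  -match 'Windows UEFI CA 2023')
    $result.KekHas2023Ca           = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')

    # TPM-WMI events from the System log: 1801 = status/telemetry during rollout (not an error),
    # 1808 = new certificate applied, 1034 = DBX revocation list updated.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TPM-WMI'
        Id           = 1801, 1808, 1034
    } -ErrorAction SilentlyContinue
    $result.Event1801_StatusSeen    = [bool]($events | Where-Object Id -eq 1801)
    $result.Event1808_CertApplied   = [bool]($events | Where-Object Id -eq 1808)
    $result.Event1034_DbxUpdated    = [bool]($events | Where-Object Id -eq 1034)

    # Interpret the combination: staged in the OS vs. applied to firmware.
    if ($result.SecureBootEnabled -eq $false) {
        $result.Note = 'Secure Boot is disabled; the certificate update will error out and not apply.'
    } elseif ($result.DbHasWindowsUefiCa2023 -and -not $result.Event1808_CertApplied) {
        $result.Note = 'Certificate staged at OS level; firmware application still pending (expected during the phased rollout).'
    } elseif ($result.DbHasWindowsUefiCa2023 -and $result.Event1808_CertApplied) {
        $result.Note = 'Windows UEFI CA 2023 present and firmware application confirmed by Event ID 1808.'
    } else {
        $result.Note = 'Device is awaiting the 2023 certificate; check Windows Update and Secure Boot state.'
    }

    [pscustomobject]$result
}

Get-SecureBootCertStatus | Format-List
```

The script reads firmware variables only and changes nothing; Event ID 1801 appearing without 1808 matches the "under observation" state the article describes and is not a failure. On a fleet, the same function can be run through a remoting session and the returned object collected per host, which is closer to what the enterprise monitoring section has in mind than the Event Viewer click-through.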
Enterprise Monitoring
Enterprises can use PowerShell scripts from aka.ms/GetSecureBoot or monitor Event ID 1801 under TPM-WMI events.
Administrator Guidance
Enterprise Deployment
Scott Shell (Principal Software Architect) stated that the update process handles CSM-enabled devices normally, but blanket enterprise deployment of the "Enable Secure Boot Certificate Updates" policy is not recommended. IT administrators should test on specific hardware models first.
PXE Boot Scenarios
A single boot.wim can only offer one Boot Manager. Microsoft has not updated the default boot.wim to 2023 certificates; administrators can manually update it with DISM after fleet firmware update.
Custom Secure Boot Modifications
Microsoft relaxed the check for its Owner GUID to prevent breaking BitLocker on customized enterprise machines.
User Actions Required
Most users are not expected to need to take action, as Windows systems typically update certificates automatically when Secure Boot is enabled. The BIOS date can be checked by typing "msinfo32" into the Windows start menu search field.
Users who have modified update frequencies or disabled Secure Boot should ensure their certificates are updated. Systems that have not been turned on recently should be powered on and updated.
If certificates remain unapplied after enabling Secure Boot and running Windows Update, users may need to consult instructions specific to their computer or motherboard manufacturer.
BIOS Update Guidance
Users are not required to immediately update their BIOS. Microsoft does not directly push firmware changes; these are controlled by device manufacturers. BIOS updates should only be considered if explicitly instructed by the manufacturer or if the update documentation specifically mentions Secure Boot certificate changes. Users should avoid manual modifications like clearing Secure Boot keys or enabling Setup Mode.