Millions of Windows PCs face a ticking clock: the Secure Boot certificates anchoring trust for countless devices since 2011 expire at the end of June 2026. Microsoft’s remedy — a staggered rollout of updated certificates and revocation lists — has already begun, but many machines still lack the critical firmware updates needed to keep the trust chain intact. For organizations and power users, the next steps could mean the difference between a seamless transition and a fleet of unbootable systems.
Secure Boot isn’t just another checkbox in the UEFI firmware. It’s the gatekeeper that validates every piece of code before it runs, from the bootloader to the OS kernel. When a PC powers on, the firmware checks the digital signature of each component against a database of trusted certificates. If the signature doesn’t match, the system halts. The root of this trust — the Key Exchange Key (KEK) — traces back to Microsoft’s 2011 Certificate Authority (CA). But certificates don’t last forever. The Microsoft Corporation KEK CA 2011 will expire on June 28, 2026, after which binaries signed under it will no longer be trusted on machines that rely on the current revocation database.
Microsoft isn’t waiting for the deadline to pass. Since 2022, the company has been issuing updates to the UEFI Secure Boot Forbidden Signature Database (DBX) and rolling out a new CA — the Microsoft Corporation KEK CA 2023. The DBX is a blocklist of compromised or outdated keys; when a certificate expires, its entries move from the trust list to the revocation list. The June 2026 update pushes the 2011-era certificates into the DBX and adds the 2023 CA to the firmware’s trusted store. Without this update, a PC will still boot, but it will reject future bootloaders, drivers, and operating system components signed exclusively with the new CA. In practice, that means Windows Update might fail to install the next major feature update, or secure-boot-dependent features like Hypervisor-Protected Code Integrity (HVCI) will stop working.
The mechanics of the update are deceptively simple. Microsoft delivers the DBX update through Windows Update under the classification “Security Update for Secure Boot DBX.” Typically labeled with a KB number like KB5012170 (a foundational update from 2022 that extended DBX coverage), these payloads are not ordinary patches. They require writing directly to the UEFI firmware, which can take several minutes and demands that the device be connected to AC power. The update also checks whether the firmware itself has implemented the necessary UEFI variable storage. Some older systems — particularly those manufactured before 2016 — may lack the required flash storage space, and the update will fail to install. Microsoft’s telemetry shows a non-trivial percentage of machines hitting this wall.
For IT admins, the 2026 deadline demands a two-pronged audit. First, identify which devices still trust only the 2011 CA. The easiest test: open an elevated PowerShell prompt and run Confirm-SecureBootUEFI. If the result shows True and the SecureBootConfigured property is set to 1, Secure Boot is on, but that alone doesn’t tell you which certificate version is enrolled. A more precise check inspects the KEK entries: the Get-SecureBootUEFI -Name KEK command returns the enrolled CA, including its thumbprint. Admins should look for a certificate whose Subject is CN=Microsoft Corporation KEK CA 2011 versus CN=Microsoft Corporation KEK CA 2023. If both are present, the device has received the update; if only the 2011 CA appears, the system is vulnerable.
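The KEK inspection described above, as an added PowerShell example that is not part of the original article: it reads the raw KEK variable with Get-SecureBootUEFI, walks the EFI_SIGNATURE_LIST structures inside it, and reports each enrolled X.509 certificate's subject, expiry and thumbprint, then flags whether the 2011 and 2023 Microsoft KEK CAs are present. The function name is mine, and it assumes an elevated prompt on a UEFI machine; the same function can be pointed at the db variable, which uses the same on-disk layout.

```powershell
# Added example, not from the article: list the X.509 certificates enrolled in a
# UEFI signature database variable (KEK, db) by parsing its EFI_SIGNATURE_LIST
# entries, then report which Microsoft KEK CAs are present.
# Assumes an elevated prompt on a UEFI system where Get-SecureBootUEFI is available.
function Get-UefiSignatureCertificate {
    param([Parameter(Mandatory)][string]$VariableName)   # 'KEK' or 'db'
    $raw = [byte[]](Get-SecureBootUEFI -Name $VariableName).Bytes
    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # EFI_CERT_X509_GUID
    $offset = 0
    while ($offset + 28 -le $raw.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
        # SignatureHeaderSize, SignatureSize (each a little-endian UINT32)
        $type     = [guid][byte[]]$raw[$offset..($offset + 15)]
        $listSize = [int][BitConverter]::ToUInt32($raw, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($raw, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($raw, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { throw "Malformed signature list at offset $offset" }
        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            if ($type -eq $x509Guid) {
                # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID, then the DER certificate
                $der = [byte[]]$raw[($pos + 16)..($pos + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

# Inspect the KEK and decide which Microsoft KEK CA generation is enrolled
$kek = @(Get-UefiSignatureCertificate -VariableName 'KEK')
$kek | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
$has2011 = [bool]($kek | Where-Object Subject -like '*Microsoft Corporation KEK CA 2011*')
$has2023 = [bool]($kek | Where-Object Subject -like '*Microsoft Corporation KEK CA 2023*')
if ($has2023)     { 'KEK CA 2023 enrolled: ready for the June 2026 expiry' }
elseif ($has2011) { 'Only KEK CA 2011 enrolled: the certificate update has not been applied' }
else              { 'No Microsoft KEK CA found in the KEK variable' }
```

The NotAfter column shows the expiry the article is counting down to, so the same output doubles as the msinfo32 confirmation step without relying on the GUI.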
Second, ensure the DBX update is actually installing. The update history in Windows Update lists successful DBX patches. However, a failure doesn’t always surface as an error code. Often, the update simply doesn’t appear in the catalog for that device because of firmware incompatibility. Microsoft’s compatibility check uses a tool called sechelp that probes for a minimum of 32KB of free space in the firmware’s authenticated variable region. If the check fails, the update won’t be offered. In some cases, a firmware update from the OEM can remedy the situation. Major vendors like Dell, HP, and Lenovo have been releasing UEFI capsules that optimize variable storage to accommodate the new DBX.
The stakes are highest for enterprises with large fleets of older hardware. A 2018 laptop running Windows 10 might still be in production but never have received a firmware refresh. When the 2011 CA expires, those machines could boot into a recovery screen if a future Windows update includes a bootloader signed solely by the 2023 CA. Even if the OS continues to boot, Secure Boot’s protective shield will essentially be disabled for any component that hasn’t been re-signed. Attacker techniques like bootkits that exploit pre-boot vulnerabilities become viable again. Microsoft’s own guidance warns that “devices that don’t install the DBX update will not be able to validate components signed with the 2023 CA, potentially exposing users to security risks even if Secure Boot appears enabled.”
A common misconception is that the 2026 deadline means PCs will stop working entirely. That’s not the case. The system will still power on, and the current OS installation will continue to boot because the existing boot files were signed with the still-trusted 2011 CA. The breakage comes later: when a new boot manager or kernel driver signed with the 2023 CA needs to load, the firmware will refuse it. This could manifest as a blue screen during the next major Windows 11 update or a silent failure of virtualization-based security. The timing of the update matters; Microsoft has been nudging users to install the DBX update for over two years, but adoption has been slow because many IT departments prioritize functional testing over firmware maintenance.
To avoid a last-minute scramble, Microsoft recommends applying the DBX update now and verifying the presence of the 2023 KEK. The latest cumulative DBX update, released in spring 2025, includes all previous revocations and ensures compatibility with the next generation of boot media. Organizations that image their own operating systems need to update their bootable media to include the new certificate. If you’re using Windows Deployment Services or Microsoft Endpoint Configuration Manager, the boot images must be regenerated from the latest ADK and WinPE add-ons, which already incorporate the 2023 CA. Failure to refresh deployment images means newly provisioned machines might not trust the boot sequence and fail to launch the imaging environment.
For security-conscious environments, there’s a proactive step that goes beyond the minimum: apply the DBX update manually using the Microsoft Secure Boot DBX Update for Windows 10 and later from the Microsoft Update Catalog. This forces the revocation list update even if Windows Update hasn’t deemed the machine ready. The catch: if the firmware doesn’t have enough storage space, the tool will error out with a message like “This update cannot be applied because of insufficient firmware space.” In such cases, the only recourse is to update the UEFI firmware to a version that reclaims space, often by retiring deprecated entries. Enterprises can track progress using Microsoft Intune’s report for “Windows 10/11 Secure Boot DBX update” status, which aggregates compliance across the estate.
The industry has seen similar transitions before. The 2019 bootkit attack known as “BootHole” forced a massive DBX update to revoke vulnerable GRUB2 bootloaders. That event taught the ecosystem that firmware updates are not trivial: some users had to disable Secure Boot temporarily to install the patch, and certain third-party bootloaders became permanently non-functional. The 2026 transition is smoother in one respect: the certificates are expiring naturally, not being revoked in response to a vulnerability. But the operational disruption can be identical. Linux dual-boot users on modern distributions that use the Microsoft-signed shim bootloader are equally affected; they need the same DBX updates and may require distribution upgrades to align with the 2023 CA trust anchor.
Microsoft’s communication around the deadline has improved since the early days of Secure Boot. The company published a detailed timeline on the Windows Hardware Dev Center, complete with sample UEFI capsule images for OEMs to integrate. It also collaborated with UEFI.org to standardize the process across the industry. Still, the burden falls on end users and IT staff to act. A simple check can prevent a nightmare: if your PC is already running the latest Windows 11 with all updates installed, you’re likely fine. To confirm, open the System Information app (msinfo32), select “System Summary,” and look for “Secure Boot State.” It should say “On” and, in the details, list the enrolled KEK thumbprints. If the 2023 CA is present, you’re ready for June 2026.
For those running Windows 10, the path is slightly murkier. Mainstream support for Windows 10 ended in October 2025, but the operating system still receives extended security updates through 2026 under certain licensing programs. The DBX update itself is independent of the OS lifecycle; it’s a firmware-level change. However, Microsoft’s update delivery channel for Windows 10 may not push the most recent DBX payloads as aggressively. Admins should manually download the latest DBX MSU file from the Update Catalog and deploy it. If the machine still refuses the update, consider upgrading to Windows 11, which includes firmware compatibility improvements baked into the hardware requirements.
The June 2026 date appears far off, but the complexity of firmware updates in large organizations means lead time is essential. Each machine might need its own firmware update from the OEM, which itself must be tested against existing security software that hooks into the boot process. A phased approach, starting with a pilot group, can reveal hidden issues like third-party full-disk encryption products that rely on a specific boot chain. In the worst case, a system that can’t be updated will need to have Secure Boot disabled permanently, reducing its defense against rootkits. The alternative—purchasing new hardware—is costly but sometimes unavoidable for critical legacy workloads.
As the deadline approaches, expect Microsoft to ramp up notifications. Already, the Windows Update history page labels the DBX update with an “Important” banner on affected devices. The Microsoft 365 admin center and Windows Update for Business reports surface compliance statistics. When the clock strikes midnight on June 28, 2026, the update will transition from optional to mandatory for any device that wants to continue receiving security patches. Those who ignore it will still log in and work, but they’ll be running blind against boot-level threats—a risk that no modern enterprise should accept.