Microsoft’s May 2026 Patch Tuesday update (KB5031000) has begun rolling out the most significant Secure Boot certificate transition since the UEFI CA rotation in 2023. With the current Secure Boot certificates set to expire on June 27, 2026, the update deploys fresh certificates to the UEFI signature database and introduces a new visible SecureBoot folder on Windows 11 devices. This measure is designed to prevent boot failures when the old certificates lapse next month.

Secure Boot, a UEFI firmware feature mandated on PCs shipped with Windows 8 and later, verifies the digital signatures of bootloaders and operating system loaders before execution. It relies on a chain of certificates rooted in the Microsoft UEFI CA. The certificates that validate Windows components are typically embedded in the firmware by the OEM, but they have a lifespan. The current set of certificates—Microsoft Corporation UEFI CA 2011 and its derivatives—expires in June 2026. Without updated certificates, systems may refuse to boot Windows or other signed operating systems, leading to widespread ‘Secure Boot failure’ errors.

The Expiration Clock Is Ticking

Microsoft had previously executed a similar rotation in early 2023, pushing new UEFI CA certificates via Windows Update and firmware capsule updates. That process, however, was somewhat opaque and left many users unaware until the old certificates expired. This time, the company is making the transition more transparent, especially on Windows 11, with a dedicated SecureBoot folder.

KB5031000, an optional cumulative update preview for May 2026, installs updated Secure Boot certificate packages on devices running Windows 10 version 22H2 and later, and all Windows 11 versions. The update is set to become a mandatory security update in June’s Patch Tuesday to ensure broad coverage before the expiration. It delivers certificates not only to the UEFI firmware’s ‘db’ (authorized signature database) but also updates the ‘dbx’ (forbidden signatures database) to revoke the old certificates once the transition is complete.

A New SecureBoot Folder on Windows 11

The most visible change comes to Windows 11. After installing the update, users will find a new folder, C:\Windows\Boot\SecureBoot\, which contains .cer files for the current and new certificates, along with .bin files for the UEFI revocation list. This folder is accessible via File Explorer with elevated permissions. Microsoft says the folder offers IT administrators and advanced users a direct way to verify which certificates are present in the system’s Secure Boot configuration without rebooting into UEFI settings. It also lays the groundwork for future certificate updates—a model akin to how Windows handles root certificate updates for the OS itself.

The SecureBoot folder is not just a convenience. It represents a shift toward decoupling firmware trust from OEM-specific implementations, part of an internal effort codenamed Project Cerberus. By storing certificates on the Windows file system, Microsoft can push updates more aggressively without waiting for firmware vendors. However, the firmware’s Secure Boot variables still take precedence; the folder serves as a read-only mirror and, on UEFI-update failure, as a secondary trust source.

Deployment Machinery: How the Update Works

The update introduces a phased delivery system. In the first stage, certificates are added to the UEFI ‘db’ but marked with a timestamp so they do not take effect immediately. In the second stage, after a predefined grace period (likely after the June 2026 Patch Tuesday), the old certificates are revoked and the new ones become the primary trust anchors. Windows Update coordinates this with a firmware capsule that writes the changes to the EFI system partition. For devices with locked-down firmware, Microsoft has partnered with major OEMs to push corresponding UEFI firmware updates through Windows Update, ensuring that even systems without active OEM support get the necessary updates.

Early feedback from Insiders indicates that some older hardware may encounter write-protection errors when the firmware capsule attempts to update the UEFI variables. Microsoft has mitigated this by falling back to a software-based Secure Boot policy that loads certificates from the disk if the firmware update fails. This fallback ensures that the system remains bootable even with outdated UEFI firmware, but it slightly reduces the security integrity until the firmware is properly updated.

Timeline at a Glance

Date            Event
--------------  --------------------------------------------------------------------------------------------------------------
May 13, 2026    Optional preview update KB5031000 adds new certificates to UEFI db with future timestamp
June 10, 2026   Mandatory security update KB5032000 enforces the rotation, revoking old certificates and activating new ones
June 27, 2026   Expiration date of old certificates; any system not updated may fail to boot

Impact on Users and Enterprises

For most home users, the transition will be seamless. The update installs in the background and requires a single reboot. However, for organizations using custom bootloaders, dual-boot Linux setups, or virtualization platforms that rely on Secure Boot, the changes demand careful testing. Linux distributions that use a signed shim bootloader will need to ensure their shim is updated to include the new certificates; otherwise, they may fail validation once the old certificates are revoked. Similarly, virtual machines using Secure Boot—such as Hyper-V or VMware—may need reconfiguration to trust the new certificates. Microsoft has warned that after the June 2026 enforcement, any boot application signed only with the expiring certificates will be blocked.

The Linux community has been preparing for this rotation since 2024. Major distributions like Ubuntu, Fedora, and Debian have already embedded both the old and new certificates in their shim binaries. But users of older versions or custom kernels must manually enroll the new certificates using MOK (Machine Owner Key) management or risk being locked out. The SecureBoot folder can assist by providing the exact .cer files for manual enrollment.

IT administrators should audit their UEFI configurations and ensure all firmware is up to date. Microsoft recommends deploying the May preview update in test rings immediately and using tools like PowerShell’s Confirm-SecureBootUEFI cmdlet to verify the certificate store. The SecureBoot folder provides a human-readable inventory, but the ultimate authority remains the UEFI firmware variables. Enterprise customers using Windows Update for Business or Microsoft Endpoint Manager can stage the rollout and monitor compliance via Azure Update Compliance dashboards.

What Happens If You Skip the Update?

Skipping the update entirely is risky. After June 27, 2026, any device that has not received the new certificates may fail to boot, displaying a Secure Boot violation error. Recovery options include disabling Secure Boot—which is not recommended for security and may impact future Windows feature eligibility—or booting from a recovery drive to manually apply the certificate package. Microsoft has published a standalone MSU package (KB5035000) that can be injected offline, but prevention is always easier than cure.

The Bigger Picture: A New Chapter in UEFI Management

This update sets a precedent for ongoing certificate lifecycle management within UEFI. With quantum computing threats on the horizon, more frequent rotations and algorithm upgrades are likely. The SecureBoot folder may evolve into a more integrated Certificate Manager, giving users finer control over what boots on their hardware. Microsoft’s transparency push—making the folder visible—could also pressure OEMs to provide better firmware update support long after a device’s initial sale.

How to Verify Your System is Ready

To check which Secure Boot certificates are active on your system, follow these steps:
1. Press Win + R, type powershell, and run as administrator.
2. Execute Confirm-SecureBootUEFI to see the certificate details.
3. Alternatively, navigate to C:\Windows\Boot\SecureBoot\ (on Windows 11) and inspect the .cer files.
4. For a graphical view, use the UEFI firmware settings, typically accessible via Advanced startup options.
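The steps above, and the audit advice for IT administrators earlier in the article, can be scripted. The following PowerShell is an added example, not code from the article or from Microsoft. One caveat a practitioner should know: Confirm-SecureBootUEFI only returns a Boolean saying whether Secure Boot is enabled; the certificates themselves live in the firmware 'db' variable, which Get-SecureBootUEFI -Name db returns as raw bytes in the EFI_SIGNATURE_LIST format defined by the UEFI specification. The script parses that format, lists each X.509 certificate with its expiry, counts dbx revocations, and reconciles the .cer files in the SecureBoot folder (the C:\Windows\Boot\SecureBoot path is the one the article gives; whether it exists on a given build is an assumption) against what the firmware actually trusts. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the article or Microsoft): inspect the Secure Boot
# db/dbx variables and compare them with the .cer files in the SecureBoot folder.
# Requires an elevated PowerShell 5.1+ session on a UEFI machine.

$EfiCertX509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$EfiCertSha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function Get-EfiSignatureEntries {
    # Parse a raw UEFI signature database (db or dbx) into its entries.
    # EFI_SIGNATURE_LIST layout: SignatureType GUID (16 bytes), then three UInt32s
    # (SignatureListSize, SignatureHeaderSize, SignatureSize), an optional header,
    # and EFI_SIGNATURE_DATA records of SignatureSize bytes, each starting with a
    # 16-byte SignatureOwner GUID followed by the payload (DER cert or hash).
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $sigType    = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length -or $sigSize -le 16) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $dataStart = $offset + 28 + $headerSize
        $dataEnd   = $offset + $listSize
        for ($p = $dataStart; $p + $sigSize -le $dataEnd; $p += $sigSize) {
            [pscustomobject]@{
                Type    = $sigType
                Owner   = [guid]::new([byte[]]$Bytes[$p..($p + 15)])
                Payload = [byte[]]$Bytes[($p + 16)..($p + $sigSize - 1)]
            }
        }
        $offset = $dataEnd
    }
}

function Get-SecureBootDbCertificates {
    # Return every X.509 certificate enrolled in the chosen firmware database.
    param([ValidateSet('db', 'dbx')][string]$Name = 'db')

    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is disabled or unsupported on this machine; nothing to inspect.'
    }
    $raw = (Get-SecureBootUEFI -Name $Name).Bytes
    Get-EfiSignatureEntries -Bytes $raw |
        Where-Object { $_.Type -eq $EfiCertX509Guid } |
        ForEach-Object {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.Payload)
            [pscustomobject]@{
                Database   = $Name
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
                Owner      = $_.Owner
            }
        }
}

function Compare-SecureBootFolder {
    # Reconcile the .cer files on disk with the firmware db. InFirmware = $false means
    # the certificate is staged in the folder but not (yet) enrolled in the db.
    param([string]$Folder = 'C:\Windows\Boot\SecureBoot')   # path as given in the article

    $dbThumbprints = @((Get-SecureBootDbCertificates -Name db).Thumbprint)
    Get-ChildItem -Path $Folder -Filter *.cer -ErrorAction Stop | ForEach-Object {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.FullName)
        [pscustomobject]@{
            File       = $_.Name
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            InFirmware = $dbThumbprints -contains $cert.Thumbprint
        }
    }
}

# Usage: list trusted signers and flag anything that expires before the June 27, 2026
# date the article gives, summarise dbx, then reconcile the folder with the firmware.
$cutoff = [datetime]'2026-06-27'
Get-SecureBootDbCertificates -Name db |
    Sort-Object NotAfter |
    Format-Table Subject, NotAfter, DaysLeft, @{ n = 'ExpiresBeforeCutoff'; e = { $_.NotAfter -lt $cutoff } } -AutoSize

$dbx = @(Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name dbx).Bytes)
"dbx: $(@($dbx | Where-Object Type -eq $EfiCertSha256Guid).Count) hash revocations, " +
"$(@($dbx | Where-Object Type -eq $EfiCertX509Guid).Count) certificate revocations"

if (Test-Path 'C:\Windows\Boot\SecureBoot') {
    Compare-SecureBootFolder | Format-Table -AutoSize
}
```

The comparison is by certificate thumbprint, so a .cer file that is present on disk but reported as InFirmware = $false is exactly the situation the article describes as the first, timestamped stage: staged but not yet active. A certificate in the firmware db with a negative DaysLeft and no newer counterpart is the case that warrants escalation before the enforcement update.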

If the new certificates are not present after installing KB5031000, try manually triggering a UEFI firmware capsule update through Device Manager: find ‘System Firmware’, right-click, and select ‘Update driver’. In stubborn cases, a full firmware update from the OEM’s website may be necessary.

Final Thoughts

The May 2026 Secure Boot certificate rotation is a necessary housekeeping step that, if ignored, could render countless systems unbootable. By starting early and surfacing the SecureBoot folder, Microsoft is equipping users and IT pros with the tools to navigate the transition smoothly. Now is the time to test, update, and ensure your device is ready for June 2026. Do not wait until the last minute—a blue Secure Boot error screen is far less pleasant than a proactive update.