Microsoft has begun automatically pushing updated Secure Boot certificates to Windows 10 and Windows 11 PCs as part of the June 2026 quality updates, a move designed to preempt widespread boot failures when the original 2011-era certificates expire later this year. The refresh, which quietly broadens an ongoing rollout, applies to all supported devices that meet eligibility criteria, ensuring that Secure Boot continues to validate firmware integrity without manual intervention.
The update addresses a ticking clock that has loomed over the PC ecosystem for more than a decade. When Secure Boot was first introduced with Windows 8 in 2012, the digital certificates used to sign bootloaders, shims, and other UEFI firmware components were issued with a finite lifespan. The primary certificate, often referred to as the “Microsoft Corporation UEFI CA 2011,” is set to expire in 2026. Without replacement, millions of computers would fail to authenticate the boot chain, potentially rendering them unbootable or forcing users to disable Secure Boot entirely—a significant step backward for platform security.
The Expiry Crisis Microsoft Moved Early to Prevent
Secure Boot relies on a chain of trust anchored in cryptographic certificates stored in the PC’s firmware. When the system powers on, UEFI firmware checks the signature of each executable component against a whitelist stored in the Secure Boot database (DB) and a blacklist in the forbidden signatures database (DBX). If a certificate expires and no valid replacement exists, those signature checks can fail. In 2023, Microsoft began issuing new certificates from the “Microsoft Corporation UEFI CA 2023” root, but early deployments were limited to new hardware and intentional opt-in scenarios.
The June 2026 cumulative updates mark the broadest push yet to retire the 2011 certificate. By embedding the 2023 certificate and associated trust anchors into the update process, Microsoft ensures that existing Windows installations automatically accept the new root without requiring a firmware flash or a separate UEFI capsule update. This approach avoids the notorious complexity of BIOS updates, which many users never install.
How the Automatic Certificate Rollout Works
When a PC receives the June 2026 quality update—delivered via Windows Update or WSUS—the servicing stack adds the 2023 Secure Boot certificate to the UEFI signature database if it is not already present. Crucially, this operation is performed while Windows is running, before a reboot, leveraging a signed EFI capsule that the firmware trusts. Microsoft has been testing this mechanism since 2024 on Insider builds and limited production cohorts. The June release expands eligibility to a much wider set of devices.
The rollout is phased. Not every PC will see the change immediately; Microsoft uses telemetry and hardware reports to validate that the capsule installation succeeds before removing safeguard holds. PCs with certain third-party bootloaders or custom firmware configurations may be excluded temporarily. The update also refreshes the DBX blacklist, ensuring that known vulnerable bootloaders—such as those exploited by the BlackLotus UEFI bootkit—remain blocked.
Technical Underpinnings
- KB Context: The certificate refresh is bundled alongside the June 2026 security fixes, so there is no separate KB article. Devices that install the monthly cumulative update for Windows 10 (version 22H2) or Windows 11 (versions 22H2 through 25H2) will receive the new trust anchors.
- Eligibility: Systems must have Secure Boot enabled, TPM 1.2 or higher, and a UEFI firmware revision that supports the EFI capsule update protocol. Most PCs built after 2015 meet these requirements.
- Verification: Users can confirm whether the 2023 certificate is present by running Get-SecureBootUEFI -Name db in an elevated PowerShell session and looking for the certificate thumbprint “C2C0D8A1B4F41D2E” (or similar, depending on the exact signing chain).
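As an added example (not from the article or from Microsoft's own tooling), the following PowerShell parses the raw db variable returned by Get-SecureBootUEFI into its EFI_SIGNATURE_LIST entries and lists each embedded X.509 certificate's subject, thumbprint and expiry, so the 2023 anchor can be identified by name rather than by thumbprint alone; it goes slightly beyond the text by also accepting dbx, where most entries are SHA-256 hashes rather than certificates. It assumes an elevated session on a UEFI system with Secure Boot, and that the 2023 certificate's subject contains the string "CA 2023" (check that pattern against the exact names Microsoft publishes for the chain in use).

```powershell
# Added example: walk the EFI_SIGNATURE_LIST structures in a Secure Boot variable.
$EfiCertX509   = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$EfiCertSha256 = [Guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function Get-SecureBootSignatureEntries {
    param([ValidateSet('db', 'dbx')][string]$Name = 'db')

    # Raw variable contents: one or more EFI_SIGNATURE_LIST structures back to back.
    [byte[]]$raw = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset -lt $raw.Length) {
        # Header: SignatureType GUID (16 bytes), then SignatureListSize,
        # SignatureHeaderSize and SignatureSize as little-endian UINT32.
        $type     = [Guid]::new([byte[]]$raw[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($raw, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($raw, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($raw, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { throw "Malformed EFI_SIGNATURE_LIST at offset $offset" }

        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) followed by the payload.
            $owner = [Guid]::new([byte[]]$raw[$pos..($pos + 15)])
            [byte[]]$data = $raw[($pos + 16)..($pos + $sigSize - 1)]
            if ($type -eq $EfiCertX509) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Kind = 'X509'; Owner = $owner; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
            } elseif ($type -eq $EfiCertSha256) {
                [pscustomobject]@{ Kind = 'SHA256'; Owner = $owner; Subject = $null; Thumbprint = ([BitConverter]::ToString($data) -replace '-'); NotAfter = $null }
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

$entries = Get-SecureBootSignatureEntries -Name db
$entries | Where-Object Kind -eq 'X509' | Format-Table Subject, Thumbprint, NotAfter -AutoSize

# Assumption: the 2023 trust anchors carry "CA 2023" in their subject name.
if ($entries | Where-Object { $_.Kind -eq 'X509' -and $_.Subject -match 'CA 2023' }) {
    'A 2023 Secure Boot CA certificate is present in db.'
} else {
    'No 2023 Secure Boot CA certificate found in db; check Windows Update status and safeguard holds.'
}
```

Running the same function with -Name dbx shows the revocation list the update refreshes: mostly SHA-256 entries, whose count grows with each DBX refresh.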
Who Is Affected—and What Might Go Wrong
The update targets approximately 1.4 billion devices worldwide. The impact is minimal for most users: after the update installs and the system reboots, Secure Boot continues to function with no change in behavior. However, edge cases do exist.
- Dual-boot Linux installations: Some Linux distributions use a shim bootloader signed by a different certificate or rely on a machine owner key (MOK). If the 2023 certificate rollout conflicts with existing DB entries, the boot process could break. Microsoft has worked with major Linux vendors (Canonical, Red Hat, SUSE) to ensure their shims are re-signed with the new certificate. Users on older distributions may need to update their shim manually.
- Custom firmware or modded BIOS: Enthusiasts who have replaced their motherboard firmware with open-source solutions like coreboot may need to manually enroll the new certificate. Without it, Secure Boot validation will fail.
- Safeguard holds: Microsoft monitors rollback data and may place a hold on a device if it detects repeated boot failures after the update. In such cases, the capsule installation will be automatically retried with future updates.
If a device becomes unbootable, recovery options exist. Disabling Secure Boot in the BIOS will allow the OS to start, but that removes the security guarantees. Re-enabling Secure Boot after the certificate has been successfully applied is recommended. IT administrators can also deploy the capsule manually using the PSFxEfi.dll tool, though that is rarely necessary.
The Bigger Picture: UEFI Security Evolves
This certificate refresh is part of a broader effort to modernize the Secure Boot ecosystem. The 2011 certificate has been a target for researchers and attackers alike. Vulnerabilities such as BootHole (CVE-2020-10713) demonstrated that the old signing infrastructure was fragile. By migrating to a new root, Microsoft can deprecate older algorithms and enforce stricter policies for what gets signed.
Simultaneously, the DBX blacklist continues to grow. The June 2026 update also permanently revokes the bootloader used by the BlackLotus malware, which could bypass Secure Boot entirely by exploiting a signed, but vulnerable, bootloader. That revocation is irreversible once applied, meaning that even if an attacker re-installs an old signed bootloader, it will no longer pass validation.
For enterprise environments, the rollout dovetails with new Windows 11 security baselines that require Secure Boot and TPM 2.0. By ensuring that the trust anchors are current, organizations can confidently enforce BitLocker, Credential Guard, and Hypervisor-protected Code Integrity without worrying about certificate expiry undermining their compliance posture.
Actionable Guidance for Users and IT Pros
- Install the June 2026 updates without delay. These are security-mandatory. Windows Update will offer them automatically to all supported editions.
- Verify that Secure Boot is enabled. Open msinfo32.exe and look for “Secure Boot State.” It should say “On.”
- Check for certificate presence post-update. Use PowerShell as described above. If the 2023 certificate is missing, check for safeguard holds via Get-WindowsUpdateLog.
- For dual-boot systems, update your Linux distribution’s bootloader before installing the Windows update. Most distributions will coordinate with the Windows certificate rollout through their own package managers.
- Have a Plan B. In rare cases, a motherboard firmware update may be required. Check your OEM’s support page for a UEFI firmware update that specifically mentions the 2023 Secure Boot certificate. Dell, HP, Lenovo, and others have been releasing these since early 2025.
Looking Ahead
The June 2026 rollout closes a long-standing vulnerability window. But it also raises questions about how Microsoft will handle future certificate transitions. The 2023 certificate itself is set to expire in 2036, and by then the industry will have moved to entirely new cryptographic standards. Expect Microsoft to automate even more of this process as Secure Boot becomes inseparable from the Windows trust model.
In the immediate term, the company’s decision to use the monthly quality update stream—rather than a one-off tool or manual upgrade—reflects a maturing approach to firmware security. Ten years ago, a certificate expiry of this magnitude might have caused widespread panic and manual interventions. Today, it arrives as a silent, incremental improvement. Once again, Patch Tuesday has become the delivery vehicle for quiet, critical infrastructure changes that keep the modern PC ecosystem from collapsing under its own technical debt.