Microsoft has issued a new reminder that the phased rollout of Secure Boot certificate updates remains on track, urging IT administrators and Windows users to continue deploying the necessary changes to avoid future boot failures. The June 2026 advisory emphasizes that the transition to the 2023 Microsoft Corporation UEFI Certificate Authority (CA) is entering a critical stage, and any delay could leave systems stuck in the legacy trust model.
Behind the scenes, the company has been working for years to replace aging Secure Boot certificates that are either expiring or have been compromised. This effort isn’t just a routine security patch—it’s a fundamental shift in how Windows verifies the integrity of boot components, from the firmware all the way up to the operating system loader.
Why Secure Boot Certificates Matter
Secure Boot is a cornerstone of Windows security, designed to prevent unauthorized or malicious code from running during the boot process. It relies on digital certificates stored in the UEFI firmware’s signature database (DB) to validate bootloaders, option ROMs, and other pre-OS components. When a boot binary is signed by a trusted CA, the firmware allows it to execute; otherwise, the device halts.
The problem is that the original Microsoft Corporation UEFI CA certificates issued in 2011 are no longer considered trustworthy. Several high‑profile security incidents—most notably the BlackLotus bootkit—demonstrated how attackers can exploit weaknesses in the boot chain when outdated, signed components are still allowed. BlackLotus was able to bypass Secure Boot even on fully patched Windows 11 systems by leveraging a vulnerability in the legacy boot manager, underscoring the urgency of migrating to newer, more secure certificates.
The Road to 2023 Trust
To address this, Microsoft defined a two‑phase transition to a new CA certificate generated in 2023. The first phase only adds the 2023 CA to the Secure Boot DB, ensuring that devices can accept signatures from both the old and new CAs. The second phase revokes trust in the old CA by publishing a DBX (Secure Boot Forbidden Signature Database) update that blocks any binary signed solely by the legacy certificates.
Microsoft originally introduced the CA addition update as KB5007401 for Windows 10 and Windows 11, delivered through Windows Update. The DBX revocation update came later, most notably as KB5012170, and it has been distributed with extra caution because applying it to a device that hasn’t first added the new CA can render the machine unbootable. That’s exactly why the rollout has been phased and monitored closely.
What Changed in June 2026
The June 2026 communication is not a new deployment start but a reinforcement of the existing strategy. According to internal Microsoft guidance shared with OEMs and enterprise customers, the focus is now on closing the gap: all devices that received Phase 1 must complete Phase 2 with the revocation update. The messaging, summarized as “Stay the Course Toward 2023 Trust,” signals that the window for skipping or postponing the update is narrowing.
Several data points highlight the progress:
- Telemetry shows that over 85% of eligible PCs already have the 2023 CA certificate in their DB.
- Microsoft has begun increasing the rollout velocity of the DBX update, making it available to more of the users who manually check for updates (so-called “seekers”) in Windows Update.
- OEM partners are releasing a fresh wave of UEFI firmware updates that embed the new certificates directly, reducing reliance on the Windows Update servicing stack.
Validation tooling—such as the Microsoft Secure Boot Certificate Update Tool—has been updated to help administrators check compliance. This tool can query a device’s DB and DBX contents, confirm whether both Phase 1 and Phase 2 updates are installed, and highlight any discrepancies that need manual remediation.
What IT Administrators Must Do Now
For organizations still lagging, the June 2026 advisory contains clear guidance:
- Audit your fleet immediately. Use the Microsoft Update Catalog or Windows Update for Business reports to identify machines that haven’t received KB5007401 (or its superseding updates) and the latest DBX update.
- Run the Secure Boot validation scripts. Microsoft provides PowerShell modules and a standalone executable that can be integrated into standard deployment pipelines. These will flag devices with outdated firmware or mismatched certificates.
- Coordinate with your OEM. Many business‑class PCs—especially those from Dell, HP, and Lenovo—require a manufacturer‑specific firmware update to fully support the 2023 CA. Without that UEFI capsule, even a successfully applied Windows Update may not be sufficient.
- Test Phase 2 in a controlled pilot. The DBX revocation update is designed to be non‑disruptive when all prerequisites are met, but complex hardware configurations or custom bootloaders can still cause boot failures. A staged rollout within your organization mirrors Microsoft’s own approach and helps catch corner cases early.
- Plan for the endgame. Although Microsoft hasn’t publicly announced a date for completely deprecating the legacy CA, the June 2026 push strongly suggests that a hard cutoff is coming. Systems that haven’t migrated by that point will not only miss out on security hardening but could become unbootable when the old certificates are finally considered invalid.
Potential Pitfalls and How to Avoid Them
Applying Secure Boot database updates is not without risks. Microsoft itself paused the initial KB5012170 rollout in 2022 after reports of boot failures on certain Lenovo and Acer devices. The underlying issue often stems from a mismatch between the OS‑level update and the firmware’s actual state: if the DBX list received by Windows contains hashes that the firmware cannot process, the update reverts or hangs.
Other common challenges include:
- Dual‑boot or custom UEFI setups. Machines running Linux alongside Windows may have their bootloaders revoked if they rely on shims signed by the old CA. Coordination with the Linux distro maintainers is essential—Red Hat, Ubuntu, and others have already released updated shims, but those must be applied before the DBX update.
- Aftermarket PC components. Custom‑built desktops or third‑party UEFI firmware (e.g., OpenCore on older Macs) might not present the expected Secure Boot interface to the OS, causing the update logic to fail silently. In such cases, manual application of the DBX file via the UEFI shell may be required.
- Virtual machines. Hyper‑V and VMware guests with Secure Boot enabled inherit the host’s DB and DBX state, so host updates automatically affect guests. Administrators should ensure that guest operating systems remain compatible; otherwise, VMs could fail to start.
To mitigate these risks, Microsoft recommends using the Secure Boot Certificate Update Tool’s “simulation mode.” This mode performs a dry run of the DBX revocation and reports any certificates that would be blocked without actually modifying the system, giving IT staff a chance to resolve conflicts proactively.
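As an added example (not Microsoft's tooling and not code from this article) for the fleet-audit step and the dry-run idea above, the script below parses Secure Boot DB and DBX contents as EFI_SIGNATURE_LIST chains, reports which CAs a device trusts and how many SHA-256 revocation entries it carries, and checks which DB certificates a planned DBX update would revoke outright. It assumes the variables were exported per device with PowerShell's Get-SecureBootUEFI -Name db -OutputFilePath db.bin (and likewise for dbx); the sample blobs are constructed so it runs offline, and the 2023 CA subject names are assumed from Microsoft's published certificates.

```python
import hashlib, struct, uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Subject names (ASCII inside the DER certs); the 2023 names are assumed from Microsoft's published CAs.
CA_NAMES = [b"Microsoft Corporation UEFI CA 2011", b"Microsoft UEFI CA 2023", b"Windows UEFI CA 2023"]

def parse_signature_lists(blob):
    """Yield (SignatureType GUID, [SignatureData, ...]) per EFI_SIGNATURE_LIST in the variable."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = blob[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        # Each EFI_SIGNATURE_DATA = 16-byte SignatureOwner GUID + SignatureData (cert or hash).
        yield sig_type, [body[i + 16:i + sig_size] for i in range(0, len(body), sig_size)]
        off += list_size

def certs_in(blob):
    return [c for t, cs in parse_signature_lists(blob) if t == EFI_CERT_X509_GUID for c in cs]

def audit(db_blob, dbx_blob):
    """Report which known CAs DB trusts and how many SHA-256 revocation entries DBX holds."""
    certs = certs_in(db_blob)
    report = {n.decode(): any(n in c for c in certs) for n in CA_NAMES}
    report["dbx_sha256_entries"] = sum(
        len(hs) for t, hs in parse_signature_lists(dbx_blob) if t == EFI_CERT_SHA256_GUID)
    return report

def simulate_revocation(db_blob, planned_dbx_blob):
    """Dry run: names of DB certificates that a planned DBX update would revoke outright."""
    revoked = certs_in(planned_dbx_blob)
    return [n.decode() for n in CA_NAMES for c in certs_in(db_blob) if c in revoked and n in c]

def build_list(sig_type, entries, owner=uuid.UUID(int=0)):
    """Constructed-data helper: one EFI_SIGNATURE_LIST (all entries must be equal length)."""
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0])) + body

# Constructed sample blobs (a real DB carries DER certificates, one list per certificate).
FAKE_CERT_2011 = b"DER-STANDIN:" + CA_NAMES[0]
SAMPLE_DB = build_list(EFI_CERT_X509_GUID, [FAKE_CERT_2011]) + build_list(EFI_CERT_X509_GUID, [b"DER-STANDIN:" + CA_NAMES[2]])
SAMPLE_DBX = build_list(EFI_CERT_SHA256_GUID, [hashlib.sha256(b"revoked-%d" % i).digest() for i in range(3)])
PLANNED_DBX = SAMPLE_DBX + build_list(EFI_CERT_X509_GUID, [FAKE_CERT_2011])
```

Run audit() against each device's exported pair to find machines missing a 2023 CA, and simulate_revocation() against the planned DBX blob before staging Phase 2 to a pilot group.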
The Bigger Picture: A More Secure Windows Ecosystem
The migration to the 2023 CA isn’t happening in a vacuum. It’s part of a broader industry effort to strengthen firmware‑level security. The Trusted Computing Group (TCG) and UEFI Forum have been pushing for better certificate lifecycle management, and Microsoft’s phased approach is becoming a model for other operating system vendors.
Once the legacy Microsoft Corporation UEFI CA is fully deprecated, the attack surface exploited by bootkits like BlackLotus will shrink dramatically. Future Secure Boot updates can be issued more quickly and with less risk because the remaining trusted CAs will have modern cryptographic standards and shorter validity periods.
For enterprise customers, the June 2026 advisory is a clear signal: the time for action is now. Those who have already completed both phases can rest easy; those who haven’t should treat the next few months as a priority. The path to 2023 trust is well established, and the only remaining step is to stay the course.
Microsoft has not yet announced whether future Windows releases—such as Windows Server 2026 or Windows 11 24H2—will require the new certificates by default, but the direction is unmistakable. The June 2026 reminder makes it plain that Secure Boot certificate updates are no longer optional maintenance—they are fundamental prerequisites for keeping Windows devices bootable and secure in the years ahead.