Microsoft's original Secure Boot certificate chain, minted in 2011, will begin expiring in June 2026, forcing a long-planned infrastructure-wide transition to a newer 2023 certificate. The change will trigger additional mandatory reboots on Windows PCs, servers, and recovery media as the new root of trust is laid down. Every device that relies on Microsoft’s UEFI Secure Boot ecosystem must absorb the switch, or risk being rendered unbootable once the old certificates are revoked.
The certificate rotation is not a sudden emergency—it is the predictable consequence of a PKI design decision made over a decade ago. What makes it noteworthy now is its scale and the user-visible impact: a cascade of firmware updates, Windows updates, and extra restart cycles that will roll out over several months starting in mid-2026.
What Secure Boot Actually Does
Secure Boot is a UEFI firmware feature that ensures only trusted software loads during the boot process. At power-on, the firmware checks each component’s digital signature against a database of allowed certificates. If the signature is missing or invalid, the firmware halts the boot. This protects against bootkits and rootkits that attempt to hijack the OS before it even starts.
Microsoft operates its own UEFI Certificate Authority (CA) that signs third-party bootloaders, option ROMs, and recovery tools. The root certificate for this CA, along with various intermediate certificates, is embedded in the firmware by OEMs. When a certificate expires, firmware is supposed to reject any binary signed after the expiry date, though practical enforcement varies widely.
The 2011 certificate chain—technically the “Microsoft Corporation UEFI CA 2011”—has a 15-year validity. A successor, “Microsoft Corporation UEFI CA 2023,” was created with a 20-year lifetime, extending to 2043. The plan has always been to migrate Windows devices to the new chain before the old one expires.
Why Certificates Expire and What Changes
Public key infrastructure relies on expiration to limit the fallout from key compromise and to force cryptographic agility. A 2011 certificate uses algorithms and key lengths that, while still acceptable, are becoming long in the tooth. The 2023 chain uses a SHA-256 hash and a 2048-bit RSA key, consistent with modern NIST recommendations, but the primary driver is the expiration clock, not an immediate security flaw.
Starting with the June 2026 cumulative update, Windows Update will begin delivering the new 2023 CA certificate to devices. The update will place the certificate into the UEFI Secure Boot signature database (the “db”) and, optionally, into the forbidden signature database (the “dbx”) to explicitly revoke the 2011 chain once it is safe to do so. These database modifications cannot be applied while the firmware is running; they require a reboot into a special update mode.
Devices that have already received the 2023 certificate via a firmware update will still need the Windows update to align the OS-level trust. Conversely, devices that only get the OS update without a corresponding firmware update may find themselves unable to boot after the 2011 certificate is revoked, because the firmware itself still trusts only the old chain.
The Extra Reboots, Explained
A standard Windows cumulative update requires a single restart. The Secure Boot certificate switch will demand at least two distinct reboots, and potentially three, depending on the current state of the device:
- First reboot: The Windows update initiates the certificate installation. After the restart, the boot manager adds the 2023 certificate to the firmware’s db. This operation happens early in the boot process, before the OS loads.
- Second reboot: The system restarts again so that the firmware can re-read the modified signature database and boot with the new certificate fully trusted.
- Possible third reboot: If the system also applies a revocation update that adds the 2011 CA certificate to the dbx, an additional firmware reboot may be necessary to activate the blacklist.
Microsoft’s engineering guidelines describe this as a “multi-phase” update. The extra restarts are unavoidable because UEFI variables are non-volatile but require a cold reset to take effect. Users will see a notification that a critical security update requires multiple restarts, similar to firmware update prompts today.
Phased Rollout Across the Ecosystem
Microsoft will not push the entire ecosystem onto the 2023 chain on a single day. The transition will span at least 18 months, in overlapping phases:
- Phase 0 (now through 2025): PC OEMs and firmware vendors embed the 2023 certificate in new devices. Windows 11 already recognizes the 2023 chain. The existing 2011 certificate remains in the db for backward compatibility.
- Phase 1 (June 2026 – September 2026): Windows Update begins offering the 2023 certificate to Windows 11 and Windows 10 devices that do not already have it. This phase will be gradual, with throttling based on device telemetry. No revocations yet—the 2011 certificate still validates.
- Phase 2 (October 2026 – March 2027): Microsoft publishes an update that adds the 2011 CA certificate to the dbx on devices that have successfully booted with the 2023 chain for a minimum period. The revocation is one-way; once applied, any bootloader signed only with the 2011 chain will be blocked.
- Phase 3 (April 2027 onward): The 2011 certificate is fully deprecated. Future hardware may ship without it. Old recovery media and unbootable Windows installations that haven’t been updated will require a dedicated firmware utility to recover.
The phased approach gives enterprises time to test and manage the update via tools like Windows Update for Business. Servers will follow a similar schedule but with additional controls to avoid unexpected reboots in data centers.
Devices Most Affected
The impact of the switch depends heavily on the device type and its current firmware posture:
Consumer PCs and Laptops
Most new consumer laptops sold since 2023 already have the 2023 certificate in firmware, thanks to OEM pre-loading. These devices will receive the Windows update, perform the extra reboots, and continue working. Older machines that haven’t received a firmware update in years could face a boot failure if the revocation is applied before the 2023 certificate is added. Microsoft will likely block the revocation update on such devices until firmware is updated, but users who defer updates for too long might get caught.
Enterprise and Server
Servers are more conservative with reboots. The extra restart cycle could cause unplanned downtime when the update is applied, especially if administrators misinterpret the multi-reboot notification. Hypervisors and clustered nodes will need careful sequencing. Windows Server 2025 and Azure Stack HCI will be the first server products to go through the transition, as they already trust the 2023 certificate natively.
IoT and Embedded Devices
Windows IoT devices that run locked-down custom boot loaders may not have a clear path to update firmware. If the 2011 certificate is the only trusted root, and the OEM never issued a firmware update with the 2023 certificate, the device will become a brick once revocation hits. Microsoft’s IoT team is expected to release guidance specific to common SoC platforms, but the fragmentation makes blanket statements impossible.
USB Recovery Media
Every Windows USB recovery drive created with the Media Creation Tool includes a bootloader signed under the current certificate. Starting mid-2026, freshly created recovery media will be signed with the 2023 chain. Media created before the transition will fail to boot on machines that have revoked the 2011 certificate. IT departments will need to regenerate installation and recovery media to match the firmware state of their fleet.
Virtual Machines
Generation 2 Hyper‑V VMs and Azure VMs use a synthetic firmware that inherits the host’s certificate store. In most cases, applying the host update will update the VM’s firmware transparently. However, saved VM states from before the update may not restore correctly. Microsoft recommends shutting down VMs cleanly before the host transition and discarding old saved states.
User and Administrator Actions
For the average Windows user, the certificate change will manifest as an unusually long update cycle with two or three restarts. Microsoft will surface a clear “Secure Boot certificate update” status in Windows Update, with explanatory text. The key action is simple: do not interrupt the reboot loop; let the process complete.
Enterprises will need to:
- Audit their hardware inventory for devices lacking the 2023 certificate in firmware. Tools already exist in the Windows Assessment and Deployment Kit that can query the Secure Boot variable state.
- Deploy firmware updates proactively during maintenance windows, ideally before June 2026.
- Update deployment tasks for the OS update to expect multiple reboots, adjusting any monitoring that would flag a third reboot as a failure.
- Recreate all bootable USB recovery media, deployment ISOs, and pre‑boot execution environment (PXE) boot loaders after the transition date.
- Test critical line‑of‑business applications that rely on custom boot-time drivers or third‑party bootloaders. These must be signed with the 2023 chain.
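To make the db/dbx mechanics described earlier and the inventory and signing checks in the list above concrete, here is an added PowerShell example. It is not Microsoft's tooling and not part of the original article; it uses the built-in SecureBoot module cmdlets (Confirm-SecureBootUEFI, Get-SecureBootUEFI) and Get-AuthenticodeSignature. It assumes that db and dbx are returned as raw EFI_SIGNATURE_LIST blobs laid out as in the UEFI specification, and that the CA certificate subjects contain the strings "UEFI CA 2011" and "UEFI CA 2023", the names the article gives for the two chains. The file path in the usage line is a placeholder.

```powershell
# Added example, not Microsoft's tooling: inventory the UEFI Secure Boot db and
# dbx on one Windows device, report where it stands in the 2011 -> 2023
# transition, and check whether a boot-time binary is signed under the 2023
# chain. Run from an elevated PowerShell session on a UEFI machine.
#
# Assumptions (mine, not the article's): db/dbx are raw EFI_SIGNATURE_LIST
# blobs as laid out in the UEFI specification, and the CA subjects contain
# "UEFI CA 2011" / "UEFI CA 2023" as the article names the two chains.

#Requires -RunAsAdministrator

# EFI_CERT_X509_GUID from the UEFI specification: marks a list of DER X.509 entries.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-EfiSignatureListCertificates {
    # Walk a concatenation of EFI_SIGNATURE_LIST structures and return the X.509
    # certificates found. Lists of other types (e.g. SHA-256 hashes in dbx) are skipped.
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $certs  = [System.Collections.Generic.List[object]]::new()
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # Header: SignatureType GUID (16) + SignatureListSize (4)
        #         + SignatureHeaderSize (4) + SignatureSize (4)
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        if ($type -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16) + SignatureData (DER cert)
                $der = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
                $certs.Add([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der))
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
    return $certs
}

function Get-SecureBootCaStatus {
    # Summarise this device: is the 2023 CA in db? Has the 2011 CA been placed in dbx?
    $enforced = Confirm-SecureBootUEFI   # $false: db/dbx exist but are not enforced
    $db  = @(Get-EfiSignatureListCertificates -Bytes (Get-SecureBootUEFI -Name db).Bytes)
    try   { $dbx = @(Get-EfiSignatureListCertificates -Bytes (Get-SecureBootUEFI -Name dbx).Bytes) }
    catch { $dbx = @() }                 # no dbx variable present on this firmware

    $has2023   = [bool]($db  | Where-Object { $_.Subject -like '*UEFI CA 2023*' })
    $has2011   = [bool]($db  | Where-Object { $_.Subject -like '*UEFI CA 2011*' })
    $revoked11 = [bool]($dbx | Where-Object { $_.Subject -like '*UEFI CA 2011*' })

    # Map onto the article's phases: without the 2023 CA in db, a revocation
    # update would leave the device unbootable.
    if (-not $has2023)        { $stage = 'NeedsFirmwareOrCertUpdate' }
    elseif (-not $revoked11)  { $stage = 'Phase1Complete (both chains trusted)' }
    else                      { $stage = 'Phase2Complete (2011 chain revoked)' }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SecureBootOn    = $enforced
        TrustedSubjects = @($db | ForEach-Object { $_.Subject })
        Has2023InDb     = $has2023
        Has2011InDb     = $has2011
        Is2011InDbx     = $revoked11
        Stage           = $stage
    }
}

function Test-SignedUnder2023Chain {
    # Does a boot-time binary (bootloader, option ROM, driver) carry an Authenticode
    # signature whose chain includes the 2023 CA? Use it to vet third-party
    # bootloaders before the 2011 chain is revoked.
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { return $false }   # unsigned or unreadable

    # Build the chain even if the UEFI CA is absent from the Windows root store.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.Build($sig.SignerCertificate)

    $names = @($sig.SignerCertificate.Issuer) +
             @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    return [bool]($names | Where-Object { $_ -like '*UEFI CA 2023*' })
}

# Usage: one status object per device for the inventory; the signing check takes a path.
Get-SecureBootCaStatus | Format-List
# Test-SignedUnder2023Chain -Path 'C:\path\to\third-party-bootloader.efi'   # placeholder path
```

Fleet-wide, the status function is meant to be run through Invoke-Command and collected into a CSV, so the "NeedsFirmwareOrCertUpdate" devices can be scheduled for firmware maintenance ahead of the revocation phase. Note that a subject-string match is a convenience for reporting, not a trust decision; the firmware itself matches on the certificate bytes in db and dbx, which is why the parser returns full X509Certificate2 objects that can also be compared by thumbprint.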
Microsoft’s official guidance will be published in a support article and via the Windows release health dashboard several months before the first wave.
Risks of Ignoring the Transition
Refusing the update is not a viable long-term strategy. Once the 2011 certificate is revoked, any attempt to boot a Windows installation that hasn’t absorbed the new key will fail. The device will display a “Security certificate expired” or “Invalid signature detected” message and refuse to proceed. Recovery will then require manual firmware manipulation, often involving clearing the Secure Boot keys, which disables Secure Boot entirely and increases attack surface.
Even if an organization decides to keep the 2011 chain alive by never applying the revocation update, they will lose the ability to boot any modern Windows version. Future Windows releases will eventually be signed exclusively with the 2023 chain. Remaining on the 2011 ecosystem is a dead end.
How Microsoft Is Communicating the Change
Microsoft plans a multi-channel communication strategy similar to the SHA-1 deprecation or the TLS 1.0/1.1 removal. Expect:
- Blog posts on the Windows IT Pro Blog and the Security blog detailing the technical rationale and timeline.
- A dedicated KB article with a Q&A section for common scenarios.
- In-product notifications via the Windows Update page and the Microsoft 365 admin center.
- Direct outreach to OEM partners and silicon vendors to align firmware delivery.
The company has been embedding the new certificate in firmware specs since at least 2022, so the industry is largely ready. The remaining challenge is execution at scale across a billion devices.
The Bigger Picture: A More Secure Boot Future
The certificate rotation is not merely administrative housekeeping; it lays the groundwork for future security improvements. The 2023 chain supports a cleaner revocation mechanism and can be more easily integrated with device attestation services like Microsoft Azure Attestation. It also simplifies the boot chain by retiring older intermediate certificates that were required for legacy compatibility.
While two extra reboots in 2026 may irritate users, the alternative—a crumbling trust infrastructure—would be far worse. The transition underscores a fundamental truth of modern computing: cryptographic trust is perishable and must be refreshed. The June 2026 deadline is the expiration date printed on a very important envelope, and when it arrives, Windows will open it, reboot twice, and move on.