Every Windows PC that relies on Secure Boot faces a hard deadline in 2026. In June 2026 the Microsoft Corporation UEFI CA 2011 (together with the KEK CA 2011 that authorizes Secure Boot variable updates) expires, and in October 2026 the Microsoft Windows Production PCA 2011, the certificate that has vouched for the Windows boot manager since the days of Windows 8, follows. Microsoft is replacing that trust infrastructure before those dates arrive, because once they pass it can no longer sign new boot components with the old keys, and PCs that have not picked up the new certificates stop receiving boot-level security fixes. This is not a distant worry; it is a phased transition already underway through Windows Update, and it demands attention from IT professionals and everyday users alike.

The role of Secure Boot certificates

Secure Boot, a cornerstone of UEFI firmware security, ensures that only signed bootloaders and drivers whose signatures chain to a certificate in the firmware's authorized signature database (the "db") can start a PC. For over a decade the Windows boot manager has been signed under the "Microsoft Windows Production PCA 2011", while its companion, the "Microsoft Corporation UEFI CA 2011", signed third-party UEFI drivers, option ROMs and the Linux shim loaders. A third certificate, the "Microsoft Corporation KEK CA 2011", sits in the Key Exchange Key (KEK) variable and is what authorizes Microsoft to push updates to db and dbx in the first place. All three were issued in 2011 with a 15-year validity period, so their expiration is now less than 18 months away.

The certificates headed for obsolescence are:

  • Microsoft Corporation KEK CA 2011: expires June 2026
  • Microsoft Corporation UEFI CA 2011: expires June 2026
  • Microsoft Windows Production PCA 2011: expires October 2026

UEFI firmware does not check certificate validity dates when it verifies a boot image, so the expiry dates by themselves do not stop an existing PC from booting. What they stop is Microsoft signing anything new with those keys: after June and October 2026 there are no more 2011-signed boot managers, recovery images or third-party drivers, so a device whose db still trusts only the 2011 chain stops receiving boot-component security fixes and cannot boot media signed only with the 2023 chain. Once the 2011 chain is also revoked through the forbidden signature database (the "dbx"), anything still signed with it fails verification outright. The result, for devices that were not migrated in time: a boot failure, a BitLocker recovery prompt, and a potential avalanche of help desk tickets.

A new chain of trust: Windows UEFI CA 2023

To avoid a break, Microsoft stood up a new set of Secure Boot certificates in 2023: the "Windows UEFI CA 2023" (Windows boot manager), the "Microsoft UEFI CA 2023" (third-party bootloaders such as the Linux shim), the "Microsoft Option ROM UEFI CA 2023" (option ROMs) and the "Microsoft Corporation KEK 2K CA 2023" (authorizing future db and dbx updates). These take over signing for new boot components and eventually replace the 2011 chain entirely. But issuing certificates is not enough. Every UEFI firmware implementation on every PC and server that runs Secure Boot must be updated to trust the new CAs (a db update signed under the KEK, plus a KEK update that each OEM signs with its platform key) and, when the time comes, to distrust the old ones. That demands a multi-phase, multi-year rollout.

The phased rollout: from awareness to revocation

Phase 1: Seeding the new CA (2023–2025)

Microsoft began the shift shortly after the 2023 CAs were created. Since the May 2023 security updates, Windows 10 and Windows 11 have carried a signed db update that adds the Windows UEFI CA 2023 alongside the 2011 certificates, so booting continues as normal once it is applied. Applying it was at first opt-in (a registry value triggers a servicing task that writes the variable) and only later moved to a staged automatic rollout, so a fully patched system may or may not have the certificate in its firmware store yet. Check the db variable rather than assuming.

For enterprises, this stage means no immediate action beyond regular patch compliance. However, it is the critical period to audit which devices are actually receiving and applying these updates. Systems with Secure Boot turned off, disconnected from the internet, or running out-of-support Windows 10 branches may fall through the cracks.

Phase 2: 2023-signed boot managers and firmware updates (2024–2025)

With the new CA in db, the next step is to stop depending on the old signature. Microsoft ships two builds of the Windows boot manager, one signed under the Windows Production PCA 2011 and one under the Windows UEFI CA 2023, and the same servicing task replaces the copy on the EFI System Partition with the 2023-signed build once it has confirmed that the firmware trusts the new CA. The ordering matters: a 2023-signed boot manager on a device whose db lacks the 2023 CA will not boot. In parallel, firmware updates from Dell, HP, Lenovo and others add the 2023 CAs to the factory-default db and KEK, so that even a fresh OS installation can boot securely without first receiving a Windows update. Enterprise IT departments are being urged to validate these firmware updates on their fleet hardware.

At this stage, any OS or firmware that hasn’t absorbed the new CA is still running on borrowed time—the old signing is still valid, but the window to act is closing.

Phase 3: Revocation and expiration (2026)

The critical phase arrives in 2026. In June the Microsoft Corporation UEFI CA 2011 (third-party drivers and Linux shims) and the KEK CA 2011 expire, and in October the Windows Production PCA 2011 follows. From those dates on, nothing new can be signed with the old keys. Revocation is a separate, explicit step: Microsoft's servicing updates include a dbx entry that revokes the Windows Production PCA 2011 (the same step that closes the BlackLotus hole, see below). It has been available as an opt-in mitigation since 2023, and once applied the firmware refuses anything signed with that CA regardless of the calendar. Microsoft has said an enforcement phase will eventually make the revocation mandatory but has not announced a date for it. Plan as if it could coincide with the expiry dates.

What happens if you miss the update

The failure modes are concrete. A device whose db never received the 2023 CA will refuse any boot component signed only with that CA: a boot manager written by an imaging tool, a freshly built WinRE or installation image, or a Linux shim signed by the Microsoft UEFI CA 2023. Conversely, a device that has applied the dbx revocation will refuse anything still signed with the 2011 chain: an old recovery USB, a boot partition restored from a pre-migration backup, or a shim that was never updated. In both cases Secure Boot fails before Windows starts, and the firmware shows an error such as "Secure Boot Violation" or "Invalid signature detected" (the wording varies by OEM). If BitLocker protects the OS volume, the changed boot measurements can additionally trigger a recovery key prompt, something that will confuse and alarm users who have never seen their 48-digit recovery password. In enterprise environments, help desks could be flooded with calls, and devices that missed the firmware or OS updates stay unbootable until they are repaired by hand.

The BitLocker entanglement

The Secure Boot update is deeply intertwined with BitLocker. On Secure Boot-capable hardware, BitLocker's default TPM protector is sealed to PCR 7 (the Secure Boot policy: the contents of PK, KEK, db and dbx, plus the certificate that actually verified the boot manager) and PCR 11. Adding a CA to db, revoking one through dbx, and switching to a boot manager verified by a different CA each change that measurement, and a sealed key that no longer matches means a recovery prompt instead of a silent unlock. Because Windows has used the PCR 7 profile by default since Windows 8, the overlap is almost universal on modern devices. Admins should verify that all encrypted devices are receiving the new certificates, that every OS volume has a recovery password escrowed in Active Directory or Microsoft Entra ID (formerly Azure AD), and that BitLocker is suspended for one reboot before any firmware flash, well before the revocation wave hits.
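The pre-flight that follows is an added example, not the article's or Microsoft's code, of what an admin would run on each encrypted device before a firmware flash or a manually triggered Secure Boot servicing step. It reads the TPM protector's PCR profile through the Win32_EncryptableVolume WMI class to confirm the PCR 7 binding, escrows every recovery password, and optionally suspends BitLocker for exactly one reboot. It assumes the BitLocker PowerShell module, an elevated session, and a domain-joined or Entra ID-joined device for the escrow cmdlets.

```powershell
# Added example (not from the article or from Microsoft). Pre-flight for a BitLocker-protected
# OS volume before a firmware flash or a manual Secure Boot servicing step. Assumes: elevated
# session, the BitLocker PowerShell module, and a domain- or Entra ID-joined device for escrow.

function Get-TpmPcrProfile {
    param([Parameter(Mandatory)][string]$MountPoint, [Parameter(Mandatory)][string]$KeyProtectorId)
    # Win32_EncryptableVolume.GetKeyProtectorPlatformValidationProfile returns the PCRs the TPM
    # protector is sealed to. 7 = Secure Boot policy (PK/KEK/db/dbx contents and the CA that
    # verified the boot manager); 4 = the boot manager image itself. Both change in this transition.
    $vol = Get-CimInstance -Namespace 'root/CIMV2/Security/MicrosoftVolumeEncryption' `
        -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$MountPoint'"
    $r = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorPlatformValidationProfile `
        -Arguments @{ VolumeKeyProtectorID = $KeyProtectorId }
    if ($r.ReturnValue -ne 0) { throw ('GetKeyProtectorPlatformValidationProfile failed: 0x{0:X}' -f $r.ReturnValue) }
    [int[]]$r.PlatformValidationProfile
}

function Invoke-BitLockerSecureBootPreflight {
    param(
        [string]$MountPoint = 'C:',
        [ValidateSet('ActiveDirectory', 'EntraID', 'None')][string]$Escrow = 'ActiveDirectory',
        [switch]$SuspendForNextReboot
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$MountPoint is not protected (ProtectionStatus=$($vol.ProtectionStatus)); nothing to prepare."
        return $vol
    }
    $tpm      = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' } | Select-Object -First 1
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        throw "No recovery password on $MountPoint. Add one first: Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector"
    }
    $pcrs    = if ($tpm) { Get-TpmPcrProfile -MountPoint $MountPoint -KeyProtectorId $tpm.KeyProtectorId } else { @() }
    $tpmType = if ($tpm) { [string]$tpm.KeyProtectorType } else { 'none' }

    # Escrow every recovery password; a prompt after the PCR change is then an inconvenience, not data loss.
    foreach ($rp in $recovery) {
        switch ($Escrow) {
            'ActiveDirectory' { Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null }
            'EntraID'         { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null }
        }
    }
    if ($SuspendForNextReboot) {
        # Exactly one reboot: BitLocker re-enables itself afterwards and reseals the key to the
        # new measurements, so there is no recovery prompt and no open-ended unprotected window.
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    }
    [pscustomobject]@{
        MountPoint              = $MountPoint
        TpmProtector            = $tpmType
        PcrProfile              = ($pcrs -join ',')
        BoundToSecureBootPolicy = ($pcrs -contains 7)
        RecoveryPasswords       = $recovery.Count
        EscrowTarget            = $Escrow
        ProtectionStatus        = [string](Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
    }
}

Invoke-BitLockerSecureBootPreflight -MountPoint 'C:' -Escrow ActiveDirectory -SuspendForNextReboot
```

Run it without -SuspendForNextReboot during the inventory phase to collect the PCR profile and escrow state across the fleet; add the switch only in the step that immediately precedes the firmware update or the boot manager swap, since a suspended volume stores its key in the clear until the next boot completes.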

User and IT actions today

For most home users with automatic updates enabled, there is little to do beyond keeping Windows patched and confirming, with the check below, that the new CA has actually landed in firmware. But important caveats remain:

  • Windows 10 reached end of support on October 14, 2025. Devices that are not enrolled in Extended Security Updates no longer receive the monthly updates that carry the certificate servicing, and older LTSB/LTSC branches that have left servicing are in the same position; upgrade or enroll them.
  • PCs with Secure Boot disabled are skipped: the servicing task only writes db and dbx while Secure Boot is enabled. Enable Secure Boot (the OS disk must already be GPT and UEFI-booted), let the update apply, and then decide whether to leave it on.
  • Custom or dual-boot setups with Linux depend on a shim signed by the Microsoft Corporation UEFI CA 2011. Those shims keep booting until that CA is revoked in dbx, but before that happens the distribution needs a shim signed by the Microsoft UEFI CA 2023 and the firmware needs that CA in db.
  • Virtual machines: Hyper-V Generation 2 VMs and VMware VMs with virtual Secure Boot carry their own UEFI variable store, so the same db check and the same updates apply inside the guest. Hypervisor updates typically change the template used for newly created VMs, not the variables of VMs that already exist.

How to verify your system has the new CA

Open an elevated PowerShell prompt and run:

Confirm-SecureBootUEFI
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes) -match 'Windows UEFI CA 2023'

Get-SecureBootUEFI returns the raw db variable as a byte array, so a subject name cannot be read from its output directly. The second line, the check Microsoft itself documents, converts the bytes to ASCII (certificate subjects are stored as plain text inside the DER data) and returns True when the Windows UEFI CA 2023 is present. Confirm-SecureBootUEFI must return True as well, because the servicing task does not update db while Secure Boot is disabled. Note that the catalog packages titled "Security Update for Secure Boot DBX" are revocation (dbx) updates; the CA addition itself arrives through the monthly cumulative update and its Secure Boot servicing task, not as a separately listed package.
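A fuller version of that check, added here as an example and not part of the original article or of Microsoft's tooling: it decodes the db, dbx and KEK variables into their EFI_SIGNATURE_LIST entries (the layout and the two type GUIDs, EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID, come from the UEFI specification) and reports the status of every certificate this article names. It assumes an elevated session on UEFI firmware and that the CA subject names match Microsoft's published ones. The NotAfter column shows each CA's expiry as stored in your own firmware, so no date has to be taken on trust.

```powershell
# Added example (not from the article or from Microsoft). Decodes Secure Boot variables
# into EFI_SIGNATURE_LIST entries and reports which 2011/2023 CAs are present.
# Assumes: elevated PowerShell 5.1 or later on UEFI firmware.

$EfiCertX509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$EfiCertSha256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function Get-SecureBootEntries {
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)
    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType (16 bytes), SignatureListSize (4),
        # SignatureHeaderSize (4), SignatureSize (4); integers are little-endian.
        $type     = [guid]::new([byte[]]($bytes[$offset..($offset + 15)]))
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16 -or $offset + $listSize -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST in $Name at offset $offset"
        }
        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) followed by a DER certificate or a SHA-256 hash.
            $data  = [byte[]]($bytes[($pos + 16)..($pos + $sigSize - 1)])
            $entry = [ordered]@{ Variable = $Name; Type = 'other'; Subject = ''; NotAfter = $null; Hash = '' }
            if ($type -eq $EfiCertX509) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Type = 'X509'; $entry.Subject = $cert.Subject; $entry.NotAfter = $cert.NotAfter
            } elseif ($type -eq $EfiCertSha256) {
                $entry.Type = 'SHA256'; $entry.Hash = ([BitConverter]::ToString($data) -replace '-')
            }
            [pscustomobject]$entry
            $pos += $sigSize
        }
        $offset = $end
    }
}

function Get-SecureBootCaStatus {
    $db  = @(Get-SecureBootEntries -Name db)
    $dbx = @(Get-SecureBootEntries -Name dbx)
    $kek = @(Get-SecureBootEntries -Name KEK)
    $has = { param($entries, $pattern) [bool]($entries | Where-Object { $_.Subject -match $pattern }) }
    [pscustomobject]@{
        SecureBootEnabled            = Confirm-SecureBootUEFI
        Db_WindowsUefiCa2023         = & $has $db  'CN=Windows UEFI CA 2023'
        Db_MicrosoftUefiCa2023       = & $has $db  'CN=Microsoft UEFI CA 2023'
        Db_WindowsProductionPca2011  = & $has $db  'Windows Production PCA 2011'
        Db_MicrosoftUefiCa2011       = & $has $db  'Microsoft Corporation UEFI CA 2011'
        Dbx_WindowsProductionPca2011 = & $has $dbx 'Windows Production PCA 2011'   # True once the 2011 chain is revoked
        Kek_MicrosoftKek2023         = & $has $kek 'KEK 2K CA 2023'
        Dbx_HashEntries              = @($dbx | Where-Object { $_.Type -eq 'SHA256' }).Count
    }
}

Get-SecureBootCaStatus
Get-SecureBootEntries -Name db | Where-Object { $_.Type -eq 'X509' } | Format-Table Variable, Subject, NotAfter -AutoSize
```

A device is ready for the 2023-signed boot manager when Db_WindowsUefiCa2023 is True; it is ready for the revocation only when, in addition, the boot manager on the EFI System Partition is already 2023-signed. Kek_MicrosoftKek2023 being False means future db and dbx updates signed under the 2023 KEK will be rejected by this firmware until the OEM-signed KEK update is applied. Wrapped in Invoke-Command, the status object is a usable inventory record for the enterprise checklist below.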

Enterprise checklist

For IT administrators, the following steps should be completed well before Q2 2026:

  1. Inventory all Windows endpoints and servers, noting Secure Boot status and firmware version.
  2. Deploy the servicing steps through your management tooling. The signed certificate payloads already ship inside the cumulative updates delivered via WSUS, Configuration Manager (SCCM) or Intune; what you stage is the enablement (the registry-triggered servicing task or the corresponding policy). Test on a representative sample of each hardware model first to catch firmware incompatibilities.
  3. Work with OEMs to distribute UEFI firmware updates that embed the 2023 CAs. Dell Command Update, HP Image Assistant, and Lenovo System Update can automate parts of this.
  4. Back up BitLocker recovery keys to Active Directory or Microsoft Entra ID. Confirm that recovery procedures work before the revocation hits.
  5. Plan for remediation of devices that miss the deadline. Keep bootable media whose boot manager and WinRE are 2023-signed, and be ready to apply Microsoft's signed db update by hand with Set-SecureBootUEFI. db and dbx are authenticated variables, so only payloads signed under the KEK are accepted; an unsigned certificate cannot simply be appended from PowerShell or an EFI shell.
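The revocation phase described earlier and steps 2 and 5 of this checklist come down to the same servicing mechanism. The script below is an added example, not the article's or Microsoft's code, showing how to drive that mechanism one step at a time with the ordering checks a fleet script should enforce. It assumes an elevated session on a patched Windows 10 or 11 device with Secure Boot enabled, BitLocker recovery keys already escrowed, and drive letter S: free. The registry value, bit values and scheduled task name are the ones KB5025885 documents for these steps; confirm them against the current version of that article before deploying, since Microsoft revises it.

```powershell
# Added example (not from the article or from Microsoft). Applies the KB5025885 Secure Boot
# servicing steps one at a time with the ordering checks a fleet script should enforce.
# Assumes: elevated session, patched Windows 10/11, Secure Boot enabled, BitLocker recovery
# keys already escrowed, and drive letter S: free. The registry value, bit values and task
# name below are the ones KB5025885 documents; re-check them against the current article.

$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$TaskName = '\Microsoft\Windows\PI\Secure-Boot-Update'
$Steps = [ordered]@{
    AddCa2023ToDb     = 0x40    # put "Windows UEFI CA 2023" into db
    SwitchBootManager = 0x100   # replace bootmgfw.efi with the 2023-signed build
    RevokePca2011     = 0x80    # put "Windows Production PCA 2011" into dbx (not reversible)
}

function Get-SecureBootVariableText([string]$Name) {
    # Microsoft's documented quick check: certificate subjects are ASCII inside the DER data.
    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Name).Bytes)
}

function Test-BootManagerIs2023Signed {
    if (Test-Path 'S:\') { throw 'Drive letter S: is in use; change the mount letter.' }
    mountvol S: /S | Out-Null
    try { (Get-AuthenticodeSignature 'S:\EFI\Microsoft\Boot\bootmgfw.efi').SignerCertificate.Issuer -match 'Windows UEFI CA 2023' }
    finally { mountvol S: /D | Out-Null }
}

function Invoke-SecureBootServicingStep {
    param(
        [Parameter(Mandatory)][ValidateSet('AddCa2023ToDb', 'SwitchBootManager', 'RevokePca2011')][string]$Step,
        [switch]$AcknowledgeIrreversible
    )
    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is disabled; the servicing task will not write db or dbx.' }
    $db  = Get-SecureBootVariableText -Name db
    $dbx = Get-SecureBootVariableText -Name dbx
    switch ($Step) {
        'AddCa2023ToDb' {
            if ($db -match 'Windows UEFI CA 2023') { Write-Host 'db already contains Windows UEFI CA 2023.'; return }
        }
        'SwitchBootManager' {
            if ($db -notmatch 'Windows UEFI CA 2023') { throw 'db lacks Windows UEFI CA 2023; a 2023-signed boot manager would fail verification.' }
        }
        'RevokePca2011' {
            if ($dbx -match 'Windows Production PCA 2011') { Write-Host 'Windows Production PCA 2011 is already in dbx.'; return }
            if (-not (Test-BootManagerIs2023Signed)) { throw 'Boot manager is still 2011-signed; revoking PCA 2011 now would make this device unbootable.' }
            if (-not $AcknowledgeIrreversible) { throw 'Pass -AcknowledgeIrreversible: after this step the firmware refuses all 2011-signed media (old WinPE/WinRE, installers, backups).' }
        }
    }
    # The task reads AvailableUpdates as a bit mask and clears each bit as it applies the step.
    $current = [int](Get-ItemProperty -Path $RegPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    Set-ItemProperty -Path $RegPath -Name AvailableUpdates -Type DWord -Value ($current -bor [int]$Steps[$Step])
    Start-ScheduledTask -TaskName $TaskName
    Write-Host ("Requested '{0}' (bit 0x{1:X}). Reboot, then check the TPM-WMI events and re-run the db/dbx check." -f $Step, $Steps[$Step])
}

function Get-SecureBootServicingEvents {
    # The servicing task logs under the TPM-WMI source in the System log; adjust the provider
    # name if your event log shows it differently.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI' } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Invoke-SecureBootServicingStep -Step AddCa2023ToDb
Get-SecureBootServicingEvents
```

Run the three steps in order with a reboot and a fresh check after each one. The gate on RevokePca2011 is the important part: once the 2011 PCA sits in dbx, every 2011-signed boot manager, recovery environment and installer is refused by that firmware, so old WinPE sticks and pre-migration image backups must be rebuilt with 2023-signed components before the bit is set.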

Dual‑boot and Linux considerations

One of the trickiest aspects of this transition is its impact on alternative operating systems. Most Linux distributions rely on a small "shim" bootloader signed by the Microsoft Corporation UEFI CA 2011 to mediate Secure Boot; shim then verifies GRUB and the kernel against the distribution's own key. When that certificate is revoked in dbx, older shims will no longer be trusted. Major distributions, including Ubuntu, Fedora and Debian, have begun shipping shims signed by the Microsoft UEFI CA 2023, which only boot on firmware whose db contains that CA. Older installation media, and installed shim binaries that were never updated, will fail. Users who dual-boot should:

  • Update their Linux distribution to the latest release and ensure the shim is current.
  • Verify which CA signed the shim on the EFI System Partition. Custom bootloaders and kernel modules are verified by shim's built-in or MOK-enrolled keys, not by the Microsoft CAs, so they are unaffected by the refresh; the shim itself is what must chain to the 2023 CA.
  • Be prepared to temporarily disable Secure Boot if necessary, though that weakens the system’s security posture.
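The signer check for a dual-boot machine, as an added example that is not part of the original article or of any distribution's tooling: it mounts the EFI System Partition, reads the Authenticode signature of every UEFI application on it, and classifies each by issuing CA, so the Windows boot manager and the Linux shim can be checked in one pass. It assumes an elevated Windows session and a free drive letter (S: by default) for mountvol.

```powershell
# Added example (not from the article or any distribution). Lists the signing CA of every
# UEFI application on the EFI System Partition so the Windows boot manager and any Linux
# shim can be checked against the 2023 CAs. Assumes an elevated session and a free drive
# letter (S: by default) for mountvol /S.

function Get-EspBinarySigners {
    param([string]$DriveLetter = 'S:')
    if (Test-Path "$DriveLetter\") { throw "$DriveLetter is already in use; pass a free letter via -DriveLetter." }
    mountvol $DriveLetter /S | Out-Null          # mount the EFI System Partition
    try {
        Get-ChildItem -Path "$DriveLetter\EFI" -Filter *.efi -Recurse -File | ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '(unsigned)' }
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # $sig.Status is usually NotTrusted for UEFI images because the UEFI CAs do not chain
            # to a root in the Windows certificate store; classify by issuing CA instead.
            $chain = switch -Regex ($issuer) {
                'CN=Windows UEFI CA 2023'              { '2023 Windows'; break }
                'CN=Microsoft UEFI CA 2023'            { '2023 third-party'; break }
                'CN=Microsoft Option ROM UEFI CA 2023' { '2023 option ROM'; break }
                'Windows Production PCA 2011'          { '2011 Windows (expiring)'; break }
                'Microsoft Corporation UEFI CA 2011'   { '2011 third-party (expiring)'; break }
                default                                { 'other/unknown' }
            }
            [pscustomobject]@{
                Path   = $_.FullName.Substring($DriveLetter.Length)
                Chain  = $chain
                Issuer = $issuer
                Signer = $signer
            }
        }
    } finally {
        mountvol $DriveLetter /D | Out-Null      # unmount the ESP again
    }
}

Get-EspBinarySigners | Sort-Object Chain, Path | Format-Table Chain, Path, Signer -AutoSize
```

Expect \EFI\Microsoft\Boot\bootmgfw.efi and any shimx64.efi to show a Microsoft chain, while grubx64.efi, mmx64.efi and the kernel show "other/unknown": they are signed by the distribution's key and verified by shim, not by the firmware, so they do not need to change. Any row still in a "2011" chain is what must be updated before the corresponding CA is revoked.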

The broader security picture

The certificate refresh and the infamous BlackLotus UEFI bootkit are not separate stories. BlackLotus did not break any signature: it loaded an older, validly signed Windows boot manager carrying the CVE-2022-21894 ("Baton Drop") flaw and abused it to run its own code before the operating system. Revoking every vulnerable boot manager by hash would exhaust the dbx storage that firmware provides, so Microsoft's mitigation for CVE-2023-24932 (KB5025885) is the very mechanism described in this article: add the Windows UEFI CA 2023 to db, switch to a boot manager signed by it, and revoke the entire Windows Production PCA 2011 in dbx. The renewal is therefore both routine maintenance and the completion of a security fix, and it gives the keys that sign the boot path a clear lifecycle and a workable revocation story going forward.

Looking past 2026

After the transition completes, the Windows UEFI CA 2023 and its sibling CAs will be the trust anchors for the Windows boot path for years to come, and all future Windows releases will be built on that chain. The 2011 certificates will join the dbx graveyard alongside earlier revocations. The PC ecosystem will have migrated, perhaps for the last time in many years, to a modern cryptographic foundation.

The Secure Boot certificate refresh is a routine but monumental piece of infrastructure maintenance. It’s the digital equivalent of replacing the concrete pillars of a skyscraper while the building remains occupied. With the proper updates already available and more on the way, the path to safety is clearly marked—so long as users and admins take the few simple steps needed to stay on the road.