Microsoft has begun rolling out replacement Secure Boot certificates to millions of Windows PCs, a firmware-level overhaul that will decide which devices continue receiving critical pre-boot security patches after 2026. The original certificate chain, baked into UEFI firmware when Windows 8 launched in 2012, was designed with finite lives—and its final expiry dates are now firmly on the calendar. For most home users who keep Windows Update running, the switch will happen silently. For IT admins, Linux enthusiasts, and anyone clinging to Windows 10 past its October 2025 support cutoff, the clock is ticking louder.
A Primer on Secure Boot’s Chain of Trust
Secure Boot is a UEFI feature that blocks unsigned or tampered boot code from executing. It works through a hierarchy of cryptographic keys stored in firmware variables: the Platform Key (PK), Key Exchange Key (KEK), the signature database (db) that whitelists authorized bootloaders, and the revoked database (dbx) that blacklists known-malicious binaries. When Microsoft ships a patch for the Windows Boot Manager or other pre-boot components, it signs those files with its own keys. The firmware checks those signatures against the certificates stored in the KEK and db. If the certificate is missing or has expired, the update is rejected.
That’s the core of the problem. The 2011-dated certificates that established this trust for the entire Windows PC ecosystem are reaching the end of their validity. Microsoft cannot sign new boot updates with expired keys, and firmware that lacks the 2023 replacement certificates won’t trust those updates. A device won’t brick overnight, but it will go without fixes for bootkits and other firmware-level threats—a quietly accumulating security debt.
What Expires and When
Microsoft has published a detailed support document listing the affected certificates. The key dates to watch:
- June 2026: Several 2011 KEK and UEFI CA certificates begin expiring.
- October 2026: The Microsoft Windows Production PCA 2011 certificate reaches its expiration.
After these deadlines, any new Secure Boot-related update signed with the 2011 keys cannot be applied to devices that haven’t ingested the 2023 chain. The replacement certificates were issued in 2023 and are being distributed now through two channels: Windows Update for the operating system side, and UEFI firmware updates from OEMs for the hardware side.
Who Is Affected—and What Breaks If They Don’t Act
Home Users on Windows 10 and Windows 11
If you run an up-to-date Windows 10 or 11 machine and let Microsoft manage Windows Update, the new certificates will arrive automatically for most devices. Microsoft’s backend can inject the 2023 db and KEK entries without a full BIOS flash. The process is designed to be transparent. The biggest risk for this group is disabling updates for months or resetting firmware to factory defaults, which can wipe the new keys and leave a system unable to boot an updated boot manager.
Enterprises and IT-Managed Fleets
Organizations that curate their own update pipelines or use WSUS, Configuration Manager, or third-party patching tools must take deliberate action. While Microsoft can deliver the certificates to Windows Update for Business devices, many corporate images rest on validated firmware baselines that may not yet include the 2023 certificates. IT teams need to inventory every device’s Secure Boot variable state, coordinate with OEMs for BIOS/UEFI updates that embed the new keys, and test rollouts carefully. Dell, for example, has already published advisories for its server and client platforms, warning that some older models will not receive firmware updates at all—meaning those devices will never trust post-2026 boot updates.
Windows 10 and the End-of-Life Cliff
Support for Windows 10 version 22H2 ends on October 14, 2025. After that date, only machines enrolled in the Extended Security Updates (ESU) program or running certain LTSC/LTSB editions will receive the new Secure Boot certificates through Microsoft’s official channels. Unsupported Windows 10 PCs—including those that simply didn’t enroll or cannot meet Windows 11’s hardware requirements—will miss the certificate update entirely. They will continue to boot, but they will no longer receive pre-boot security patches, turning them into long-term footholds for bootkit attacks. For businesses that plan to stay on Windows 10, ESU enrollment is not just a matter of monthly security patches; it’s now a prerequisite for maintaining boot integrity after 2026.
Linux Distributions and the Shim Fallout
A parallel but distinct expiry affects the Linux ecosystem. Most distributions use a small first-stage bootloader called shim, which is signed by a Microsoft third-party UEFI CA. That signing key is set to stop being used around September 11, 2025. After that cutoff, new shim binaries signed with the replacement key will not boot on firmware that lacks the 2023 third-party CA certificate. Existing shim images signed before the deadline will generally continue to work thanks to timestamping. But fresh install media, updated kernels, or emergency shim patches issued after September 2025 will fail on older systems. This creates a compatibility trap: a user with a perfectly functional Linux installation might not be able to boot a newly downloaded Ubuntu or Fedora image unless their UEFI firmware has been updated to trust the 2023 third-party CA. Distributors are scrambling to document the fix and to push updated shim packages, but the real bottleneck remains OEM firmware updates.
The Rollout Plan: Microsoft vs. OEMs
Microsoft’s strategy rests on a dual delivery mechanism. Through Windows Update, the operating system can update the db and KEK variables with the 2023 certificates for many machines—particularly those that use Microsoft-managed updates and have a UEFI firmware that permits variable writes from the OS. This is the “automatic” path that will cover the majority of consumer devices.
OEMs, however, are responsible for embedding the certificates directly into firmware images. These updates typically come as BIOS/UEFI flash packages. Lenovo, HP, Dell, Asus, and others have begun releasing firmware updates that include the 2023 keys, but the pace is uneven. Older hardware, low-volume systems, and white-box machines may never receive such updates. In those cases, the only fallback is the Windows Update path—if the device remains on a supported OS version and Microsoft can write to the firmware variables.
An important operational trap: performing a CMOS reset or restoring UEFI defaults will often revert the db and KEK back to the factory state, which likely contains only the 2011 certificates. An otherwise patched machine may suddenly refuse to boot until the 2023 certificates are re-enrolled manually. Microsoft’s documentation outlines a recovery process using a specially prepared USB drive, but the procedure is not trivial and varies by manufacturer.
Strengths of Microsoft’s Approach
The company deserves credit for getting out ahead of the expiry—an event baked into the original design of Secure Boot—with public documentation, step-by-step guidance, and a phased rollout that avoids a single flag day. The use of Windows Update to deliver the certificates de-fangs the problem for the largest user base: consumers who rarely venture into UEFI settings. Microsoft has also separated the new certificates into distinct roles (boot loader vs. option ROM), giving admins finer control over their firmware trust stores, which can improve security posture in environments that need to restrict option ROM execution.
Risks, Unknowns, and Failure Modes
Despite the planning, several cracks remain.
Vendor Update Gaps: Firmware updates are entirely at the OEM’s discretion. Devices from smaller brands or those older than five years are likely to be orphaned. These systems will boot, but they’ll be frozen on whatever boot manager version was current at the time the 2011 certificates expired. Any vulnerability discovered later will remain open indefinitely.
Linux Compatibility Snags: The September 2025 shim signing transition introduces a hard compatibility break. While Microsoft’s own documentation focuses on Windows, the third-party CA update is equally essential for dual-boot setups and pure Linux machines. Community forums already report cases where UEFI firmware refuses to accept new db updates through standard tools like fwupd and vendor utilities, leading to bricked boot sequences or blue screens.
Firmware Reset Achilles’ Heel: A simple step like clearing the CMOS or choosing “Load Optimized Defaults” can silently strip away the 2023 certificates, leaving the system unbootable. IT departments that routinely reset firmware as a troubleshooting step need to update their playbooks immediately and stock recovery media loaded with the necessary certificate files.
Tooling Pitfalls: Utilities that manipulate Secure Boot variables—from PowerShell’s Set-SecureBootUEFI to Linux’s efi-updatevar—can behave unpredictably across platforms. In some reported instances, attempting to append the 2023 certificate has corrupted the variable store, requiring a full firmware reflash or motherboard replacement. Testing on a representative hardware sample isn’t a luxury; it’s a hard requirement.
Practical Steps for Every User Role
Home Users
- Keep Windows Update enabled and do not pause updates for extended periods.
- Avoid resetting UEFI firmware to defaults unless you have a USB recovery key prepared.
- If you’re on Windows 10 and can’t upgrade to Windows 11, evaluate whether enrolling in ESU after October 2025 is feasible; otherwise, accept that your boot security will stagnate after 2026.
IT Administrators
- Inventory: Use configuration management tools or custom scripts to query the current db and KEK contents on all endpoints. Identify which devices already have the 2023 certificates.
- Categorize: Split devices into those that receive Microsoft-managed updates and those that rely on separate firmware packages.
- Prioritize: Begin testing OEM firmware updates that include the 2023 certificates. Focus first on devices that will never get the update through Windows Update.
- Test Recovery: Simulate a firmware reset on each model and verify that the recovery USB procedure works.
- Document: Create clear, vendor-specific instructions for re-enrolling certificates and distribute them to the help desk.
- Plan for Windows 10 ESU: If any fleet devices must remain on Windows 10, enroll them in ESU before the October 2025 deadline to ensure certificate delivery.
Linux Users and Distributors
- Check which CA your distribution’s shipping shim is signed with. If it is signed under the 2023 CA, verify that your firmware trusts not only the “Microsoft Corporation UEFI CA 2011” but also the newer “Microsoft UEFI CA 2023” or “Microsoft Third-Party UEFI CA 2023.”
- Distributors should release updated ISO images and shim packages signed with the new key, along with clear instructions for enrolling the certificate manually via MOK Manager or firmware utilities.
- End users can proactively enroll the 2023 third-party CA using a tool like mokutil if their firmware supports it, or wait for a vendor BIOS update.
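The inventory step under IT Administrators and the firmware-trust check above, as an added example (not Microsoft’s, an OEM’s, or any distribution’s tooling): a PowerShell script that walks the EFI_SIGNATURE_LIST structures in the KEK and db variables, lists every enrolled X.509 certificate with its expiry date, and flags whether a 2023 CA is present by matching “2023” in the certificate subject (a heuristic that covers the Microsoft 2023 CA names quoted on this page). It assumes an elevated prompt; on Windows it reads the variables with Get-SecureBootUEFI, and on Linux (PowerShell 7) it reads them from efivarfs using the standard UEFI vendor GUIDs.

```powershell
# Added example (not Microsoft's tooling): list the X.509 certificates enrolled in the
# KEK and db Secure Boot variables and flag whether a 2023 CA is present.
# Assumes an elevated prompt; on Linux (PowerShell 7) it reads efivarfs instead.
function Get-EfiSignatureCerts {
    param([byte[]]$Bytes)
    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $certs = @(); $pos = 0
    # The variable is a sequence of EFI_SIGNATURE_LIST structures:
    # SignatureType GUID(16) | ListSize(4) | HeaderSize(4) | SignatureSize(4) | header | entries
    while ($pos + 28 -le $Bytes.Length) {
        $type     = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $pos + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $pos + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $pos + 24)
        if ($listSize -lt 28 -or $sigSize -le 16 -or $pos + $listSize -gt $Bytes.Length) { break }  # malformed
        if ($type -eq $x509Guid) {
            $sigPos = $pos + 28 + $hdrSize
            while ($sigPos + $sigSize -le $pos + $listSize) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the DER certificate
                $der = [byte[]]$Bytes[($sigPos + 16)..($sigPos + $sigSize - 1)]
                $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $sigPos += $sigSize
            }
        }
        $pos += $listSize
    }
    return ,$certs
}
function Get-SecureBootVariableBytes {
    param([string]$Name)
    if ($PSVersionTable.PSEdition -eq 'Desktop' -or $IsWindows) {
        return (Get-SecureBootUEFI -Name $Name).Bytes
    }
    # Linux: standard UEFI vendor GUIDs; efivarfs prefixes the data with 4 attribute bytes
    $guid = if ($Name -eq 'KEK') { '8be4df61-93ca-11d2-aa0d-00e098032b8c' } else { 'd719b2cb-3d3a-4596-a3bc-dad00e67656f' }
    $raw = [IO.File]::ReadAllBytes("/sys/firmware/efi/efivars/$Name-$guid")
    return [byte[]]$raw[4..($raw.Length - 1)]
}
foreach ($var in 'KEK', 'db') {
    $certs = Get-EfiSignatureCerts -Bytes (Get-SecureBootVariableBytes -Name $var)
    Write-Output "$var holds $($certs.Count) X.509 certificate(s):"
    foreach ($c in $certs) { Write-Output ("  {0}  expires {1:yyyy-MM-dd}" -f $c.Subject, $c.NotAfter) }
    $has2023 = @($certs | Where-Object { $_.Subject -like '*2023*' }).Count -gt 0
    Write-Output $(if ($has2023) { '  -> 2023 CA present' } else { '  -> no 2023 CA; still relying on the 2011 chain' })
}
```

Run it across a fleet through your configuration-management tool and keep the output per model: a device that reports only 2011-era subjects in both KEK and db is one that must get the 2023 chain from Windows Update or an OEM firmware package before the 2026 deadlines.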
Timeline: What to Expect Between Now and October 2026
- Mid-2025 through early 2026: Microsoft expands the Windows Update push of the 2023 certificates and works with OEMs to certify firmware updates.
- September 11, 2025: The Linux shim signing key cutover. Distributions begin shipping images signed with the new third-party CA; firmware without the 2023 CA will reject them.
- June 2026: The first batch of 2011 KEK certificates expires. Devices still using only 2011 keys will stop accepting new boot-component updates from Microsoft.
- October 2026: The Windows Production PCA 2011 certificate expires, marking the definitive end of the old chain.
The Bottom Line
This isn’t a panic-inducing, drop-everything crisis—it’s a methodical, infrastructure-level migration that the industry has known about for over a decade. For the vast majority of Windows users who let Microsoft manage their updates, the shift will be invisible. The danger lies at the edges: in unmanaged fleets, unsupported operating systems, aging hardware that OEMs have abandoned, and the intertwined Linux shim ecosystem. The machines most at risk will not suddenly crash; they will simply become frozen-in-amber targets for bootkits that exploit the next BlackLotus-style vulnerability. By inventorying, testing, and acting on firmware updates now, both home users and enterprises can ensure that secure boot remains actually secure well beyond 2026.