Your PC's Secure Boot Certificates Expire in June 2026: What Your Business Needs to Do Now

If your business uses Windows computers, there's something you need to know: the security certificates that protect the boot process on your systems are about to expire. It's not a virus or a failure — it's a planned change by Microsoft that affects millions of computers worldwide, and if it's not addressed, your systems will be left exposed.
Here's what's happening, why it matters, and what you can do about it.
What Is Secure Boot and Why Should You Care?
Every time you turn on your computer, before Windows appears on screen, a verification process checks that no one has tampered with your system's boot software. This process is called Secure Boot and it's part of your computer's UEFI firmware.
Secure Boot works like a guard at the door: it checks that every piece of software loaded at startup has a valid digital signature issued by a trusted authority. If something doesn't check out — for example, if malware tried to modify the boot process — Secure Boot blocks it.
This protection is especially important because boot-level attacks (known as "bootkits") are among the most dangerous: they load before your antivirus and can be virtually invisible.
What's Happening with the Certificates?
The certificates Secure Boot uses to verify digital signatures were issued by Microsoft in 2011, when this technology launched with Windows 8. Like any digital certificate, they have an expiration date.
Key dates:
- June 2026: The Microsoft Corporation KEK CA 2011 and Microsoft Corporation UEFI CA 2011 expire.
- October 2026: The Microsoft Windows Production PCA 2011 expires — this signs the Windows boot loader itself.
Microsoft has already prepared replacements: a new family of 2023 certificates that replaces the old ones. However, these new certificates need to be installed on each system before the old ones expire.
What Happens If You Don't Update?
Your computer won't stop booting on June 27, 2026. But it will enter what Microsoft calls a "degraded security state." In practical terms, this means:
- It won't receive boot security updates. Future patches for boot process vulnerabilities won't install.
- It's exposed to bootkit attacks. Threats like BlackLotus, the first bootkit capable of bypassing Secure Boot on fully patched systems, demonstrated how dangerous it is to fall behind on this protection.
- Third-party components may stop working. Drivers for network cards, GPUs, and other components signed with the new certificates may not be recognized.
- BitLocker and other encryption protections may be affected. Mitigations that depend on Secure Boot will stop updating.
The system keeps working, yes — but every day without updated certificates is another day of exposure.
Which Systems Are Affected?
Virtually any Windows computer manufactured since 2012 with Secure Boot enabled. This includes:
- Laptops and desktops with Windows 10 and Windows 11
- Servers running Windows Server
- Virtual machines with Secure Boot enabled
The good news: many systems manufactured since 2024 already ship with the new certificates. The problem lies with older systems that have been running without updates for years — exactly the type of equipment most Mexican SMEs rely on.
How to Check If Your Systems Need Updating
There are several ways to verify:
From PowerShell (as administrator):
Confirm-SecureBootUEFI
If it returns True, Secure Boot is enabled and the system is in scope for the certificate update; the registry check that follows shows whether the update has already been applied.
From the Windows registry:
Look for the UEFICA2023Status value under the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot
If the value is "updated," your system already has the new certificates. If it doesn't exist or says something else, it needs updating.
However, if you have more than 5 systems, the most practical approach is to have a professional check the status of all your computers centrally and apply the necessary updates.
What Needs to Be Done?
The update process involves several steps that must be performed in order:
- Update the firmware (BIOS/UEFI) to the latest version from the manufacturer (Dell, HP, Lenovo, etc.). Some manufacturers already include the new certificates in their firmware updates.
- Allow Windows Update to install the new certificates. Microsoft is distributing the 2023 certificates through Windows Update, but in some cases company policies or system configuration may be blocking this update.
- Verify the certificates installed correctly. After updating, confirm that both the KEK and DB of Secure Boot have the 2023 certificates.
- Do not disable Secure Boot. Microsoft explicitly warns that disabling Secure Boot is not a solution — on the contrary, it removes all boot malware protection.
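The checks from the previous section and the verification step in this list can be combined into one script. This is an added example, not part of the original article or Microsoft's tooling. The two 2023 certificate names it searches for, and the search of subkeys under the article's registry path, are assumptions.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session.
# Assumptions: the 2023 certificate names below, and that UEFICA2023Status may sit
# either in the article's key or in a subkey of it.
$RegRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'   # path from the article
$KekName = 'Microsoft Corporation KEK 2K CA 2023'                # assumed name
$DbName  = 'Windows UEFI CA 2023'                                # assumed name

function Test-SecureBootVarContains {
    param([string]$Variable, [string]$Text)
    # Certificate subject names are stored as readable strings inside the DER data,
    # so a text search over the raw variable bytes is enough to spot them.
    try { $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes }
    catch { return $false }   # variable unreadable: legacy BIOS or not elevated
    [System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Text)
}

function Get-SecureBootCertReadiness {
    # $null means the state could not be read (non-UEFI firmware or no admin rights)
    $enabled = $null
    try { $enabled = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    # Read the status value from the article's key, falling back to its subkeys
    $keys = @(Get-Item $RegRoot -ErrorAction SilentlyContinue) +
            @(Get-ChildItem $RegRoot -Recurse -ErrorAction SilentlyContinue)
    $status = $keys | ForEach-Object { $_.GetValue('UEFICA2023Status') } |
              Where-Object { $_ } | Select-Object -First 1

    $kek = Test-SecureBootVarContains -Variable 'KEK' -Text $KekName
    $db  = Test-SecureBootVarContains -Variable 'db'  -Text $DbName

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        SecureBootEnabled = $enabled
        UEFICA2023Status  = $status
        KekHas2023        = $kek
        DbHas2023         = $db
        # In scope only when Secure Boot is on; done only when every check agrees
        NeedsUpdate       = ($enabled -eq $true) -and
                            -not ($status -eq 'updated' -and $kek -and $db)
    }
}

Get-SecureBootCertReadiness | Format-List
```

To survey several machines, the function can be run through Invoke-Command and the resulting objects exported with Export-Csv.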
What If My Systems Are Very Old?
This is where it gets complicated. Systems older than 8–10 years may not receive firmware updates from the manufacturer. In those cases:
- The system will keep working but without updated boot protection.
- There's no way to install the new certificates if the firmware doesn't support them.
- It may be time to evaluate replacing those systems — not just for the certificates, but for security in general.
How Can SIINCO Help?
At SIINCO, we can review the Secure Boot status of all your company's systems, apply the necessary updates, and ensure your infrastructure is protected before June 2026.
What we do:
- Diagnose the Secure Boot and certificate status across all your systems.
- Update BIOS/UEFI firmware per manufacturer.
- Install and verify the 2023 certificates.
- Deliver a report with each system's status and recommendations.
- Identify systems that can't be updated and replacement options.
If you have a maintenance policy with us, this review is included. If not, we can perform it as a standalone service.
Want to schedule a review of your systems? Contact us and we'll get back to you the same day.
References
- Microsoft. "Secure Boot playbook for certificates expiring in 2026." Windows IT Pro Blog, March 24, 2026.
- Microsoft. "Act now: Secure Boot certificates expire in June 2026." Windows IT Pro Blog, January 14, 2026.
- Microsoft Support. "Windows Secure Boot certificate expiration and CA updates."
- Microsoft Support. "When Secure Boot certificates expire on Windows devices."
- Richard M. Hicks. "Windows Secure Boot UEFI Certificates Expiring June 2026." Richard M. Hicks Consulting, December 4, 2025.
- Dell. "Secure Boot Transition FAQ." Dell Support, March 2026.
- XDA Developers. "Microsoft's Secure Boot certificates expire in June 2026, but older PCs may never get the fix." March 2026.
- Red Hat. "Secure Boot certificate changes in 2026: Guidance for RHEL environments." Red Hat Developer, February 4, 2026.
