1 hour ago
Quote: Microsoft’s long-planned Secure Boot certificate rollover has reached a critical milestone, impacting more than just routine updates.
The Microsoft Corporation KEK CA 2011 expired on June 24, 2026, the Microsoft UEFI CA 2011 expires on June 27, 2026, and the Microsoft Windows Production PCA 2011 is scheduled to expire on October 19, 2026. This requires organizations to transition firmware trust from the 2011 certificate chain to the 2023 replacements.
This transition is important because Secure Boot is part of the pre-OS trust path, where UEFI firmware validates boot components before loading Windows or Linux. Therefore, certificate expiry becomes a firmware security issue rather than merely an endpoint patching task.
Windows Secure Boot Certificate Expiry Exposes PCs
At the core of the issue is Secure Boot’s layered trust hierarchy. UEFI firmware relies on the Platform Key to authorize the Key Enrollment Key (KEK), which is used to sign updates to the allowed signature database (DB) and the revocation database (DBX), as reported by CSN.
During startup, the firmware checks whether bootloaders and EFI components are trusted in the DB and not blocked in the DBX before allowing execution. Microsoft has stated that devices that miss the 2023 certificate transition will still boot and run existing software.
However, they will lose access to future Windows Boot Manager protections, updates to Secure Boot DB and DBX, and new mitigations against boot-level threats.
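The quoted article describes the trust chain (PK authorizes KEK, KEK authorizes DB/DBX updates, firmware checks DB and DBX at boot) but gives no way to see where a given machine stands. The PowerShell below is an added example, not code from the article or from CSN: it reads the four Secure Boot variables, walks each EFI_SIGNATURE_LIST, and lists every X.509 certificate with its expiry so you can tell whether the 2011 CAs are still the only trust anchors or whether the 2023 replacements (Microsoft Corporation KEK 2K CA 2023, Windows UEFI CA 2023, Microsoft UEFI CA 2023) have been enrolled. It assumes an elevated session on a UEFI machine with Secure Boot on; the structure offsets follow the UEFI specification, and the 2023 subject strings are the names Microsoft publishes for the replacement CAs.

```powershell
# Added example (not from the quoted article): inspect the Secure Boot trust
# chain on this machine in the order the article describes: PK -> KEK -> db -> dbx.
# Run elevated on a UEFI machine. Get-SecureBootUEFI returns the raw variable bytes.

$EfiCertX509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$EfiCertSha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function Get-EfiSignatureLists {
    # Walk a concatenation of EFI_SIGNATURE_LIST structures:
    #   GUID SignatureType(16) | UINT32 SignatureListSize | UINT32 SignatureHeaderSize
    #   | UINT32 SignatureSize | header | N x (GUID SignatureOwner(16) + SignatureData)
    param([byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $typeGuid   = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Stop on a truncated or corrupt list instead of reading past the buffer.
        if ($listSize -lt 28 -or $sigSize -le 16 -or $offset + $listSize -gt $Bytes.Length) { break }
        $listEnd   = $offset + $listSize
        $sigOffset = $offset + 28 + $headerSize
        while ($sigOffset + $sigSize -le $listEnd) {
            [pscustomobject]@{
                Type  = $typeGuid
                Owner = [guid]::new([byte[]]$Bytes[$sigOffset..($sigOffset + 15)])
                Data  = [byte[]]$Bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]
            }
            $sigOffset += $sigSize
        }
        $offset = $listEnd
    }
}

function Get-SecureBootCertificates {
    # One row per X.509 certificate found in PK, KEK, db and dbx.
    param([string[]]$Variables = @('PK', 'KEK', 'db', 'dbx'))
    foreach ($name in $Variables) {
        $var = Get-SecureBootUEFI -Name $name -ErrorAction Stop
        foreach ($sig in (Get-EfiSignatureLists -Bytes $var.Bytes)) {
            if ($sig.Type -ne $EfiCertX509Guid) { continue }   # dbx is mostly SHA-256 hashes
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($sig.Data)
            [pscustomobject]@{
                Variable   = $name
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt (Get-Date))
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not enabled on this machine.' }

$certs = Get-SecureBootCertificates
$certs | Sort-Object Variable, NotAfter | Format-Table Variable, Subject, NotAfter, Expired -AutoSize

# The article's point in one line each: has the 2023 trust been enrolled at each layer?
$kek2023 = $certs | Where-Object { $_.Variable -eq 'KEK' -and $_.Subject -match 'KEK 2K CA 2023' }
$db2023  = $certs | Where-Object { $_.Variable -eq 'db'  -and $_.Subject -match 'UEFI CA 2023' }
"KEK has 2023 CA : {0}" -f [bool]$kek2023
"db  has 2023 CA : {0}" -f [bool]$db2023
if (-not $kek2023) {
    'Without the 2023 KEK the firmware cannot accept Microsoft-signed db/dbx updates once the 2011 KEK CA is gone.'
}
```

Two caveats when reading the output. A 2011 certificate showing Expired = True does not stop the machine booting, which matches the article's statement that such devices keep running existing software; what it means is that no new db or dbx content can be accepted under that chain. And presence of the 2023 KEK depends on the OEM, because a KEK update must be signed by the Platform Key the OEM holds, so a machine can have the 2023 db entries but still be stuck on the 2011 KEK if the vendor never shipped a PK-signed KEK update.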