Tuesday, March 10, 2026

Microsoft's Secure Boot Reckoning: What the 2026 Certificate Expiration Means for Every Windows PC

Security & Enterprise  |  Analysis & News  |  Security Alert

Windows 11 gets Secure Boot Allowed Key Exchange Key (KEK) update on more PCs, requires a reboot to install

A 15-year-old trust anchor is expiring this June, and Windows is racing to push replacement certificates to millions of devices before the clock runs out—leaving Windows 10 users, older PCs, and unmanaged endpoints exposed if the rollout stalls.

▶ Bottom Line Up Front

Microsoft's original Secure Boot certificates—issued in 2011 and embedded in the firmware of virtually every Windows PC sold over the past 14 years—begin expiring in June 2026. Your computer will not stop booting, but it will lose the ability to receive new security protections for the pre-OS boot environment, including mitigations for active threats like the BlackLotus UEFI bootkit (CVE-2023-24932). Microsoft is pushing replacement 2023 certificates via Windows Update in a phased rollout that accelerated with the March 2026 Patch Tuesday cycle. Most Windows 11 users on supported hardware who allow Microsoft-managed updates need to do nothing. The at-risk groups are large and real: Windows 10 users who did not enroll in Extended Security Updates (ESU) before the October 2025 end-of-support date, owners of older PCs whose OEMs are not providing firmware updates, and enterprise environments managing IT-controlled or air-gapped systems. Action is required now, not in June.

If you opened Windows Update recently and found a pending item labeled "Secure Boot Allowed Key Exchange Key (KEK) Update," you have just received a front-row seat to one of the most consequential under-the-hood security overhauls in Windows history. The update is small—it downloads in under two minutes and installs with a single reboot—but it represents the tip of an enormous iceberg: the scheduled retirement of the cryptographic trust anchors that have protected the Windows boot process since the era of Windows 8.

The certificates in question are not obscure. They are baked into the UEFI firmware of nearly every PC manufactured between 2012 and 2023. Three of them are on the clock: the Microsoft Corporation KEK CA 2011 and the Microsoft UEFI CA 2011, both expiring in June 2026, followed by the Microsoft Windows Production PCA 2011—which signs Windows' own bootloader—expiring in October 2026.

What Secure Boot Actually Does, and Why Certificates Matter

Secure Boot is a feature of UEFI firmware that validates every piece of software that runs during system startup. Before the Windows kernel ever loads, your PC's firmware checks digital signatures on the bootloader, boot manager, and key drivers against a database of trusted certificate authorities (CAs), the Secure Boot DB, held in the firmware's non-volatile variable store on the motherboard. Trusted signatures run; untrusted signatures are blocked. It is the closest thing a modern PC has to a cryptographic gatekeeper standing at the door before the operating system is even conscious.

Like a website's TLS certificate, Secure Boot certificates carry expiration dates by design. Periodic renewal is a standard cryptographic hygiene practice—a way to ensure that aging algorithms and key material do not become a liability. The 2011 certificates have served their purpose across more than a decade of continuous operation, but their time is now ending on a hard deadline that does not care about deployment complexity.

When these CAs expire, firmware can no longer use them to validate new updates. Devices that have not received replacement certificates will enter what Microsoft officially describes as a "degraded security state." They will still boot. Standard Windows cumulative updates will still install. But they will be unable to receive new security protections for the early boot process—including updates to the Secure Boot revocation databases, new Boot Manager versions, or mitigations for newly discovered bootkit vulnerabilities.

"After more than 15 years of continuous service, the original Secure Boot certificates are reaching the end of their planned lifecycle and begin expiring in late June 2026. This represents one of the largest coordinated security maintenance efforts across the Windows ecosystem."
— Nuno Costa, Windows Servicing and Delivery Partner Director, Microsoft (February 2026)

The BlackLotus Connection: Why This Is Not Just a Compliance Checkbox

To understand why this update matters beyond abstract certificate hygiene, you need to understand BlackLotus. Discovered in early 2023 by ESET researchers and confirmed in the wild, BlackLotus was the first UEFI bootkit publicly shown to bypass Secure Boot on fully updated Windows 11 systems. It exploited CVE-2022-21894 (nicknamed "Baton Drop"), a vulnerability patched by Microsoft in January 2022—but whose affected signed binaries were never added to the UEFI revocation list, leaving a window for exploitation long after the patch shipped.

Once installed, BlackLotus achieved persistence at the firmware level and could disable BitLocker, Hypervisor-Protected Code Integrity (HVCI), and Microsoft Defender Antivirus—all before Windows loaded. A follow-on vulnerability, CVE-2023-24932, was disclosed in May 2023 as part of Microsoft's remediation effort. The U.S. National Security Agency issued its own BlackLotus Mitigation Guide (U/OO/167397-23, June 2023), explicitly calling on DoD network administrators to take action, and the Cybersecurity and Infrastructure Security Agency (CISA) issued parallel advisories.

Microsoft has stated directly that the new 2023 Secure Boot certificates are the definitive security measure to address the class of vulnerability that BlackLotus exploited. Without the certificate update and associated revocations now being pushed via Windows Update, a device has no mechanism to block downgrade attacks that replace a modern, patched boot manager with an older, vulnerable one that Secure Boot still trusts. Every day after June 2026 without updated certificates is a day with a narrowing ability to close those gaps.

⚠ Security Context: Active Exploitation

BlackLotus (CVE-2022-21894 / CVE-2023-24932) is a real-world, commercially available UEFI bootkit sold on criminal forums. It requires either administrator privileges or physical access—it is not a drive-by exploit—but once deployed it can survive OS reinstallation and is invisible to traditional antivirus tools. The Secure Boot certificate update and accompanying revocations are the primary mechanism to block downgrade attacks that enable it.

What the 2023 Certificates Change—and Why the Restructuring Matters

The replacement is not a simple one-for-one swap. Microsoft has taken the opportunity to restructure the certificate architecture itself, separating responsibilities that were previously bundled under a single CA. The original Microsoft Corporation UEFI CA 2011 signed everything: third-party bootloaders, option ROMs for graphics and network cards, and various firmware components. The new structure divides this into three distinct certificates:

The Microsoft Corporation KEK 2K CA 2023 replaces the Key Exchange Key, which authorizes updates to the DB (allowed signatures) and DBX (revocation list). The Windows UEFI CA 2023 handles Windows boot loader components specifically. A separate Microsoft Option ROM UEFI CA 2023 handles third-party option ROMs and add-in card firmware. This separation allows for finer-grained trust control—a system that does not need to trust option ROMs can add the Windows CA without broadening trust to all third-party hardware firmware.

The restructuring has practical implications for dual-boot systems and Linux users. Linux distributions that rely on Microsoft-signed shim binaries may need updated shims rebuilt for the new CA. Microsoft has noted that Windows will update certificates that dual-boot Linux systems rely on, but the timing and compatibility of specific Linux distribution shims are the responsibility of those projects.

The Rollout: Who Gets What, When

Microsoft is using a Controlled Feature Rollout (CFR) approach, the same phased delivery mechanism used for major Windows feature updates. Devices on Microsoft-managed updates that meet readiness criteria—including having the correct OEM firmware in place and returning diagnostic telemetry—receive the update as part of monthly cumulative updates. The March 2026 Patch Tuesday cycle notably expanded the rollout to more devices.

For IT-managed environments, enterprises can accelerate the process using Group Policy (navigating to Computer Configuration > Administrative Templates > Windows Components > Secure Boot and enabling the "Secure Boot certificate deployment" policy), registry keys (setting the AvailableUpdates DWORD to 0x5944), Microsoft Intune, or the new Windows Configuration System (WinCS) command-line tools available on Windows 11 versions 23H2, 24H2, and 25H2.

A critical prerequisite that administrators must not overlook: OEM firmware updates must be applied before the Windows certificate update lands. The firmware layer is the foundation. Without it, certificate update attempts on some devices can fail or, in edge cases, cause boot problems. Microsoft has been coordinating closely with major OEMs including Dell, HP, and Lenovo, and all three have published platform-specific guidance and firmware updates for supported hardware lines.
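For a single managed device, the registry route described above can be wrapped in a script that encodes the firmware-first rule and refuses to proceed unless the prerequisites it can check are satisfied. The following PowerShell is an added example written for this page, not Microsoft's, the article's, or any OEM's tooling. The registry path HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot for the AvailableUpdates value and the scheduled task \Microsoft\Windows\PI\Secure-Boot-Update that picks the value up are assumptions to confirm against Microsoft's KB5025885 guidance (reference 10) before any fleet use; the 0x5944 value and the Event ID 1808 check are the ones the article itself cites.

```powershell
# Added example (not Microsoft's, the article's, or any OEM's code). Initiates the
# 2023 certificate update on one device through the AvailableUpdates registry value
# (0x5944) the article cites. The registry path and the scheduled task name are
# assumptions to confirm against Microsoft's KB5025885 guidance. Run as Administrator.

function Start-SecureBootCertUpdate {
    param(
        # The article's hard prerequisite: OEM firmware first. The script cannot
        # verify firmware readiness generically, so the operator must assert it.
        [switch] $FirmwareUpdated,
        [switch] $WhatIfOnly
    )

    if (-not $FirmwareUpdated) {
        throw 'Apply the OEM firmware update first, then rerun with -FirmwareUpdated.'
    }

    # Secure Boot must be enabled; Confirm-SecureBootUEFI also throws on legacy BIOS systems.
    try {
        if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is disabled.' }
    }
    catch { throw "Secure Boot is not usable on this device: $_" }

    # Record the firmware version in the output so the run is auditable later.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    Write-Host ("Firmware: {0} {1}" -f $bios.Manufacturer, $bios.SMBIOSBIOSVersion)

    # Idempotency: skip devices whose DB already carries the Windows UEFI CA 2023.
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    if ($db -match 'Windows UEFI CA 2023') {
        Write-Host 'Windows UEFI CA 2023 already present; nothing to do.'
        return $false
    }

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'   # assumed path
    if ($WhatIfOnly) {
        Write-Host "Would set $key\AvailableUpdates = 0x5944 and start the servicing task."
        return $true
    }

    Set-ItemProperty -Path $key -Name 'AvailableUpdates' -Value 0x5944 -Type DWord
    # Assumed task name: the servicing task applies the staged update, after which
    # the article's "single reboot" completes the process.
    Start-ScheduledTask -TaskName '\Microsoft\Windows\PI\Secure-Boot-Update'
    Write-Host 'Update staged. Reboot, then check the System log for Event ID 1808.'
    return $true
}

# Dry run first; when satisfied, run: Start-SecureBootCertUpdate -FirmwareUpdated
Start-SecureBootCertUpdate -FirmwareUpdated -WhatIfOnly
```

The -FirmwareUpdated switch exists only to make the operator state explicitly that the OEM firmware step has been done; the script has no way to detect that on its own, which is exactly why the article calls it the prerequisite administrators must not overlook.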

Windows Server is a distinct case. Unlike Windows PCs, Server instances do not receive the 2023 certificates through the automatic CFR pathway. IT administrators managing Windows Server 2022, 2019, 2016, and 2012/R2 must manually initiate the update. Windows Server 2025, certified server platforms, and most hardware built in 2024 and 2025 already include the 2023 certificates in firmware. Microsoft hosted Secure Boot Ask Microsoft Anything (AMA) sessions in December 2025 and February 2026 for enterprise administrators, with another session on March 12, 2026.

"HP is working closely with Microsoft to ensure firmware updates are available so that all supported HP PCs running Windows 11 can adopt the new Secure Boot certificates before legacy certificates expire."
— HP Statement, Microsoft Windows Experience Blog, February 2026

The High-Risk Groups: Who Is Most Exposed

User Group                                            | Risk Level | Primary Issue                                                      | Recommended Action
------------------------------------------------------|------------|--------------------------------------------------------------------|--------------------------------------------------------------------
Windows 11 (managed updates, modern hardware)         | Low        | None expected; update arrives automatically                        | Verify via PowerShell (see below)
Windows 10 with ESU enrollment                        | Low–Med    | Certificates delivered via Windows Update through Oct 2026         | Confirm ESU enrollment; apply OEM firmware updates
Windows 10 without ESU (end-of-support Oct 2025)      | High       | No Windows Update = no automatic certificate delivery              | Enroll in ESU or upgrade to Windows 11; manual cert deployment possible
Older PCs (pre-2024) with no OEM firmware update      | High       | OEM may not provide BIOS/UEFI update; certificate update may fail  | Check OEM support page; if no update available, assess hardware replacement
Enterprise / IT-managed systems                       | Medium     | Not all devices on automatic rollout; servers require manual action | Deploy via Group Policy / Intune; manually update Windows Server
Air-gapped / offline systems                          | High       | Microsoft cannot manage these remotely                             | Manual certificate deployment required; follow Microsoft's offline guidance
Linux / dual-boot systems                             | Medium     | Shim binaries may require distribution-level updates               | Check distribution guidance; test in non-production before June 2026
Virtual machines (Hyper-V, cloud)                     | Medium     | Both host and guest VMs may need separate certificate updates      | Update both layers; consult Azure 2603 release guidance for cloud VMs

The Windows 10 Problem Is Large and Real

Microsoft's Windows 10 mainstream support ended on October 14, 2025. Devices running Windows 10 without Extended Security Update (ESU) enrollment receive no further Windows Updates of any kind—which means they receive no automatic Secure Boot certificate delivery. The problem is structural: Windows 10 powered an estimated majority of the Windows installed base at end-of-life, and many of those machines cannot run Windows 11 due to the TPM 2.0 hardware requirement.

A commercial ESU license for Windows 10 version 22H2 costs $30 per device and covers security updates through October 13, 2026. Consumer ESU is also available for free to Microsoft account holders via Windows Backup enrollment, or through redemption of Microsoft Rewards points. European Economic Area customers qualify for free consumer ESU automatically. For devices that can run Windows 11, upgrading is the cleanest path. For devices that cannot—a population running into the tens of millions globally—the combination of expired OS support and expiring Secure Boot certificates represents a compounding security liability.

There is an additional problem that no Microsoft update can fully solve: hardware abandonment. Major OEMs including HP, Dell, and Lenovo have committed to providing firmware updates for currently supported hardware lines, but enterprise IT managers have already reported cases where OEMs are refusing to provide BIOS updates for devices outside their support lifecycle—even hardware that is otherwise fully functional. Without an OEM firmware update that prepares the UEFI environment, Windows cannot safely apply the new certificates. As one IT manager noted in the Microsoft Tech Community forums: "Many OEMs are not covering BIOS updates for devices fully compatible with Windows 11 older than five to six years old for this change."

How to Verify Your Status Right Now

You do not need to wait for an update notification to check whether your PC has already received the new certificates. Microsoft provides two verification methods.

🔑 Verification Method 1 — PowerShell (Quick Check)

Open PowerShell as Administrator and run:

([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

A result of True confirms the Windows UEFI CA 2023 certificate is present in the Secure Boot DB. A result of False means it has not yet been applied to your system.

Note: Presence of the certificate in the DB does not necessarily mean the full rollout is complete. The KEK and boot manager must also be updated.

📄 Verification Method 2 — Event Viewer (Full Confirmation)

Open Event Viewer and navigate to Windows Logs > System. Use "Filter Current Log" and select source TPM-WMI (or Microsoft-Windows-TPM-WMI). Look for:

Event ID 1808 — "This device has updated Secure Boot CA/keys." This confirms that all needed certificates have been applied to firmware and the boot manager has been updated.

Event ID 1043 — "Secure Boot KEK update applied successfully." Confirms the KEK specifically.

Event ID 1801 — Indicates that some or all updated certificates and the 2023-signed boot manager have not yet been applied.
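The two verification methods above, together with the UEFICA2023Status registry value the IT-administrator section of this article mentions, can be combined into a single status report that answers the question the note under Method 1 raises: whether the DB, the KEK, and the boot manager have all been updated. The following PowerShell is an added example written for this page, not Microsoft's tooling or code from any cited source. It uses only the Get-SecureBootUEFI, Confirm-SecureBootUEFI, Get-WinEvent and Get-ItemProperty cmdlets; the registry path HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing where it reads UEFICA2023Status is an assumption to confirm against Microsoft's guidance for IT professionals (reference 3), and the event provider name Microsoft-Windows-TPM-WMI and Event IDs 1808, 1043 and 1801 are those the article names.

```powershell
# Added example (not from the article, Microsoft, or the cited sources): combines
# the PowerShell DB check, a matching KEK check, the Event Viewer IDs 1808/1043/1801,
# and the UEFICA2023Status registry value into one report. Run as Administrator.

function Test-SecureBootVariableContains {
    param(
        [Parameter(Mandatory)] [ValidateSet('db', 'kek', 'dbx')] [string] $Name,
        [Parameter(Mandatory)] [string] $Pattern
    )
    try {
        # Get-SecureBootUEFI returns the raw UEFI variable; certificate subject
        # names sit as ASCII inside the DER blobs, so a substring match suffices.
        $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
        return ([System.Text.Encoding]::ASCII.GetString($bytes) -match $Pattern)
    }
    catch {
        # Legacy BIOS machines or non-elevated sessions throw here; treat as "not present".
        return $false
    }
}

function Get-SecureBootCertStatus {
    $secureBootOn = $false
    try { $secureBootOn = Confirm-SecureBootUEFI } catch { }

    # Assumed path for the servicing status value the article's IT section cites;
    # confirm against Microsoft's guidance before relying on it fleet-wide.
    $servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $regStatus = (Get-ItemProperty -Path $servicingKey -Name 'UEFICA2023Status' -ErrorAction SilentlyContinue).UEFICA2023Status

    # Event IDs from the article: 1808 = all CA/keys updated, 1043 = KEK applied,
    # 1801 = updated certificates or 2023-signed boot manager not yet applied.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-TPM-WMI'
            Id           = 1808, 1043, 1801
        } -MaxEvents 100 -ErrorAction SilentlyContinue)

    $dbOk     = Test-SecureBootVariableContains -Name db  -Pattern 'Windows UEFI CA 2023'
    $kekOk    = Test-SecureBootVariableContains -Name kek -Pattern 'Microsoft Corporation KEK 2K CA 2023'
    $seen1808 = [bool]($events | Where-Object Id -eq 1808)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SecureBootEnabled  = $secureBootOn
        DbHasWindowsCA2023 = $dbOk
        KekHasKEK2KCA2023  = $kekOk
        UEFICA2023Status   = $regStatus
        Event1808Seen      = $seen1808
        Event1043Seen      = [bool]($events | Where-Object Id -eq 1043)
        Event1801Seen      = [bool]($events | Where-Object Id -eq 1801)
        # The article's "full confirmation" condition: certificates present in
        # firmware AND the boot manager updated, which is what Event 1808 attests.
        RolloutComplete    = ($dbOk -and $kekOk -and $seen1808)
    }
}

Get-SecureBootCertStatus | Format-List
```

For a fleet audit, the function can be run through Invoke-Command against a list of hosts and the resulting objects exported to CSV; RolloutComplete is deliberately false unless all three signals agree, so a device whose DB already holds the 2023 CA but has not yet logged Event 1808 still shows up as unfinished, matching the caveat under Method 1.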

What Happens After June 2026 if You Miss the Update

Microsoft has been clear and consistent on one point: missing this deadline does not brick your machine. It will still boot. Standard monthly Windows security updates will still install. But the inability to update boot-level protections becomes a compounding problem over time. Newly discovered bootkit vulnerabilities will have no available mitigation path. New signed software using only the 2023 certificates will be untrusted by firmware that still only carries the 2011 certificates—potentially affecting third-party bootloaders and option ROMs as vendors begin signing exclusively with the new CA. And the revocation mechanisms that allow Microsoft to block compromised binary signatures from running during boot will cease to function.

Security researchers and Microsoft alike describe this as entering an increasingly degraded security posture, not an immediate catastrophe. But the analogy to an unpatched system is apt: every day without the fix is a day the attack surface is larger than it needs to be, against adversaries who are aware of the gap.

The Bottom Line for PC Magazine Readers

For most home Windows 11 users who allow Microsoft to manage their updates: this is already being handled on your behalf. Install the "Secure Boot Allowed Key Exchange Key (KEK) Update" when it appears in Windows Update—or verify it has already been applied using the PowerShell command above. A single reboot is all that is required; no BIOS changes, no visible performance impact.

For Windows 10 users: check your ESU enrollment status today. The $30 per-device commercial option or free consumer ESU through your Microsoft account is worth every cent to maintain both OS security patches and Secure Boot certificate delivery through October 2026. After that, hardware replacement or Windows 11 upgrade is the only supported path.

For IT administrators: do not assume Windows Update alone is moving fast enough in your environment. Audit your fleet's Secure Boot status using the registry key UEFICA2023Status, apply OEM firmware updates before the Windows certificate update arrives, manually address all Windows Server instances, and treat June 27, 2026 as a hard deadline, not a suggestion. Microsoft is hosting a dedicated Secure Boot Technical Takeoff session for IT professionals—attendance is worthwhile if you are managing a significant device fleet.

The certificate expiration is not the new Y2K—there is no midnight cliff where machines stop working. But it is a genuine, deadline-driven security maintenance event with real consequences for devices left behind. The rollout infrastructure is in place. The tools exist. The window to act before the deadline is open right now.

Verified Sources & Formal Citations

  1. Microsoft Support. Windows Secure Boot certificate expiration and CA updates. Microsoft Corporation, 2026. https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e
  2. Microsoft Support. When Secure Boot certificates expire on Windows devices. Microsoft Corporation, 2026. https://support.microsoft.com/en-us/topic/when-secure-boot-certificates-expire-on-windows-devices-c83b6afd-a2b6-43c6-938e-57046c80c1c2
  3. Microsoft Support. Secure Boot Certificate updates: Guidance for IT professionals and organizations. Microsoft Corporation, 2026. https://support.microsoft.com/en-us/topic/secure-boot-certificate-updates-guidance-for-it-professionals-and-organizations-e2b43f9f-b424-42df-bc6a-8476db65ab2f
  4. Costa, Nuno. Act now: Secure Boot certificates expire in June 2026. Windows IT Pro Blog, Microsoft Tech Community, January 14, 2026. https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856
  5. Microsoft Tech Community. Secure Boot playbook for certificates expiring in 2026. Windows IT Pro Blog, March 2026. https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235
  6. Microsoft Windows Experience Blog. Refreshing the root of trust: industry collaboration on Secure Boot certificate updates. February 10, 2026. https://blogs.windows.com/windowsexperience/2026/02/10/refreshing-the-root-of-trust-industry-collaboration-on-secure-boot-certificate-updates/
  7. Microsoft Windows Server Blog. Prepare your servers for Secure Boot certificate updates. February 23, 2026. https://www.microsoft.com/en-us/windows-server/blog/2026/02/23/prepare-your-servers-for-secure-boot-certificate-updates/
  8. Microsoft Tech Community. Windows Server Secure Boot playbook for certificates expiring in 2026. February 2026. https://techcommunity.microsoft.com/blog/windowsservernewsandbestpractices/windows-server-secure-boot-playbook-for-certificates-expiring-in-2026/4495789
  9. Microsoft Windows IT Pro Blog. Revoking vulnerable Windows boot managers. October 7, 2024. https://techcommunity.microsoft.com/blog/windows-itpro-blog/revoking-vulnerable-windows-boot-managers/4121735
  10. Microsoft Support. How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 (KB5025885). Microsoft Corporation. https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d
  11. Microsoft Security Blog. Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign. April 11, 2023. https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
  12. Microsoft Support. Enterprise Deployment Guidance for CVE-2023-24932. Microsoft Corporation. https://support.microsoft.com/en-us/topic/enterprise-deployment-guidance-for-cve-2023-24932-88b8f034-20b7-4a45-80cb-c6049b0f9967
  13. Smolár, Martin. BlackLotus UEFI Bootkit: Myth Confirmed. ESET WeLiveSecurity, March 1, 2023. https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
  14. Huntress. CVE-2023-24932 (Secure Boot Bypass) Vulnerability: Analysis, Impact, Mitigation. Huntress Threat Library, 2024. https://www.huntress.com/threat-library/vulnerabilities/cve-2023-24932
  15. Binarly Research. The Untold Story of the BlackLotus UEFI Bootkit. Binarly, 2023. https://www.binarly.io/blog/the-untold-story-of-the-blacklotus-uefi-bootkit
  16. The Hacker News. BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11. June 2023. https://thehackernews.com/2023/03/blacklotus-becomes-first-uefi-bootkit.html
  17. National Security Agency. BlackLotus Mitigation Guide (U/OO/167397-23, PP-23-1628). NSA Cybersecurity, June 2023. https://media.defense.gov/2023/Jun/22/2003245723/-1/-1/1/CSI_BlackLotus_Mitigation_Guide.PDF
  18. Fitzpatrick, Andrew. Microsoft's Secure Boot certificates expire in June 2026, but older PCs may never get the fix. XDA Developers, March 6, 2026. https://www.xda-developers.com/microsoft-secure-boot-certificates-expire-june-2026-older-pcs/
  19. Gatlan, Sergiu. Microsoft rolls out new Secure Boot certificates before June expiration. BleepingComputer, February 2026. https://www.bleepingcomputer.com/news/microsoft/microsoft-rolls-out-new-secure-boot-certificates-before-june-expiration/
  20. iFeeltech. Windows 10 End of Life: Navigating the 2026 Secure Boot Certificate Expirations. February 2026. https://ifeeltech.com/blog/windows-10-eol-secure-boot
  21. Parmar, Mayank. Windows 11 gets Secure Boot Allowed Key Exchange Key (KEK) update on more PCs, requires a reboot to install. Windows Latest, March 2026. https://www.windowslatest.com
  22. ASUS Global. Windows Secure Boot certificate expiration and certificates updates — FAQ. ASUS Support, 2026. https://www.asus.com/support/faq/1055903/
