A Ticking Clock on Millions of PCs
Microsoft has issued an advisory warning that critical Secure Boot certificates used by Windows PCs are scheduled to expire in June 2026, an event that could potentially prevent affected computers from booting properly if the certificates are not updated before the expiration date. The advisory, published through Microsoft's Security Response Center, details the scope of the issue, identifies which systems are at risk, and provides guidance on how both individual users and enterprise IT administrators can prepare for and address the certificate transition.
Secure Boot is a security feature built into the UEFI firmware of modern PCs that ensures only trusted, digitally signed software can execute during the boot process. When a computer starts up, the firmware checks the digital signature of the bootloader and operating system kernel against a database of trusted certificates stored in the system's firmware. If the signatures do not match a trusted certificate, the system refuses to boot, preventing malware from hijacking the startup process.
What Is Actually Expiring
The certificates at risk are the Microsoft Windows Production PCA certificates that were originally issued in 2011 and have a 15-year validity period. These certificates are part of the chain of trust that validates the digital signatures on Windows bootloaders. When they expire, the firmware's signature verification will fail for bootloaders signed with these certificates, potentially rendering the system unable to load Windows.
The affected certificates are embedded in the UEFI firmware of PCs manufactured between approximately 2012 and 2024. The exact impact depends on several factors, including the firmware version, the manufacturer's implementation of Secure Boot, and whether the system has received firmware updates that include replacement certificates.
Which Systems Are At Risk
The scope of potentially affected systems is substantial:
- Consumer PCs: Any Windows PC manufactured in the affected timeframe that has not received a firmware update containing the new certificates. This includes desktops, laptops, tablets, and convertible devices from all major manufacturers.
- Enterprise systems: Business-class workstations, servers, and point-of-sale systems that use Secure Boot with the expiring certificates. Enterprise environments are particularly vulnerable because firmware updates are often deferred due to compatibility testing requirements.
- Virtual machines: Some virtualization platforms, including Microsoft's own Hyper-V, use Secure Boot certificates that may be affected. Virtual machines running on these platforms could also experience boot failures.
- Custom and embedded systems: Industrial PCs, kiosks, medical devices, and other embedded Windows systems that rarely receive firmware updates and may be running outdated certificate databases.
Microsoft's Remediation Plan
Microsoft has developed a phased remediation plan that involves distributing new certificates through both Windows Update and firmware updates from hardware manufacturers. The plan has three stages.
Phase 1: Certificate Distribution (Now through April 2026)
Microsoft is distributing updated certificates through Windows Update as a preparatory measure. The update installs the new certificates into the system's UEFI Secure Boot database alongside the existing certificates, ensuring that both old and new certificates are trusted during the transition period. This update requires a system restart to take effect and must be applied before the old certificates expire.
Phase 2: Bootloader Re-Signing (April through June 2026)
Microsoft will release new versions of the Windows bootloader signed with the updated certificates. These new bootloaders will be distributed through Windows Update and will replace the existing bootloader files on the system's EFI System Partition. Systems that have already received the new certificates from Phase 1 will boot seamlessly with the new bootloader.
Phase 3: Old Certificate Revocation (After June 2026)
After the transition period, Microsoft plans to revoke the expired certificates through a Secure Boot Forbidden Signature Database update. This step is optional and will be deployed gradually to ensure that all systems have had adequate time to transition. Revoking the old certificates prevents them from being exploited by malware that attempts to use bootloaders signed with the compromised certificates.
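Phase 2 replaces the bootloader files on the EFI System Partition with copies signed by the new certificates. One way to see which certificate chain actually signed the bootloader currently installed on a machine is to mount the EFI System Partition and inspect the file's Authenticode signature. The script below is an added example, not Microsoft's own tooling; it assumes an elevated PowerShell session on a UEFI system, that the drive letter S: is free, and that the bootloader sits at the standard path EFI\Microsoft\Boot\bootmgfw.efi. The June 2026 cut-off is taken from the advisory and is only used to flag chain links.

```powershell
# Added example (not Microsoft's script): report the certificate chain that signed the
# installed Windows bootloader so you can tell whether a re-signed bootloader has landed.
# Assumes: elevated session, UEFI system, drive letter $EspDrive is free to use.

function Get-BootloaderSignerChain {
    param(
        [string]$EspDrive = 'S:',                                    # assumed-free drive letter
        [string]$BootloaderPath = 'EFI\Microsoft\Boot\bootmgfw.efi'  # standard Windows bootloader location
    )
    # 'mountvol <drive> /S' mounts the EFI System Partition on the given drive letter (needs elevation)
    mountvol $EspDrive /S | Out-Null
    try {
        $file = Join-Path $EspDrive $BootloaderPath
        $sig  = Get-AuthenticodeSignature -FilePath $file
        if (-not $sig.SignerCertificate) {
            throw "No Authenticode signature found on $file (status: $($sig.Status))"
        }
        # Build the chain from the leaf up to the root; revocation checking is skipped because
        # we only want to read the subjects and validity periods of each link
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $null = $chain.Build($sig.SignerCertificate)
        foreach ($element in $chain.ChainElements) {
            [pscustomobject]@{
                File       = $file
                Subject    = $element.Certificate.Subject
                NotAfter   = $element.Certificate.NotAfter
                Thumbprint = $element.Certificate.Thumbprint
            }
        }
    }
    finally {
        # Always dismount so the ESP is not left exposed under a drive letter
        mountvol $EspDrive /D | Out-Null
    }
}

# Usage: print every link in the chain and flag those that expire on or before the
# advisory's June 2026 date (cut-off date assumed here as 30 June 2026)
$cutOff = [datetime]'2026-06-30'
Get-BootloaderSignerChain | ForEach-Object {
    $flag = if ($_.NotAfter -le $cutOff) { 'EXPIRES BEFORE CUT-OFF' } else { 'ok' }
    '{0,-70} {1:yyyy-MM-dd} {2}' -f $_.Subject, $_.NotAfter, $flag
}
```

The leaf certificate is the one that signed the file; the intermediate is the Production PCA the article discusses. A bootloader whose chain still runs through a link flagged as expiring is one the Phase 2 update has not yet replaced.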
What Individual Users Should Do
For individual Windows users, the most important action is to ensure that their system is receiving and installing Windows Updates. The certificate update will be delivered as a critical update and will be installed automatically on systems with default Windows Update settings. Users who have disabled automatic updates or deferred updates should manually check for and install all pending updates before June 2026.
Additionally, users should check with their PC manufacturer for UEFI firmware updates. Many manufacturers are releasing firmware updates that include the new certificates and address other Secure Boot issues. These updates are typically available through the manufacturer's support website or through built-in firmware update utilities.
Steps for Home Users
The following checklist will help individual users prepare for the certificate transition:
- Open Windows Update and install all pending updates.
- Visit the PC manufacturer's support website and check for available BIOS or UEFI firmware updates for the specific model.
- If a firmware update is available, follow the manufacturer's instructions to install it, taking care not to interrupt the process.
- After installing updates, verify that Secure Boot is still enabled by opening the System Information utility and checking the Secure Boot State field.
- Create a recovery drive as a precaution in case the boot process is disrupted during the transition.
Enterprise IT Considerations
Enterprise IT administrators face a more complex challenge. Large organizations typically manage thousands of PCs across multiple hardware platforms and firmware versions, making it impractical to manually update each system. Microsoft recommends that enterprise administrators:
- Inventory their Secure Boot certificate status across all managed devices.
- Test the certificate and bootloader updates in a staging environment before broad deployment.
- Develop a rollback plan in case the update causes compatibility issues with specific hardware or firmware configurations.
- Coordinate with hardware vendors to obtain firmware updates for all platforms in the fleet.
Microsoft has published detailed technical documentation and PowerShell scripts that administrators can use to query the Secure Boot certificate status of managed devices and identify systems that require attention. The company is also offering direct support through Premier and Unified support contracts for enterprises that need assistance with the transition.
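Both the home-user check (is Secure Boot still enabled?) and the enterprise inventory step (which certificates does each device's Secure Boot database currently trust, and when do they expire?) can be answered from the firmware variables Windows exposes. The script below is an added example and is not one of Microsoft's published scripts: it reads the 'db' and 'KEK' variables with Get-SecureBootUEFI, walks the EFI_SIGNATURE_LIST structures they contain, decodes the X.509 entries, and reports which ones expire on or before a cut-off. It assumes an elevated session on a UEFI system; the 30 June 2026 default cut-off is an assumption based on the advisory's June 2026 date, and the function names are this example's own.

```powershell
# Added example (not Microsoft's inventory script): enumerate the X.509 certificates in the
# UEFI Secure Boot signature databases and flag those expiring on or before a cut-off date.
# Assumes: elevated PowerShell session on a UEFI system with Secure Boot variables present.

# GUID that marks an EFI_SIGNATURE_LIST as holding DER-encoded X.509 certificates (EFI_CERT_X509_GUID)
$script:EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificate {
    param([ValidateSet('db', 'KEK')][string]$Store = 'db')
    $bytes  = (Get-SecureBootUEFI -Name $Store).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes) followed by three UINT32 fields:
        # SignatureListSize, SignatureHeaderSize, SignatureSize
        $sigType  = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { throw "Malformed signature list in $Store at offset $offset" }
        $listEnd  = $offset + $listSize
        if ($sigType -eq $script:EfiCertX509Guid) {
            # Each EFI_SIGNATURE_DATA entry: SignatureOwner GUID (16 bytes) + the certificate's DER bytes
            for ($p = $offset + 28 + $hdrSize; $p + $sigSize -le $listEnd; $p += $sigSize) {
                $der  = [byte[]]$bytes[($p + 16)..($p + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Store      = $Store
                    Subject    = $cert.Subject
                    NotBefore  = $cert.NotBefore
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
        $offset = $listEnd
    }
}

function Test-SecureBootCertificateStatus {
    # Cut-off assumed from the advisory's June 2026 date
    param([datetime]$CutOff = [datetime]'2026-06-30')
    # Confirm-SecureBootUEFI returns $true only when Secure Boot is enabled (it throws on non-UEFI machines)
    $enabled = Confirm-SecureBootUEFI
    $certs   = @(Get-SecureBootCertificate -Store 'db') + @(Get-SecureBootCertificate -Store 'KEK')
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        SecureBootOn   = $enabled
        ExpiringBefore = @($certs | Where-Object { $_.NotAfter -le $CutOff } | ForEach-Object Subject)
        ValidAfter     = @($certs | Where-Object { $_.NotAfter -gt $CutOff } | ForEach-Object Subject)
        # Ready only if the 'db' already trusts at least one certificate that outlives the cut-off,
        # which is what the Phase 1 certificate distribution is meant to achieve
        HasReplacement = [bool]($certs | Where-Object { $_.Store -eq 'db' -and $_.NotAfter -gt $CutOff })
    }
}

# Usage: run once per device through your management tooling and collect the objects centrally;
# devices with HasReplacement = $false still need the Phase 1 update (or a firmware update)
Test-SecureBootCertificateStatus | Format-List
```

Because the output is a plain object, it can be exported with Export-Csv or fed to whatever fleet-management system the organization already uses, which gives the inventory Microsoft recommends without touching each machine by hand.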
The Broader Security Lesson
The Secure Boot certificate expiration serves as a reminder that even foundational security mechanisms have finite lifespans and require ongoing maintenance. The original 15-year certificate validity period seemed generous when these certificates were issued in 2011, but the longevity of modern hardware means that many systems outlive the security credentials they were built with. As the technology industry moves toward longer hardware lifecycles driven by sustainability goals, the management of security certificate lifespans will become an increasingly important consideration for both manufacturers and users.