
Windows' boot security certificates have been in place since 2011.
📅 17 March 2026 · 8 min read · 🔒 Windows Security · Australian IT teams
Secure Boot relies on certificates embedded in device firmware. Those certificates were issued by Microsoft in 2011. The first of them expires on 24 June 2026, with further expirations through October.
What Microsoft has said - Windows Secure Boot Certificate Expiry 2026
Microsoft has described this as one of the largest co-ordinated security maintenance efforts in the platform's history. Devices will continue to boot normally after expiry - but every device still running 2011 certificates enters a formally defined "degraded security state" from which it cannot receive future boot-level security fixes.
24 June 2026 - Windows Secure Boot Certificate Expiry 2026 Deadline
Secure Boot works by verifying digital signatures against certificates stored in the device's UEFI firmware. If software loading at startup hasn't been signed by a trusted authority, the system blocks it. Threats operating at this layer - known as bootkits - run before antivirus, before Windows Defender, before any protection inside the operating system has started.
The BlackLotus UEFI bootkit (CVE-2023-24932) demonstrated what this exposure looks like in practice. Once loaded, BlackLotus could disable BitLocker, Hypervisor-Protected Code Integrity, and Windows Defender - before the operating system had finished starting. Standard endpoint security was entirely blind to it.
Degradation is silent
When 2011 certificates expire without being replaced, the device loses the mechanism to receive new boot-level protections. It doesn't fail - it freezes at its current security posture. No alerts, no visible failures - until an attacker uses the gap.
The most important operational point: this update cannot be completed from the Windows side alone. Every device needs two things, applied in the correct order:
1. The OEM firmware update from the device manufacturer, applied first, so the firmware can correctly install and trust the new certificates.
2. The Windows update that delivers the new 2023 certificates.
Confirm that both have applied via the UEFICA2023Status registry key or the Secure Boot status report in Windows Autopatch. Status must show "updated" - not just "in progress".

BitLocker encryption is more widespread in Australian business environments than many IT teams have mapped. Windows 11 version 24H2 introduced automatic device encryption on fresh installations and factory resets - meaning devices may be encrypted without any deliberate configuration decision having been made.
Critical risk - permanent data loss
BitLocker binds its encryption keys to measurements in the device's Trusted Platform Module (TPM). When firmware is updated, those measurements change. BitLocker may interpret this as a security event and lock the device, requiring a 48-digit recovery key.
If the recovery key has not been stored somewhere accessible before the firmware update, the device is locked and the data is permanently unrecoverable. There is no backdoor. Microsoft support cannot bypass it.
For Australian organisations aligning to the ACSC Essential Eight, the Secure Boot certificate update sits within the patch operating systems mitigation strategy. Devices in a degraded security state - permanently unable to receive boot-level security fixes - are not meeting the intent of a current patching posture, regardless of how current their standard Windows patches remain.
An environment where Secure Boot certificates have been allowed to expire has quietly lost that boot-level protection. The gap widens silently - no alerts, no visible failures - with each new boot-level vulnerability for which the device cannot receive a mitigation.
No - devices continue to boot and function normally after 24 June 2026. They enter a "degraded security state" and can no longer receive boot-level security fixes - but there is no immediate failure event.
No. The Windows certificate update and the OEM firmware update are two separate things. The Windows update delivers the new 2023 certificates, but those certificates need a firmware update from your device manufacturer to be correctly installed and trusted. Check the UEFICA2023Status registry key to confirm both have applied.
BitLocker binds its encryption keys to measurements in the device’s Trusted Platform Module (TPM). When firmware is updated, those measurements change - BitLocker may interpret this as a security event and lock the device, requiring a 48-digit recovery key. If that key has not been stored somewhere accessible before the firmware update, the data is permanently unrecoverable. There is no backdoor and Microsoft support cannot bypass it. For full details, see Microsoft’s BitLocker recovery process documentation.
Devices manufactured since 2024, and almost all devices shipped during 2025 (including Copilot+ PCs), have the new 2023 certificates pre-installed and require no action. For hardware from 2023 or earlier, both the Windows update and the firmware update are required.
Windows 10 reached end of support in October 2025. Devices on Windows 10 version 22H2 can still receive the Secure Boot certificate update - but only if enrolled in Microsoft's paid Extended Security Updates (ESU) programme. Devices on older Windows 10 versions, or on 22H2 without ESU, will not receive the update and represent a separate remediation decision.
Check HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot\UEFICA2023Status. It shows "not started", "in progress", or "updated". For managed environments, the Secure Boot status report in Windows Autopatch provides fleet-wide visibility. Event ID 1808 in the Windows System event log also confirms successful certificate application.
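As an added example (not code from this article, Intellect IT or Microsoft), the following PowerShell script performs the per-device checks discussed above on one machine: the UEFICA2023Status registry value, the Event ID 1808 confirmation, a firmware-side check that the 2023 CA is actually present in the UEFI signature database, and whether every BitLocker-protected volume has a recovery password protector before any firmware update is attempted. Assumptions not taken from the article: the registry status strings are compared case-insensitively; the "Windows UEFI CA 2023" subject string searched for in the db variable comes from Microsoft's published KB5025885 guidance; the function name Get-SecureBoot2023Status is the example's own.

```powershell
# Added example (not Intellect IT's or Microsoft's code): per-device readiness check for the
# 2026 Secure Boot certificate update. Run in an elevated PowerShell session on Windows 10/11
# or Windows Server. Read-only: it changes nothing on the device.
#
# Assumptions (labelled here, not taken from the article):
#   - UEFICA2023Status holds one of "not started" / "in progress" / "updated"; the comparison
#     below is case- and whitespace-insensitive to tolerate "Updated" vs "updated".
#   - The db check looks for the "Windows UEFI CA 2023" subject string that Microsoft's
#     KB5025885 guidance documents; that CA name is assumed, not taken from the article.
#   - Event ID 1808 in the System log is the confirmation event the article cites.

#Requires -RunAsAdministrator

function Get-SecureBoot2023Status {
    $result = [ordered]@{
        ComputerName         = $env:COMPUTERNAME
        SecureBootEnabled    = $false
        RegistryStatus       = 'key missing'
        RegistryUpdated      = $false
        Db2023CAPresent      = $false
        Event1808Seen        = $false
        BitLockerVolumes     = @()
        VolumesMissingKey    = @()
        CertificatesUpdated  = $false   # both halves of the update are visible on this device
        SafeToUpdateFirmware = $false   # no encrypted volume lacks a recovery password protector
    }

    # 1. Is Secure Boot on at all? Confirm-SecureBootUEFI throws on legacy BIOS / unsupported hardware.
    try { $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) } catch { $result.SecureBootEnabled = $false }

    # 2. Windows-side status: the UEFICA2023Status value the article describes.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $reg = Get-ItemProperty -Path $regPath -Name 'UEFICA2023Status' -ErrorAction SilentlyContinue
    if ($reg) {
        $result.RegistryStatus  = [string]$reg.UEFICA2023Status
        $result.RegistryUpdated = (($result.RegistryStatus -replace '\s', '').ToLower() -eq 'updated')
    }

    # 3. Firmware-side evidence: is the 2023 CA present in the UEFI signature database (db)?
    #    "updated" in the registry with no 2023 CA in db means the firmware side is not complete.
    try {
        $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
        $dbText  = [System.Text.Encoding]::ASCII.GetString($dbBytes)
        $result.Db2023CAPresent = [bool]($dbText -match 'Windows UEFI CA 2023')   # assumed CA name
    } catch { $result.Db2023CAPresent = $false }

    # 4. Event ID 1808 in the System log (cited by the article as confirmation of success).
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1808 } -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.Event1808Seen = [bool]$evt

    # 5. BitLocker: every volume with protection On needs a RecoveryPassword protector, and that
    #    48-digit password must be stored somewhere accessible BEFORE the firmware is updated.
    $volumes = Get-BitLockerVolume -ErrorAction SilentlyContinue
    foreach ($v in $volumes) {
        if ($v.ProtectionStatus -ne 'On') { continue }
        $result.BitLockerVolumes += $v.MountPoint
        $hasRecoveryPassword = $v.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $hasRecoveryPassword) { $result.VolumesMissingKey += $v.MountPoint }
    }

    $result.CertificatesUpdated  = $result.RegistryUpdated -and $result.Db2023CAPresent
    $result.SafeToUpdateFirmware = ($result.VolumesMissingKey.Count -eq 0)

    [pscustomobject]$result
}

Get-SecureBoot2023Status | Format-List
```

A RecoveryPassword protector existing locally only proves a key exists, not that it has been escrowed: confirm the password is in Entra ID or Active Directory (for Entra-joined devices the BackupToAAD-BitLockerKeyProtector cmdlet escrows it) before scheduling the firmware update. Across a fleet, run the function through your RMM or Invoke-Command and collect the returned objects; any device with CertificatesUpdated false after the Windows update has applied is a candidate for the OEM firmware step, and any device with SafeToUpdateFirmware false should be held back until its recovery keys are stored.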
Yes. Windows Server 2025, 2022, 2019, 2016, 2012, and 2012 R2 are all affected. Microsoft has published a dedicated Windows Server Secure Boot Playbook for the 2026 certificate update. The remediation steps are the same - OEM firmware first, then Windows certificate update, with BitLocker recovery key confirmation before firmware changes.
Organisations that approach this as a co-ordinated project - with proper inventory, sequencing, and verification - complete it without incident. Those that treat it as a background update task encounter the edge cases at the worst time: the device with BitLocker and no accessible recovery key, the older hardware requiring a manual firmware process, the server that fell outside the standard update group.
The deadline is fixed. 24 June 2026 for the first certificate expiry, October 2026 for the next set. The tools for tracking compliance exist now. The remaining variable is whether the update is treated as a deliberate project or left to chance.
Expert Care clients
Managed devices in the Standard Operating Environment are being addressed through our standard planned update cycle. We will report and act on any devices where updates have not applied as expected. If your environment includes devices outside managed coverage - or if BitLocker recovery key status across your fleet hasn't been confirmed - this is worth reviewing before the June window closes.
Intellect IT can audit your device fleet, confirm firmware and certificate update status, and verify BitLocker recovery key coverage - before the June deadline.