Microsoft warns of a critical issue: Secure Boot certificates issued in 2011 will expire in June 2026. Without updates, millions of Windows 10 and Windows 11 devices will remain vulnerable to bootkit attacks. Learn how to prepare for these changes and protect your system.

Microsoft has issued an important warning to users and organizations: Secure Boot mechanism certificates issued in 2011 will expire in June 2026. This situation could seriously impact the security of millions of devices worldwide.

What is Secure Boot and Why It Matters

Secure Boot is a critically important security mechanism introduced by Microsoft in 2012 alongside Windows 8. Its primary function is to ensure that a computer uses only verified firmware and trusted bootloaders when starting the operating system.

Without Secure Boot, it's impossible to officially install Windows 11, as it's one of the system's mandatory requirements. The mechanism protects the computer at the earliest boot stage, preventing malicious code from running before the operating system loads.

Scale of the Problem

Certificate expiration will affect a wide range of devices:

  • Physical and virtual machines running Windows 10
  • Devices running Windows 11
  • Windows Server 2025, 2022, 2019, 2016, 2012, and 2012 R2 servers

The only exception is Copilot+ PCs released in 2025 — they already come equipped with current certificates.

Security Threats

Without updated certificates, the Windows boot manager and Secure Boot components will not be able to receive critical security fixes. This leaves devices exposed to bootkit attacks such as BlackLotus.

Bootkits are particularly dangerous because they:

  • Launch before the operating system loads
  • Are extremely difficult to detect with standard antivirus software
  • Gain complete system control from the very beginning of boot

Microsoft's Recommendations

The company strongly recommends that users and organizations:

  1. Update to the 2023 certificates: the new certificates will be available through monthly cumulative updates
  2. Register Windows 10 devices in the Extended Security Updates program (free for regular consumers)
  3. Prepare for updates: ensure devices are connected to the internet to receive updates

Special Cases

For devices that are physically isolated from the internet and local networks, Microsoft offers limited support. Owners of such systems should contact the company's support service for individual recommendations.

Microsoft also promises to provide necessary certificates for Linux systems that support dual boot with Windows.

How to Check Secure Boot Status

To find out whether Secure Boot is enabled on your system:

  1. Press Win + R
  2. Enter the command msinfo32
  3. Find the "Secure Boot State" item
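
The msinfo32 check shows only whether Secure Boot is on. As an added example (not from the original article or from Microsoft), the PowerShell below also reports whether the 2011 and 2023 certificates are present in the firmware's db and KEK variables. The certificate names are assumptions taken from Microsoft's public Secure Boot guidance rather than from this page, and the function name is hypothetical.

```powershell
# Added example: run in an elevated PowerShell session on a UEFI system.
# Certificate names are assumptions from Microsoft's public guidance; verify them.

function Test-SecureBootVariable {
    param(
        [Parameter(Mandatory)] [string]   $Name,      # UEFI variable: 'db' or 'KEK'
        [Parameter(Mandatory)] [string[]] $Subjects   # certificate names to look for
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    } catch {
        Write-Warning "Cannot read '$Name': $($_.Exception.Message)"
        return
    }
    # Subject names sit as plain text inside the DER-encoded certificates,
    # so a substring search is enough for a presence check.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    foreach ($s in $Subjects) {
        [pscustomobject]@{
            Variable    = $Name
            Certificate = $s
            Present     = $text.Contains($s)
        }
    }
}

# Same information as "Secure Boot State" in msinfo32.
try {
    $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    "Secure Boot enabled: $enabled"
} catch {
    Write-Warning "Secure Boot state unavailable (legacy BIOS or not elevated): $($_.Exception.Message)"
}

$results = @(
    Test-SecureBootVariable -Name 'db'  -Subjects 'Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023'
    Test-SecureBootVariable -Name 'KEK' -Subjects 'Microsoft Corporation KEK CA 2011', 'Microsoft Corporation KEK 2K CA 2023'
)
$results | Format-Table -AutoSize

# Flag devices that still rely only on the certificates issued in 2011.
if ($results | Where-Object { $_.Certificate -match '2023' -and -not $_.Present }) {
    Write-Warning 'At least one 2023 certificate is missing; this device still needs the certificate update.'
}
```

A device that shows the 2011 entries as present and the 2023 entries as missing has not yet received the certificate update described under Microsoft's Recommendations.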

Connection to Recent Vulnerabilities

The certificate expiration problem becomes particularly relevant against the backdrop of recently discovered vulnerabilities in the Secure Boot mechanism. Researchers identified a critical issue (CVE-2025-3052) that allowed attackers to disable protection and run malicious code before the operating system loads.

Conclusion

Secure Boot certificate expiration is a serious problem that requires attention from all Windows users. Timely certificate updates will help maintain a high level of system security and protect devices from modern threats.

More details about the problem can be found in the original article on Habr.