Full Report
Microsoft has begun rolling out updated Secure Boot certificates through monthly Windows updates to replace the original 2011 certificates that will expire in late June 2026. [...]
Analysis Summary
# Vulnerability: Secure Boot Certificate Expiration and Update Requirement
## CVE Details
- CVE ID: N/A (This is a proactive maintenance and lifecycle event, not a conventional security vulnerability requiring a CVE at this stage.)
- CVSS Score: N/A
- CWE: N/A (Lifecycle Management Issue)
## Affected Systems
- Products: UEFI Firmware on eligible Windows devices.
- Versions: Devices using the original 2011 Secure Boot certificates. In-support Windows 11 24H2 and 25H2 systems are primary recipients of the update rollout.
- Configurations: Devices running unsupported Windows versions (Windows 10 and older, excluding ESU) will not receive the new certificates automatically. Some devices also require firmware updates from their OEM before the new certificates can be applied successfully.
## Vulnerability Description
The original Secure Boot certificates deployed in 2011 are scheduled to expire in late June 2026. Secure Boot relies on these trusted digital certificates within the UEFI firmware to verify the authenticity of the bootloader and prevent the execution of malicious software such as rootkits during startup. If a device's operating system is not updated with the new certificates, the device will enter a "degraded security state" after expiration, with reduced boot-level protections, including the ability to apply mitigations for newly discovered boot-level vulnerabilities.
## Exploitation
- Status: Not applicable (This is a configuration/lifecycle issue that reduces future security posture; no active exploitation is described).
- Complexity: Not applicable
- Attack Vector: N/A
## Impact
- Confidentiality: Potential degradation of future protection against boot-level compromise if not updated.
- Integrity: Potential degradation of future protection against boot-level compromise if not updated.
- Availability: No immediate loss of availability, but degraded security state post-June 2026.
## Remediation
### Patches
Microsoft is rolling out new Secure Boot certificates through regular monthly Windows updates for in-support Windows devices, whether the devices are managed by Microsoft or by organizations using their preferred management tools.
- **Microsoft-Managed Updates:** Automatic application via standard Windows Updates on eligible, high-confidence devices.
- **IT-Managed Updates:** Deployable via registry keys, Group Policy settings, and Windows Configuration System (WinCS).
- **OEM/Firmware Updates:** Customers must verify OEM support pages, as some devices require corresponding firmware updates before the new certificates can be successfully applied.
### Workarounds
- **For IT Admins:** Organizations can proactively deploy the certificate updates themselves using Group Policy or configuration management tools.
- **For All Users:** Ensure the operating system is running a supported version (e.g., Windows 11) to receive the necessary updates.
## Detection
- **Indicators of Compromise:** N/A (Not exploitation-related).
- **Detection methods and tools:** Monitoring for successful application of the certificate updates through Windows Update logs or configuration management reporting. Microsoft advises checking OEM support pages for necessary firmware prerequisites.
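One way to verify the rollout on an endpoint, as an added example that is not part of the advisory or Microsoft's own tooling: the script below reports whether Secure Boot is enabled, whether the refreshed CA is present in the firmware's db, and what the Windows servicing state says. It assumes the certificate subject string "Windows UEFI CA 2023" and the `UEFICA2023Status` value under the `SecureBoot\Servicing` registry key match Microsoft's published guidance; confirm both against the referenced support article before relying on them.

```powershell
# Added example (not from the advisory): report whether a Windows device has
# received the 2023 Secure Boot certificates. Assumptions: the subject string
# "Windows UEFI CA 2023" and the UEFICA2023Status registry value follow
# Microsoft's published playbook; verify against the referenced support article.
#Requires -RunAsAdministrator

function Get-SecureBootCertStatus {
    $result = [ordered]@{
        SecureBootEnabled = $false
        NewCAInDb         = $false
        ServicingStatus   = 'Unknown'
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS or platforms without Secure Boot.
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        return [pscustomobject]$result
    }

    # The db variable is a raw EFI_SIGNATURE_LIST blob. The CA subject name is
    # embedded in the DER certificate, so a plain string search is sufficient
    # to tell whether the refreshed CA has been enrolled.
    $db = (Get-SecureBootUEFI -Name db).Bytes
    $result.NewCAInDb = [System.Text.Encoding]::ASCII.GetString($db) -match 'Windows UEFI CA 2023'

    # Servicing state written by Windows Update or by the IT-managed registry keys.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = Get-ItemProperty -Path $key -Name 'UEFICA2023Status' -ErrorAction SilentlyContinue
    if ($status) { $result.ServicingStatus = $status.UEFICA2023Status }

    [pscustomobject]$result
}

$s = Get-SecureBootCertStatus
$s | Format-List
if ($s.SecureBootEnabled -and -not $s.NewCAInDb) {
    Write-Warning 'Secure Boot is on but the 2023 CA is not yet in db; check OEM firmware prerequisites.'
}
```

Run it from an elevated PowerShell session; the output object can be exported to CSV and collected by whatever configuration management reporting the organization already uses.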
## References
- [Microsoft Secure Boot Certificate Expiration Guidance (Referenced via Tech Community alert)](hXXps://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235)
- [Windows Experience Blog on Certificate Refresh](hXXps://blogs.windows.com/windowsexperience/?p=180181)
- [Microsoft Support Documentation on Registry Key Updates](hXXps://support.microsoft.com/en-au/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d)