Particle.news

Microsoft Widens Secure Boot Certificate Rollout as 2011 KEK Expires

An expanded, phased Windows Update installs 2023 Secure Boot certificates to preserve the firmware trust anchor.

Overview

  • Microsoft expanded its phased Windows Update rollout so most supported Windows 10 and 11 devices have received the replacement 2023 Secure Boot certificates, a move timed around the June 24, 2026 expiry of the Microsoft Corporation KEK CA 2011.
  • Devices that do not receive the new certificates will generally continue to boot normally but will lose the ability to receive future boot‑level revocations and mitigations, producing a gradual degradation of firmware‑level security rather than an immediate outage.
  • Some machines remain unresolved: enterprise devices in temporarily paused rollout buckets, older or unsupported hardware, certain virtual machines, and systems with unusual firmware variants may need OEM BIOS updates or manual remediation to get the new keys.
  • Microsoft and partners offer diagnostics and fixes — Windows Security status indicators, Intune/Group Policy remediations, PowerShell scripts and OEM firmware updates — while known failure modes such as efivarfs space fragmentation, lost platform keys, and BitLocker interactions may require BIOS resets or vendor support.
  • Linux systems face a related deadline because the shim signing key from 2011 expires on September 11, 2026, and many firmwares lack the 2023 shim key, so affected machines will need vendor firmware updates or LVFS/fwupd‑driven key updates to keep Secure Boot protections intact.
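The readiness check described above, as an added example rather than one of Microsoft's or an OEM's scripts: it reads the UEFI KEK and db signature databases and reports whether the 2011 and 2023 Microsoft certificates are present. The 2011 KEK name comes from the article; the other certificate names are the subject names Microsoft publishes for these trust anchors, and the script assumes a UEFI Windows 10/11 device with an elevated PowerShell session.

```powershell
# Added example (not from the article): report whether the 2023 Secure Boot
# certificates are present in this device's UEFI KEK and db variables.
# Assumes Windows 10/11 on UEFI firmware and an elevated session,
# because Get-SecureBootUEFI needs administrator rights.
#Requires -RunAsAdministrator

# Subject-name fragments as they appear inside the signature lists. The 2011 KEK
# name is from the article; the remaining names are Microsoft's published ones.
$Expected = @{
    kek = @('Microsoft Corporation KEK CA 2011', 'Microsoft Corporation KEK 2K CA 2023')
    db  = @('Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023',
            'Microsoft Corporation UEFI CA 2011',   'Microsoft UEFI CA 2023')
}

function Test-SecureBootCert {
    param([string]$Variable, [string]$SubjectFragment)
    # The variable is an EFI_SIGNATURE_LIST blob holding DER certificates. Subject
    # names are stored as ASCII inside the DER, so a plain string match detects them.
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text.Contains($SubjectFragment)
}

if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is disabled; the certificate state below is not enforced.'
}

foreach ($var in $Expected.Keys) {
    foreach ($name in $Expected[$var]) {
        $present = Test-SecureBootCert -Variable $var -SubjectFragment $name
        $state   = if ($present) { 'present' } else { 'MISSING' }
        '{0,-4} {1,-42} {2}' -f $var, $name, $state
    }
}

# Decision rule: the device keeps receiving boot-level revocations past the
# 2011 KEK expiry only if the 2023 KEK is in KEK and the 2023 Windows CA is in db.
$ready = (Test-SecureBootCert -Variable kek -SubjectFragment 'Microsoft Corporation KEK 2K CA 2023') -and
         (Test-SecureBootCert -Variable db  -SubjectFragment 'Windows UEFI CA 2023')
"Ready for 2011 KEK expiry: $ready"
```

A device that reports the 2011 certificates as present but the 2023 ones as MISSING is in the degraded state the overview describes and needs the update, OEM firmware, or manual remediation paths listed above.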