Microsoft is proactively rolling out a mandatory security update to refresh the certificates used by the Windows Secure Boot process. The original database (DB) certificates, which have been part of Windows since 2011, are scheduled to begin expiring in June 2026. To prevent security issues, Microsoft is distributing new 2023-dated certificates via Windows Update. This planned lifecycle event is crucial for maintaining the integrity of the boot process and hardening systems against advanced threats like UEFI bootkits (e.g., BlackLotus). For the vast majority of users with modern hardware, this update will be applied automatically and silently. However, there is a risk that older PCs or systems with outdated firmware may fail to complete the transition, potentially leaving them vulnerable to future boot-level attacks without any clear indication to the user.
This update is not a patch for a specific CVE but a proactive measure to address a future security risk. The primary goals are:
The real-world risk is nuanced and depends on the age and configuration of the PC.
The core risk is the creation of a hidden class of vulnerable devices. Users will believe they are protected by Secure Boot, but their systems will lack the most current trust anchors, effectively degrading their security posture over time.
Windows PC-OEM-Production-2011Windows PC-OEM-Production-2023This is a mandatory, automatic update being rolled out by Microsoft. There is no deployment priority for IT administrators to manage, other than ensuring their fleet of Windows devices are regularly checking in with Windows Update and are not blocked from receiving cumulative updates.
For end-users, no action is required. The update is automatic.
For IT administrators, the key action is verification:
The following indicators could help identify systems that have not been successfully updated:
HKLM\SYSTEM\CurrentControlSet\Control\SecureBootsetupact.log)db, dbx, KEK) to programmatically verify the presence of the new certificate's signature hash.This is a proactive security measure, so the focus is on identifying non-compliant systems rather than active exploitation.
Microsoft initiated widespread deployment of the Secure Boot 2023 certificate update via June 2026 Patch Tuesday (KB5094126) for Windows 10/11, with 2011 certificates expiring June 24.
Microsoft has begun the widespread rollout of the Secure Boot 2023 certificate update for Windows 10 and 11 systems as part of the June 2026 Patch Tuesday, identified as KB5094126. This deployment is critical as the original 2011 Secure Boot certificates are set to begin expiring on June 24, 2026. The broad rollout follows a lengthy, cautious phased testing period, indicating Microsoft's confidence in the update's compatibility and ensuring continued boot-level security against pre-boot malware. Users are advised to ensure their systems receive this automatic update.
Microsoft begins rolling out the Secure Boot certificate refresh with the April 2026 cumulative updates.
The original 2011 Secure Boot certificates are scheduled to begin expiring.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.