Microsoft has begun a gradual rollout of updated Secure Boot certificates for Windows 11 systems running versions 24H2 and 25H2. The change is designed to address expiring security keys, but PC builders must verify their system’s readiness before the June 2026 deadline.
Secure Boot relies on a set of digital signatures stored in UEFI/BIOS firmware. Without an update, systems could fail to validate new boot loaders or receive critical security patches after mid-year. Microsoft states that devices manufactured before 2024 are most affected, while newer models already include the latest certificates.
Key details
- Update availability: The Secure Boot Allowed Key Exchange Key (KEK) Update is distributed via Windows Update but may not be visible immediately due to a phased rollout schedule.
- Affected systems: Only those with Secure Boot enabled—verified through msinfo32—and running 24H2 or 25H2 builds. Pre-2024 hardware is at higher risk of issues after June 2026.
- Verification steps: Users can check certificate status using PowerShell commands, such as [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes), or inspect the Windows Registry under HKEY_LOCAL_MACHINE\\[...]. A value of 0 for WindowsUEFICA2023Capable indicates missing certificates.
The update requires installing a series of quality updates and enabling diagnostic data reporting to Microsoft. Without these, automatic certificate replacement may not occur. IT administrators should prioritize this now to avoid disruptions in system maintainability or security.
Why it matters
Secure Boot is a foundational security layer that prevents unauthorized software from executing during startup. If certificates expire without replacement, Windows devices could lose trust in new boot components, creating vulnerabilities. Microsoft’s guidance emphasizes that proactive updates are essential to maintain both security and compatibility with future patches.
That’s the upside—here’s the catch: The phased rollout means some builders may not see the update immediately, even if their system qualifies. Additionally, older hardware built before 2024 is more likely to encounter issues unless manual intervention occurs. Enabling diagnostic data can streamline the process but requires user action.
What to watch next
PC builders should monitor Windows Update for the Secure Boot KEK update and verify their system’s status using PowerShell or Registry checks. If your device was manufactured in 2024 or later, it likely already includes the latest certificates. For pre-2024 systems with Secure Boot active, installing quality updates and enabling diagnostics now can prevent future disruptions.
Most affected users will be those running older hardware with Secure Boot enabled, particularly in enterprise environments where certificate management is critical. Smaller builds or hobbyist setups may see fewer immediate impacts but should still verify their status to avoid long-term compatibility risks.
