Microsoft Refreshes Secure Boot Certificates, Phased Deprecation Set for 2026
Microsoft has announced a refresh of its Secure Boot certificates for Windows systems, transitioning from older 2011 keys to the new Windows UEFI CA 2023 authority. This update is designed to enhance the security of the PC startup process by ensuring only trusted firmware and components load before the operating system. The deprecation of the older certificates is scheduled to commence in June 2026 and continue through October 2026.
Overview of Secure Boot Certificates
Secure Boot is a feature of the UEFI firmware (Unified Extensible Firmware Interface) on modern Windows systems and is typically enabled by default. Before Windows starts, the firmware checks the signature of each boot component it loads against certificates stored in its Secure Boot databases; Microsoft uses four distinct certificates for this purpose. A component whose signature does not chain to a trusted certificate indicates that unverified code could be loading, but by itself it does not confirm malicious activity.
The refresh replaces the 2011 certificates, which are nearing expiry, with their 2023 counterparts so that Microsoft can keep signing new boot components and revocation (DBX) updates that the firmware will trust.
Deprecation Timeline and Affected Systems
The deprecation of the 2011 Secure Boot certificates will begin in June 2026 and conclude by October 2026. This initiative primarily affects Windows 10 version 1607 and later, as well as all versions of Windows 11. For Windows 10 systems to receive these certificate updates, enrollment in the Extended Security Updates (ESU) program is required.
The Certificate Refresh Process
The refresh runs in two stages, because the Secure Boot keys sit at the firmware level and have to be carried across the whole PC ecosystem, including OEM firmware and motherboards:
- The new Secure Boot certificate is delivered to the Windows operating system and staged there.
- Windows then writes that certificate into the system firmware's Secure Boot databases.
Many systems may sit in the first stage for a while, because Microsoft collects telemetry and reliability data before pushing the firmware-level change. Windows can download and stage the new certificates inside the operating system before the firmware adopts them. Updates began rolling out in 2024.
Understanding Event Viewer Messages
Users may notice new TPM-WMI entries in Event Viewer, specifically Event ID 1801, with messages such as "BucketConfidenceLevel: Under Observation – More Data Needed." These messages, which many users first saw after installing the February 2026 Patch Tuesday update (KB5077181), are not indicators of system errors or failures.
They are status checks emitted during the phased rollout: the device has been placed in an observation bucket while Microsoft gathers data on whether it is safe to apply the firmware-level change.
Because the OS-level stage can complete before the firmware stage, the various status checks (the Event Viewer messages, the PowerShell query below, and the BIOS version) can disagree for a time. That discrepancy is expected during the rollout.
User Actions and Verification
Most users are unlikely to need to take specific action, as Windows systems typically update certificates automatically when Secure Boot is enabled. Automated updates are planned to continue throughout the year.
However, the following users should make sure their systems are updated:
- Users who have changed how often Windows checks for updates.
- Users who have disabled Secure Boot.
- Users with systems that have not been powered on recently; these should be turned on and updated.
Verification Methods
Users can verify their Secure Boot certificate status through several methods:
Using PowerShell:
- Open PowerShell as an administrator.
- Run the following command, which reads the Secure Boot db variable and searches its raw bytes for the new certificate's name:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
- A result of True indicates the Windows UEFI CA 2023 certificate is present in the Secure Boot database. A result of False means the device is still waiting for the certificate, which is not an error during this phased rollout.
Using Event Viewer:
- Open Event Viewer.
- Navigate to Windows Logs > System.
- Filter the current log by TPM-WMI (or Microsoft-Windows-TPM-WMI) as the event source.
- Look for Event ID 1808, which signifies that the new Secure Boot certificate has been applied to the firmware, and Event ID 1034, which confirms the DBX (revocation list) update.
Users can also check their BIOS version and date by typing "msinfo32" into the Windows Start menu search field; systems with a recent BIOS are likely to be current. If the certificates remain out of date after enabling Secure Boot and running Windows Update, users may need to consult instructions specific to their computer or motherboard; Microsoft provides resources for some manufacturers.
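The string match above only tells you whether the name "Windows UEFI CA 2023" appears somewhere in the db bytes. The following script, added here as an example and not taken from the article or from Microsoft, goes further: it parses the db and KEK variables as arrays of EFI_SIGNATURE_LIST structures, lists every X.509 CA they contain with its expiry date, checks for the 2023 replacements, and pulls the TPM-WMI events (1801, 1808, 1034) described in the Event Viewer sections. Two things in it are assumptions rather than facts from the page: the name of the replacement KEK certificate ("Microsoft Corporation KEK 2K CA 2023"), and the provider name "Microsoft-Windows-TPM-WMI" used for the event filter. The EFI_CERT_X509_GUID value and the signature-list layout come from the UEFI specification.

```powershell
# Added example (not from the article or Microsoft). Run in an elevated PowerShell
# on a UEFI system. Parses the Secure Boot db/KEK variables as EFI_SIGNATURE_LIST
# arrays, reports the X.509 CAs and their expiry, and lists servicing events.
# ASSUMPTIONS not stated on the page: the KEK replacement is named
# "Microsoft Corporation KEK 2K CA 2023"; the event provider is "Microsoft-Windows-TPM-WMI".

# EFI_CERT_X509_GUID from the UEFI specification: marks a list whose entries are DER certificates.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-EfiSignatureListCerts {
    [CmdletBinding()]
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # Each EFI_SIGNATURE_LIST (little-endian integers):
    #   SignatureType GUID (16) | SignatureListSize u32 | SignatureHeaderSize u32 | SignatureSize u32
    #   | SignatureHeader (SignatureHeaderSize bytes)
    #   | N x EFI_SIGNATURE_DATA { SignatureOwner GUID (16) | SignatureData (SignatureSize - 16) }
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Stop on a malformed list instead of indexing past the buffer.
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $Bytes.Length) { break }
        if ($type -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            $pos = $offset + 28 + $headerSize
            while (($pos + $sigSize) -le ($offset + $listSize)) {
                $der = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
                try {
                    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                    [pscustomobject]@{
                        Subject    = $cert.Subject
                        NotAfter   = $cert.NotAfter
                        Thumbprint = $cert.Thumbprint
                        Owner      = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
                    }
                } catch {
                    Write-Warning "Skipping entry at offset $pos that did not parse as an X.509 certificate."
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Get-SecureBootCaStatus {
    # Confirm-SecureBootUEFI returns $true/$false and throws on legacy BIOS or unsupported firmware.
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $null }
    $db  = @(Get-EfiSignatureListCerts -Bytes (Get-SecureBootUEFI -Name db).Bytes)
    $kek = @(Get-EfiSignatureListCerts -Bytes (Get-SecureBootUEFI -Name KEK).Bytes)
    $soon = (Get-Date).AddDays(180)
    [pscustomobject]@{
        SecureBootEnabled    = $enabled
        HasWindowsUefiCa2023 = [bool]($db  | Where-Object Subject -like '*Windows UEFI CA 2023*')
        HasKek2023           = [bool]($kek | Where-Object Subject -like '*KEK 2K CA 2023*')  # assumed name
        ExpiringWithin180d   = @($db + $kek | Where-Object NotAfter -lt $soon | ForEach-Object Subject)
        DbCertificates       = $db
        KekCertificates      = $kek
    }
}

function Get-SecureBootServicingEvents {
    param([int]$MaxEvents = 25)
    # IDs from the article: 1801 = status bucket ("Under Observation"),
    # 1808 = new certificate applied to firmware, 1034 = DBX (revocation list) updated.
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801, 1808, 1034 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: overall status, then the CA inventory sorted by expiry, then recent servicing events.
$status = Get-SecureBootCaStatus
$status | Select-Object SecureBootEnabled, HasWindowsUefiCa2023, HasKek2023, ExpiringWithin180d | Format-List
$status.DbCertificates + $status.KekCertificates | Sort-Object NotAfter | Format-Table Subject, NotAfter -AutoSize
Get-SecureBootServicingEvents | Format-Table -AutoSize
```

A device still in the first stage of the rollout will typically show SecureBootEnabled True, HasWindowsUefiCa2023 False, 1801 events but no 1808, and the 2011 CAs listed under ExpiringWithin180d once their expiry falls inside the window. That combination is the "waiting for the firmware stage" state the article describes, not a fault.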
BIOS Updates and Security Precautions
Users are not generally required to update their BIOS right away. Microsoft does not push firmware (BIOS/UEFI image) updates; those come from the device manufacturer. The certificate refresh writes the new certificates into the firmware's Secure Boot databases through Windows Update rather than replacing the firmware itself. A BIOS update should only be considered if the manufacturer explicitly instructs it or if the update's release notes specifically mention Secure Boot certificate changes.
Users are advised not to attempt manual fixes such as clearing the Secure Boot keys or putting the firmware into Setup Mode. Done incorrectly, these steps can leave the system without Secure Boot enforcement, or unable to boot, rather than fixing the certificate state.
Consequences of Non-Compliance
If the Secure Boot certificates are not updated, Windows can no longer keep the system's boot-time security features and databases current, which can leave it exposed to vulnerabilities. UEFI firmware does not generally enforce certificate expiry, so an expired certificate does not by itself stop signed code from loading or executing; it is the other software layers installed on the system that decide how to respond to code they cannot verify. The response can range from a notice in Event Viewer to interference with software that depends on the boot state, such as Windows' BitLocker disk encryption. The exact impact depends on the installed software and enabled Windows features. Enterprise-managed laptops, which often carry several security layers, may respond more restrictively than personal systems.
If Secure Boot is disabled, this deprecation will not affect how the system boots, but such a system also forgoes the protection Secure Boot provides, and the certificates will still need to be brought up to date if it is re-enabled later.