Secure Boot Certificate Expiration Threatens Windows Security Posture

Severity: High (Score: 72.0)

Sources: www.stmicro.net, support.microsoft.com, www.dell.com, Notebookcheck

Published: 2026-06-04 · Updated: 2026-06-04

Keywords: boot, june, secure, security, patch, tuesday, microsoft

Severity indicators: ot

Summary

Microsoft's Secure Boot certificates from 2011 are set to expire between June 24-27, 2026, affecting devices that haven't received the 2023 replacement certificates. While devices will continue to boot, they will lose the ability to receive future boot-level security updates, leaving them vulnerable to threats like the BlackLotus bootkit. The June 9 Patch Tuesday is the last chance for organizations to update their systems before the expiration. IT teams are advised to check certificate status using PowerShell commands to ensure compliance. Delays in updating could lead to significant security gaps, especially for enterprise environments. The expiration affects Windows 11 and Windows Server systems, particularly those that did not receive the 2023 certificates during the rollout. The situation is compounded by the recent discovery of CVE-2026-41089, which is actively exploited.

Key Points:

  • Secure Boot certificates from 2011 expire between June 24-27, 2026, risking security.
  • Devices without updated certificates will lose future boot-level security protections.
  • June 9 Patch Tuesday is the last chance for updates before the expiration deadline.

Detailed Analysis

**Impact**

Windows devices using Secure Boot certificates issued in 2011 will lose the ability to receive boot-level security updates starting June 24, 2026. This affects most Windows Server environments, which require manual updates, and Windows 10 devices, which have been unsupported since October 2025. Organizations with 30-150 employees are likely to have unpatched machines, increasing exposure to boot-level threats. The operational consequence is a permanent security gap at the firmware level, risking compromise of boot integrity and of sensitive data protected by BitLocker and other security features.

**Technical Details**

The expiring certificates govern Secure Boot verification of pre-OS software, including the Windows Boot Manager and the Secure Boot revocation lists. The BlackLotus UEFI bootkit exemplifies threats that bypass Secure Boot, disabling BitLocker, Windows Defender, and Hypervisor-Protected Code Integrity before the OS loads. CVE-2026-41089 (a Netlogon flaw) is actively exploited and was patched in the May 2026 updates. Devices that fail to update their certificates lose the ability to receive fixes for boot-chain vulnerabilities, increasing exposure at the boot stage of the kill chain. No specific IOCs were provided.

**Recommended Response**

Apply the June 9, 2026 Patch Tuesday updates immediately to complete the Secure Boot certificate transition before June 24. IT administrators should verify certificate update status using the PowerShell command `Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" -Name UEFICA2023Status` and remediate any failures manually. Windows Server environments require phased, tested deployments because of the manual update requirements and known BitLocker recovery issues. Unsupported Windows 10 devices should be replaced or isolated, as they will not receive updates. Monitor for boot-level anomalies and ensure BitLocker Group Policy configurations are stable.
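A per-host check that follows the response guidance above, added here as an example (it is not code from Microsoft or from any of the source articles). It assumes the documented UEFICA2023Status values NotStarted, InProgress and Updated, the companion UEFICA2023Error value, and the 'Windows UEFI CA 2023' entry name in the Secure Boot DB; it must run from an elevated PowerShell prompt on a UEFI system.

```powershell
#Requires -RunAsAdministrator
# Added example: report where this host stands in the Secure Boot certificate transition.
# Assumptions (not from the page): UEFICA2023Status is one of NotStarted/InProgress/Updated,
# UEFICA2023Error holds a failure code, and the 2023 CA appears in the DB as 'Windows UEFI CA 2023'.

function Get-SecureBootTransitionStatus {
    $report = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        SecureBootOn     = $false
        UEFICA2023Status = 'Unknown'
        UEFICA2023Error  = $null
        DbHas2023CA      = $null
        Action           = ''
    }

    # 1. Secure Boot state from firmware; the cmdlet throws on legacy BIOS systems.
    try { $report.SecureBootOn = [bool](Confirm-SecureBootUEFI) } catch { $report.SecureBootOn = $false }

    # 2. Servicing status that Windows Update writes (the key cited in the recommended response).
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        if ($props.UEFICA2023Status) { $report.UEFICA2023Status = $props.UEFICA2023Status }
        $report.UEFICA2023Error = $props.UEFICA2023Error
    }

    # 3. Ground truth: is the 2023 CA actually present in the firmware's Secure Boot DB?
    if ($report.SecureBootOn) {
        $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
        $report.DbHas2023CA = [System.Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023'
    }

    # 4. Turn the three signals into one triage verdict for the inventory.
    if (-not $report.SecureBootOn) {
        $report.Action = 'Secure Boot is off: certificate DB not checked; review firmware settings'
    } elseif ($report.DbHas2023CA -and $report.UEFICA2023Status -eq 'Updated') {
        $report.Action = 'OK: 2023 CA present and servicing reports Updated'
    } elseif ($report.UEFICA2023Status -eq 'InProgress') {
        $report.Action = 'PENDING: reboot, let servicing finish, then re-check'
    } elseif ($report.UEFICA2023Error) {
        $report.Action = "REMEDIATE: servicing error $($report.UEFICA2023Error); apply manual steps before 2026-06-24"
    } else {
        $report.Action = 'REMEDIATE: apply the June 9 updates before 2026-06-24'
    }
    [pscustomobject]$report
}

Get-SecureBootTransitionStatus | Format-List
```

Run it through Invoke-Command across a server fleet and export the objects to CSV to get the inventory of hosts still needing a phased, tested deployment.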

Source articles (5)

  • June 9 Patch Tuesday incoming as Secure Boot deadline looms — Notebookcheck · 2026-06-04
    Microsoft's June 9 Patch Tuesday is a few days away, and it carries more weight than any routine monthly update. It is the final structured deployment window before the 2011-era Secure Boot certificat…
  • Security analysts — www.stmicro.net · 2026-06-04
    Microsoft's Secure Boot certificates expire on June 24, 2026. Most businesses have no idea this is coming. Three certificates that have governed Windows boot security since 2011 are reaching the end o…
  • Secure Boot revocation — support.microsoft.com · 2026-06-04
  • Microsoft Support/Secure Boot — support.microsoft.com · 2026-06-04
  • Windows Update Kb5025885 Prevents Reinstallation Of Microsoft Windows — www.dell.com · 2026-06-04

Timeline

  • 2026-05-12 — CVE-2026-41089 published: A vulnerability in Netlogon was published, flagged as actively exploited by the Centre for Cybersecurity.
  • 2026-06-01 — First public PoC for CVE-2026-41089: Proof of concept for the Netlogon vulnerability was released, increasing urgency for patching.
  • 2026-06-04 — Security analysts warn of Secure Boot risks: Analysts highlight the expiration of Secure Boot certificates and the need for immediate updates before June 24.
  • 2026-06-09 — June Patch Tuesday scheduled: The June 9 Patch Tuesday is crucial for organizations to update their systems before certificate expiration.
  • 2026-06-24 — Secure Boot certificates expire: The first of the 2011 Secure Boot certificates will expire, impacting unpatched devices' security.

CVEs

  • CVE-2026-41089

Related entities

  • Malware (Attack Type)
  • BlackLotus (Malware)
  • T1059.001 - PowerShell (Mitre Attack)
  • Windows (Platform)
  • Netlogon (Platform)
  • PowerShell (Tool)