The 2026 Secure Boot Deadline Is Here—Why Your DIY PC Might Fail the Handover

It is the largest coordinated security refresh in Windows history, and most users will never see it coming.

This June, the original Secure Boot certificates—trusted anchors that have guarded the boot chain since Windows 8 first shipped in 2011—finally retire. Microsoft and every major PC maker have spent the last two years preparing for this moment. New devices shipped since 2024 already carry the “Microsoft Corporation UEFI CA 2023” keys. Managed enterprise fleets have been patched through Windows Update and vendor firmware tools.

But if you built your own gaming rig, bought a motherboard from a third-party etailer, or are stubbornly riding Windows 10 past its 2025 end-of-support date, the expiration in late June 2026 presents a problem that Windows Update cannot fully solve on its own.

According to Microsoft’s official Secure Boot Playbook, the transition requires two separate payloads: a Windows servicing stack update that delivers the new certificates, and—crucially—a firmware trust store that recognizes them. On most consumer pre-builts, the firmware half is handled by OEMs via UEFI capsule updates delivered through Windows. On DIY systems, the handshake often stops at the BIOS screen.

The DIY and Gaming Motherboard Problem: “Install Default Keys”

Asus is one of the few consumer-facing vendors that has published a highly procedural, step-by-step guide for this transition. In its Secure Boot FAQ, Asus describes navigating through UEFI Secure Boot key management and verifying that the Key Exchange Key (KEK) list includes “Microsoft Corporation KEK 2K CA 2023,” and that the database (db) includes “Windows UEFI CA 2023.” It also documents remediation steps such as “Install Default Secure Boot Keys” or “Restore Factory Keys” after updating the BIOS—a process that effectively repopulates the key databases from the firmware’s default store.

This is the gap that tends to hit DIY systems hardest. You can run Windows Update, you can install the KB5036210 servicing stack, and you can even see the certificates in the Microsoft update logs. But if your motherboard firmware is still pointing at the 2011 keyring, the boot chain does not trust the 2023 signatures. Windows will eventually boot—for now—but your machine enters what Microsoft terms a “degraded security state”: it cannot benefit from future bootkit mitigations that depend on the 2023 anchors being trusted and the 2011 keys being distrusted.

Other vendors are slowly populating their knowledge bases with similar language. Lenovo’s guidance advises commercial users to check that BIOS updates applied after May 2024 contain the new db/dbx entries. HP’s documentation lists specific models where the firmware update is mandatory rather than optional. Dell’s FAQ explicitly warns that “systems may not reflect the updated certificates until both the BIOS and Windows OS updates are installed.”

Yet for the enthusiast market, the instruction is rarely pushed through automated firmware pipelines. It remains a manual BIOS deep-dive.

How to Check Readiness Using Microsoft’s Official Signals

For IT-managed fleets—and for hobbyists willing to dig into Event Viewer—Microsoft’s Secure Boot playbook outlines concrete indicators you can monitor right now.

Microsoft says a successful deployment can be confirmed by auditing Windows System Event Log entries for Event ID 1808, which signals that the System Guard Secure Launch firmware has successfully updated its certificates. Failures to apply updated certificates are associated with Event ID 1801. The same playbook also references the UEFICA2023Status registry key, which should ultimately read “Updated,” and notes that a UEFICA2023Error key should not exist unless an error is pending.

The playbook also explicitly recommends applying OEM firmware updates before Secure Boot-related Windows updates if your organization has identified issues or your OEM recommends a BIOS update. This reinforces the overall theme: the Windows side is only half the story.

Microsoft KB5036210, which deployed the initial Secure Boot db update, remains a useful reference for administrators deploying the payload via WSUS or manual installers.

The Windows 10 “Zombie” Edge Case Is Still Real

Finally, the certificate refresh is another pressure point for Windows 10 holdouts. Microsoft’s own support documentation states Windows 10 support ended on October 14, 2025, and Microsoft positions Windows 10 Extended Security Updates (ESU) as the paid path for continuing to receive security updates after that date.

Microsoft’s Secure Boot guidance also reiterates that devices on unsupported Windows versions do not receive Windows updates, which is why the Secure Boot handover is effectively tied to staying on a supported servicing path (or ESU for Windows 10, where applicable).

What does this mean practically? If you are running Windows 10 without an ESU license, the servicing stack that installs the 2023 certificates will never arrive. Your machine will continue to boot using the expired 2011 certificates. As Windows Central reported, Microsoft warns that “outdated Secure Boot certificates may lead to certain software, drivers, and newer Windows operating systems to fail to load.” This won’t happen immediately on June 30, 2026—but over the following months, driver signing policies and anti-cheat software that require the fresh anchors will begin rejecting the old trust chain.

What You Should Do Now

If you are building a new PC or buying a motherboard today, check the manufacturing date. Stock manufactured in late 2024 or later generally ships with the 2023 certificates baked in. If you are using an older board, update your BIOS to the latest version released after mid-2024, then enter UEFI settings, disable Secure Boot, re-enable it, and select “Restore Factory Keys” or “Install Default Secure Boot Keys.” Reboot into Windows and confirm the presence of the 2023 entries using PowerShell (Confirm-SecureBootUEFI) or the registry paths mentioned above.
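The checks described in the sections above (the db and KEK entries from the Asus FAQ, the UEFICA2023Status and UEFICA2023Error values and System-log events 1801/1808 from Microsoft's playbook, and the final PowerShell confirmation step) can be combined into one readiness report. The script below is an added example, not code from the article, Asus or Microsoft; it assumes the registry path shown (taken from Microsoft's servicing documentation, not from the article), and it reads the db/KEK contents with Get-SecureBootUEFI because Confirm-SecureBootUEFI only reports whether Secure Boot is enabled.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's or Microsoft's code): report Secure Boot
# 2023-certificate readiness on the local machine. Run from elevated PowerShell.

function Get-SecureBoot2023Readiness {
    # Confirm-SecureBootUEFI throws on machines without UEFI Secure Boot support.
    $enabled = $false
    try { $enabled = [bool](Confirm-SecureBootUEFI) } catch { }

    # db and KEK are UEFI variables holding DER certificates; the subject CNs are stored
    # as ASCII PrintableStrings, so a plain text match on the CA name finds the entries.
    $db = ''; $kek = ''
    try {
        $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    } catch { }

    # Assumed path (from Microsoft servicing docs); the article names only the value names.
    $svcPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $svc     = Get-ItemProperty -Path $svcPath -ErrorAction SilentlyContinue

    # Event IDs as the article describes them: 1808 = certificates updated, 1801 = failure.
    $filter = @{ LogName = 'System'; Id = 1801, 1808 }
    $events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue)

    $firmwareHas2023 = ($db -match 'Windows UEFI CA 2023') -and
                       ($kek -match 'Microsoft Corporation KEK 2K CA 2023')
    $windowsDone     = ($svc.UEFICA2023Status -eq 'Updated') -and ($null -eq $svc.UEFICA2023Error)

    # The DIY "degraded" case is Windows reporting success while firmware lacks the 2023 anchors.
    if (-not $enabled)                       { $verdict = 'SecureBootOff' }
    elseif ($firmwareHas2023 -and $windowsDone) { $verdict = 'Ready' }
    elseif ($windowsDone)                    { $verdict = 'Degraded-InstallDefaultKeysInBIOS' }
    else                                     { $verdict = 'Pending' }

    [pscustomobject]@{
        SecureBootEnabled    = $enabled
        Db_WindowsUEFICA2023 = $db  -match 'Windows UEFI CA 2023'
        Db_Legacy2011PCA     = $db  -match 'Microsoft Windows Production PCA 2011'
        Kek_KEK2KCA2023      = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        UEFICA2023Status     = $svc.UEFICA2023Status
        UEFICA2023Error      = $svc.UEFICA2023Error
        LastEvent1808        = ($events | Where-Object Id -eq 1808 | Select-Object -First 1).TimeCreated
        LastEvent1801        = ($events | Where-Object Id -eq 1801 | Select-Object -First 1).TimeCreated
        Verdict              = $verdict
    }
}

Get-SecureBoot2023Readiness | Format-List
```

A verdict of Degraded-InstallDefaultKeysInBIOS is the motherboard situation the article describes: repeat the BIOS update and "Install Default Secure Boot Keys" step, then re-run the report.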

If you are still on Windows 10 and intend to stay there, the only route to the new certificates is purchasing an ESU license or finally accepting the Windows 11 upgrade path.

This is not a panic—nothing is breaking overnight. But as Microsoft has stated, this is “one of the largest coordinated security maintenance efforts across the Windows ecosystem.” For the first time in fifteen years, the foundation of Windows boot security is turning over. And on a DIY PC, nobody turns it over but you.
