Back in February, we began discussing the implications of Secure Boot, and at the time, it seemed far less complex than what Microsoft has now laid out. The conversation revolved around certificates expiring in June 2026, the potential need for a BIOS update, and the necessity of keeping Windows up-to-date for Secure Boot. This fundamental information remains accurate, but now Microsoft (and ASUS) have provided more concrete details, including specific dates, visible system statuses, and real-world scenarios that were previously unclear regarding Secure Boot.
Calling this an elaboration on what was said then would be an understatement: Microsoft has introduced three changes and two clarifications that you need to understand if you are affected, and that show where things are heading.
Microsoft Defines Windows’ New Secure Boot and Its Certificates
The first notable update compared to February concerns the timeline and the precise separation of certificates, as Microsoft is not treating this as a single deadline. The Microsoft Corporation KEK CA 2011 expires in June 2026 and will be replaced by Microsoft Corporation KEK 2K CA 2023.
Meanwhile, the Microsoft Windows Production PCA 2011 expires in October 2026 and will be succeeded by Windows UEFI CA 2023. The focus is no longer just on saying “certificates are expiring,” but rather on identifying which specific element is expiring, when, and which new credential will take its place within the renowned Secure Boot process, a welcome detail for system administrators.
The second new development is that Microsoft has begun displaying this information within Windows Security. Phase 1 commenced on April 8, 2026, for various versions of Windows 11 and Windows Server 2025, and on April 14, 2026, for Windows 10 and certain Windows Server editions. This stage will feature green and yellow indicators. In contrast, Phase 2 will arrive on May 16, 2026, for parts of Windows 11 and on May 13, 2026, for Windows 10 and several Windows Server versions, introducing notifications and red status indicators for the most critical situations. In essence, this issue is no longer hidden in technical documents; it is becoming visible within the system’s own interface, allowing anyone to identify its status.
ASUS Has Officially Spoken to Assist Users
The third piece of news somewhat reduces the alarm initially associated with the BIOS. ASUS explains that if Windows Update is enabled and Secure Boot is active, compatible systems will automatically download and install the new certificates and the new Boot Manager. Furthermore, ASUS indicates that the phased rollout began in 2024 and is expected to be completed before June 2026. In other words, there is no universal need to manually update the BIOS on all PCs and laptops, although some systems may require an additional firmware update.
Adding to this are the two important clarifications mentioned earlier, which provide further perspective on the situation. The first is that if a system does not receive the new certificates in time, it will continue to boot normally and will still be able to install regular Windows updates.
However, it will stop receiving new protections for the early boot phase: Boot Manager updates, Secure Boot database and revocation-list updates, new certificates, and mitigations against low-level vulnerabilities. The second point is more delicate: ASUS already documents that if Windows has switched to a Boot Manager signed with the 2023 certificate and the firmware is then reset to factory defaults that do not include the Windows UEFI CA 2023, Secure Boot may prevent the system from booting.
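The certificate split described above (KEK CA 2011 giving way to KEK 2K CA 2023, Production PCA 2011 giving way to Windows UEFI CA 2023) and the factory-reset scenario ASUS documents can both be checked from an elevated PowerShell session. The script below is an added example written for this article; it is not code from Microsoft, ASUS, or the original page. It assumes a UEFI system with the built-in SecureBoot module, relies on the fact that the subject names inside the DER-encoded certificates are stored as plain ASCII within the UEFI variables, and reads the staged Boot Manager at `C:\Windows\Boot\EFI\bootmgfw.efi` rather than the copy on the EFI System Partition. The registry value names under the `SecureBoot\Servicing` key are taken from Microsoft's Secure Boot servicing guidance and are treated as optional; verify them against current documentation.

```powershell
# Added example (not from the article, Microsoft or ASUS): inventory the Secure Boot
# certificates the article names and report the state that matters for the 2026
# expiries. Run in an elevated PowerShell on a UEFI system.
#Requires -RunAsAdministrator

# Certificate subjects named in the article, grouped by the UEFI variable they live in.
$Expected = [ordered]@{
    KEK = @('Microsoft Corporation KEK CA 2011', 'Microsoft Corporation KEK 2K CA 2023')
    db  = @('Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023')
}

function Get-SecureBootCertInventory {
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is not enabled; the certificate rollover only matters once it is.'
    }
    foreach ($var in $Expected.Keys) {
        # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST bytes. The DER-encoded
        # certificates inside carry their subject names as ASCII, so a substring match
        # is enough to tell which CAs are present (the same approach Microsoft uses).
        $raw = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $var).Bytes)
        foreach ($subject in $Expected[$var]) {
            [pscustomobject]@{
                Variable = $var
                Subject  = $subject
                Present  = $raw.Contains($subject)
            }
        }
    }
}

function Get-BootManagerIssuer {
    # Staged copy of the Windows Boot Manager; normally identical to the ESP copy,
    # but the ESP copy is the one the firmware actually verifies.
    $bootmgr = Join-Path $env:SystemRoot 'Boot\EFI\bootmgfw.efi'
    return (Get-AuthenticodeSignature -FilePath $bootmgr).SignerCertificate.Issuer
}

$inventory = Get-SecureBootCertInventory
$inventory | Format-Table -AutoSize

$kek2023 = ($inventory | Where-Object { $_.Variable -eq 'KEK' -and $_.Subject -like '*KEK 2K CA 2023' }).Present
$db2023  = ($inventory | Where-Object { $_.Variable -eq 'db'  -and $_.Subject -eq 'Windows UEFI CA 2023' }).Present
$issuer  = Get-BootManagerIssuer
Write-Host "Boot Manager issuer: $issuer"

if (-not $kek2023) { Write-Warning 'KEK 2K CA 2023 missing: KEK CA 2011 expires June 2026.' }
if (-not $db2023)  { Write-Warning 'Windows UEFI CA 2023 missing from db: Production PCA 2011 expires October 2026.' }

# The scenario ASUS documents: a 2023-signed Boot Manager plus firmware defaults that
# lack Windows UEFI CA 2023 would leave the system unbootable after a factory reset.
if ($issuer -like '*Windows UEFI CA 2023*') {
    Write-Host 'Boot Manager is signed by Windows UEFI CA 2023.'
    Write-Host 'Before any firmware factory reset, confirm the defaults keep Windows UEFI CA 2023 in db.'
}

# Windows' own view of the rollover (value names per Microsoft's servicing guidance;
# the key is absent on systems that have not yet received the servicing updates).
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
if (Test-Path $svc) {
    Get-ItemProperty -Path $svc | Select-Object UEFICA2023Status, WindowsUEFICA2023Capable
}
```

Run it once before and once after the Windows Update rollout finishes on a machine; the first table shows which of the four CAs the firmware currently trusts, and the final warning block tells you whether a BIOS "load defaults" is safe on that particular system.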
This is the real difference compared to what we saw in February: we are no longer talking about a general warning but a much more defined picture of what expires, when it happens, and what the consequences might be afterward.
