Background and Microsoft Official Announcement on Secure Boot Certificate Expiration in 2026

Microsoft has officially announced that several Secure Boot certificates issued in 2011 will begin expiring in June 2026. Secure Boot, part of the UEFI specification, ensures that a PC boots only software trusted by the PC manufacturer (OEM): when the PC starts, the firmware checks the signature of each boot component (firmware drivers, Option ROMs, the OS boot loader) against the certificates and hashes held in its signature databases. A component with a valid signature is allowed to run; one without is blocked.

📑Table of Contents
  1. Background and Microsoft Official Announcement on Secure Boot Certificate Expiration in 2026
  2. Symptoms and Error Details Observed on 8th-Gen PCs
  3. Why Automatic Updates Fail and Characteristics of Affected Hardware
  4. Impact Range and Future Risks According to Official Microsoft Documentation
  5. Specific Steps and Results of Attempted Manual Certificate Update
  6. Recommended Actions and Precautions for Users of 8th-Gen and Older PCs
  7. Summary and Future Outlook for Windows Boot Security

Windows 8, 8.1, 10, and 11 all support this mechanism, and Windows 11's minimum requirements call for a UEFI system that is Secure Boot capable. According to Microsoft Learn documentation, Secure Boot is also a requirement for hardware certification under the Windows Hardware Compatibility Program.

Certificate updates are normally delivered automatically via Windows Update, but this is not guaranteed for every device. Older PCs manufactured before 2024 may require OEM firmware updates or manual intervention in some cases.

Source: Microsoft Learn (https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/secure-boot) (as of June 2026)


Symptoms and Error Details Observed on 8th-Gen PCs

On some PCs with 8th-generation Intel processors, the automatic Secure Boot certificate update has not applied, and in a subset of those reports the machine afterwards failed to boot, halting before the OS loaded with a firmware message such as “Secure Boot verification failed”.

The certificates in question are the 2011-issued ones (Microsoft Corporation KEK CA 2011, Microsoft Windows Production PCA 2011, Microsoft UEFI CA 2011), which expire between June and October 2026. Expiry alone does not stop a PC from booting: UEFI firmware has no trusted clock and does not enforce certificate validity periods, so a Boot Manager signed under the 2011 chain keeps verifying. A halt like the one above occurs when the Boot Manager on disk is signed by a certificate the firmware's DB does not hold, for instance a Boot Manager signed by Windows UEFI CA 2023 that was installed before the DB update landed, or when the firmware mishandles the DB/KEK variable write itself. This is why the DB update must land in the firmware before the new Boot Manager is used, and why devices that cannot take the update are left on the old chain rather than moved forward.

Many 8th-gen PCs, released around 2017-2018, have relatively older UEFI firmware, leading to lower automatic update success rates. In practice, the Windows Security app may display a warning: “device does not support automated secure boot certificate update due to hardware or firmware limitations.”


Why Automatic Updates Fail and Characteristics of Affected Hardware

The primary reason automatic updates fail is hardware or firmware compatibility limitations. Microsoft Support documentation states that 2023-updated certificates (Microsoft Corporation KEK 2K CA 2023, Windows UEFI CA 2023, etc.) are delivered automatically to high-confidence devices, but success is not universal.

Hardware characteristics that increase the likelihood of issues:
– PCs manufactured before 2024 or using pre-2024 platforms
– 8th-generation Intel Core processors (Coffee Lake) with early UEFI Secure Boot implementations
– Systems with custom BIOS or third-party bootloaders
– BitLocker-enabled configurations whose TPM protector is bound to Secure Boot state

In these scenarios, automatic delivery is skipped and OEM firmware updates or manual steps become necessary.

Source: Microsoft Support (https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e) (as of June 2026)


Impact Range and Future Risks According to Official Microsoft Documentation

The impact is not immediate boot failure. Devices continue to boot and receive standard Windows updates. However, they no longer receive new Secure Boot / Boot Manager security updates, revocation list updates, or mitigations for new boot-level vulnerabilities.

Future risks after the June 24, 2026 (KEK CA 2011), June 27, 2026 (UEFI CA 2011), and October 19, 2026 (Windows Production PCA 2011) deadlines include gradual loss of early-boot security protections. Systems relying on third-party bootloaders or Option ROMs are particularly affected.

Expiring certificate | Expiration date | New certificate | Store | Purpose
Microsoft Corporation KEK CA 2011 | June 24, 2026 | Microsoft Corporation KEK 2K CA 2023 | KEK | Signs updates to DB and DBX
Microsoft Windows Production PCA 2011 | October 19, 2026 | Windows UEFI CA 2023 | DB | Signs the Windows boot loader
Microsoft UEFI CA 2011* | June 27, 2026 | Microsoft UEFI CA 2023 | DB | Signs third-party boot loaders / EFI applications
Microsoft UEFI CA 2011* | June 27, 2026 | Microsoft Option ROM UEFI CA 2023 | DB | Signs third-party option ROMs

*Note: Renewal splits boot loader signing from option ROM signing for finer control.

Source: Microsoft Support (https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e) (as of June 2026)


Specific Steps and Results of Attempted Manual Certificate Update

Microsoft provides no GUI tool for pushing certificates into the firmware by hand. What it does provide is the servicing mechanism Windows itself uses: a registry opt-in value (AvailableUpdates under HKLM\SYSTEM\CurrentControlSet\Control\Secureboot) that the Secure-Boot-Update scheduled task acts on, documented in KB5025885 and the enterprise deployment guidance for IT-managed fleets, together with the Get-SecureBootUEFI and Confirm-SecureBootUEFI cmdlets for checking the result. For home users the primary path remains an OEM-supplied BIOS/UEFI firmware update followed by Windows Update.

High-level steps:
  1. Check current Secure Boot status in Windows Security > Device security
  2. Download the latest BIOS/UEFI from the OEM support site for the specific PC model
  3. Temporarily disable Secure Boot in BIOS setup if the OEM's update utility requires it
  4. Run the firmware update utility
  5. Re-enable Secure Boot and verify that the certificates were applied via Windows Update

In reported 8th-gen PC cases, automatic certificate delivery sometimes still failed after the OEM firmware update, and the DB/KEK update had to be requested by hand through Windows' registry opt-in and the Secure-Boot-Update scheduled task. Microsoft's documentation of that path is written for administrators rather than end users, and for fleets the recommended approach is to drive it through management tools.
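The following PowerShell script is an added example for this article, not code from the article's author or from Microsoft. It carries out the checks behind the steps above in one pass: it parses the firmware's db and KEK variables (EFI_SIGNATURE_LIST structures) and lists every certificate with its expiry, reports which 2023 CAs are still missing, reads the issuer of the Boot Manager on the EFI System Partition (so you can see whether a 2023-signed Boot Manager is about to meet a db that cannot verify it), shows the servicing status value and BitLocker state, and only with -OptIn writes the registry opt-in and starts the scheduled task. Assumptions: the SecureBoot and BitLocker PowerShell modules of Windows 10/11, a free drive letter for mounting the ESP, the UEFICA2023Status value as named in the Microsoft support article linked above, and the AvailableUpdates bit values as published in KB5025885 and the enterprise guidance, which you should confirm against the current documents before use.

```powershell
#Requires -RunAsAdministrator
# Added example for this article, not code from the article's author or from Microsoft.
# Reports the Secure Boot trust-store contents, the signer of the on-disk Boot Manager,
# the servicing status Windows records and BitLocker state; with -OptIn it requests the
# DB/KEK update through the registry opt-in and scheduled task Windows' own servicing uses.
param([switch]$OptIn)

$ErrorActionPreference = 'Stop'
$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID from the UEFI spec

# 2023 CAs each store should hold once the update has landed (names as in Microsoft's table).
$Expected = @{
    db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
}

# Bits of the AvailableUpdates value. Assumption: taken from Microsoft's KB5025885 and the
# enterprise guidance for the 2023 CA rollout as published; confirm against the current text.
$DbUpdateBit  = 0x40     # add Windows UEFI CA 2023 to db
$KekUpdateBit = 0x4000   # add Microsoft Corporation KEK 2K CA 2023 to KEK

# Walk a signature database (a sequence of EFI_SIGNATURE_LIST structures) and return the X.509
# certificates in it. Each list: 16-byte type GUID, UINT32 ListSize, UINT32 HeaderSize,
# UINT32 SignatureSize, optional header, then SignatureSize-byte entries whose first 16 bytes
# are the owner GUID and the remainder the DER certificate.
function Get-EfiSignatureListCerts {
    param([byte[]]$Bytes)
    $offset = 0
    while (($offset + 28) -le $Bytes.Length) {
        $type       = [Guid]::new([byte[]]($Bytes[$offset..($offset + 15)]))
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $Bytes.Length) { break }   # malformed: stop
        if ($type -eq $X509Guid -and $sigSize -gt 16) {
            $pos = $offset + 28 + $headerSize
            while (($pos + $sigSize) -le ($offset + $listSize)) {
                $der = [byte[]]($Bytes[($pos + 16)..($pos + $sigSize - 1)])
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

# Issuer of the certificate that signed bootmgfw.efi on the EFI System Partition. A Boot Manager
# already issued under "Windows UEFI CA 2023" on a db that lacks that CA will not verify at the
# next boot, so the db update must land first.
function Get-BootManagerIssuer {
    $letter = [char[]](68..90) | Where-Object { -not (Test-Path "$($_):\") } | Select-Object -First 1
    mountvol "${letter}:" /S | Out-Null
    try     { (Get-AuthenticodeSignature "${letter}:\EFI\Microsoft\Boot\bootmgfw.efi").SignerCertificate.Issuer }
    finally { mountvol "${letter}:" /D | Out-Null }
}

function Test-SecureBootReadiness {
    $r = [ordered]@{}
    try   { $r.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $r.SecureBootEnabled = 'unsupported (legacy BIOS/CSM boot)' }
    foreach ($store in 'db', 'KEK') {
        $certs = @(Get-EfiSignatureListCerts -Bytes (Get-SecureBootUEFI -Name $store).Bytes)
        $r["${store}Certificates"] = $certs | ForEach-Object {
            '{0} (expires {1:yyyy-MM-dd})' -f $_.GetNameInfo('SimpleName', $false), $_.NotAfter }
        $r["${store}Missing2023CAs"] = @($Expected[$store] | Where-Object {
            $name = $_; -not ($certs | Where-Object { $_.Subject -like "*CN=$name*" }) })
    }
    # Status value Windows writes as the update progresses (assumption: name per the Microsoft
    # support article; absent on builds that do not carry the servicing code).
    $svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
    $r.UEFICA2023Status = if ($svc.UEFICA2023Status) { $svc.UEFICA2023Status } else { 'not reported' }
    try   { $r.BitLockerOnSystemDrive = (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus }
    catch { $r.BitLockerOnSystemDrive = 'BitLocker module unavailable' }
    try   { $r.BootManagerIssuer = Get-BootManagerIssuer }
    catch { $r.BootManagerIssuer = "unreadable: $_" }
    [pscustomobject]$r
}

$state = Test-SecureBootReadiness
$state | Format-List
if ($state.BootManagerIssuer -match 'Windows UEFI CA 2023' -and $state.dbMissing2023CAs -contains 'Windows UEFI CA 2023') {
    Write-Warning 'Boot Manager is 2023-signed but db lacks the 2023 CA: do not reboot until db is updated.'
}
if ($OptIn) {
    if ($state.BitLockerOnSystemDrive -eq 'On') { Write-Warning 'Back up the BitLocker recovery key before continuing.' }
    $bits = 0
    if ($state.dbMissing2023CAs  -contains 'Windows UEFI CA 2023')                 { $bits = $bits -bor $DbUpdateBit }
    if ($state.KEKMissing2023CAs -contains 'Microsoft Corporation KEK 2K CA 2023') { $bits = $bits -bor $KekUpdateBit }
    if ($bits -eq 0) { Write-Host 'Nothing to request: the 2023 CAs this script checks are already present.'; return }
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot' -Name AvailableUpdates -Value $bits -Type DWord
    Start-ScheduledTask -TaskName '\Microsoft\Windows\PI\Secure-Boot-Update'
    Write-Host ('Requested AvailableUpdates=0x{0:X}; reboot, then rerun this script to confirm.' -f $bits)
}
```

Run it once without -OptIn from an elevated PowerShell and read the report before doing anything else. The reason it parses the EFI_SIGNATURE_LIST structures instead of grepping the raw variable bytes for a CA name is that the expiry dates and the full subject are what tell you which chain the device is actually on, and a string match cannot distinguish a certificate from a stray mention of its name in a header. The KEK update is signed by the OEM's Platform Key, so on a model whose OEM never delivered that signed payload to Microsoft the 0x4000 request will simply never complete; that is the case in which only an OEM firmware update helps.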


Recommended Actions and Precautions for Users of 8th-Gen and Older PCs

Users of 8th-gen and older PCs should first check the Windows Security app for any “Secure Boot certificate update” warnings. If a warning appears, prioritize applying OEM BIOS updates.

Precautions:
– Manual updates are performed at your own risk; an incorrect DB or KEK write can leave the system unbootable.
– Back up the BitLocker recovery key before any firmware change, and suspend BitLocker for the reboot the update performs so a changed PCR 7 measurement does not lock you out.
– If a third-party boot loader (e.g. a Linux shim) is installed, confirm it still verifies after the update.
– After October 2026 the device still boots and receives normal Windows updates, but boot-level security protections gradually diminish.
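The BitLocker precaution in particular is easy to get half right (backing up a key that was never actually written, or suspending protection for fewer reboots than the flasher uses), so here is the sequence as an added PowerShell example, not code from the article's author or from Microsoft. It assumes the BitLocker module shipped with Windows 10/11 Pro or Enterprise, a TPM-bound system volume, and a backup path that you choose and then move off the machine.

```powershell
#Requires -RunAsAdministrator
# Added example for this article, not from the author or Microsoft. Before flashing firmware
# or toggling Secure Boot: record every recovery password for the OS volume, verify the file,
# then suspend BitLocker for one reboot so the changed PCR 7 measurement cannot lock you out.
param([string]$BackupPath = "$env:USERPROFILE\Desktop\BitLocker-RecoveryKeys.txt")

$ErrorActionPreference = 'Stop'
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

if ($vol.ProtectionStatus -ne 'On') {
    Write-Host "BitLocker is not protecting $env:SystemDrive; nothing to suspend."
    return
}

$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    # TPM-only volume with no numerical recovery password. Add one now; otherwise a PCR 7
    # change after the firmware update leaves no way at all to unlock the volume.
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Write the 48-digit passwords to a file that you then move OFF this machine (USB stick,
# password manager, printout); a backup that only lives on the encrypted disk is no backup.
$recovery | ForEach-Object { '{0}  ID {1}  {2}' -f $env:SystemDrive, $_.KeyProtectorId, $_.RecoveryPassword } |
    Set-Content -Path $BackupPath
Write-Host "Recovery password(s) written to $BackupPath"

# Refuse to continue unless the file really contains a password in the 8x6-digit format.
if (-not (Select-String -Path $BackupPath -Pattern '\d{6}(-\d{6}){7}' -Quiet)) {
    throw 'No recovery password found in the backup file; do not proceed with the firmware update.'
}

# Suspend protection for exactly one reboot: the volume stays encrypted, the key is no longer
# sealed to the TPM policy, and protection resumes by itself after the next boot.
Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 1 | Out-Null
Write-Host 'BitLocker suspended for one reboot; run the firmware update now.'
```

Firmware update utilities that restart more than once need a higher -RebootCount; -RebootCount 0 suspends until you run Resume-BitLocker yourself, which is safer than guessing but must not be forgotten. After the update, confirm with Get-BitLockerVolume that ProtectionStatus is back to On.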

Microsoft recommends keeping devices updated. Many PCs from 2024 onward already ship with the 2023 certificates pre-installed.


Summary and Future Outlook for Windows Boot Security

The 2026 Secure Boot certificate expirations are part of Microsoft’s ongoing effort to refresh the Windows security foundation. On older hardware such as 8th-gen PCs, automatic updates are more likely to fail, making OEM or manual remediation necessary in some cases.

Users should check their PC generation and BIOS version and plan firmware updates accordingly. Looking ahead, further enhancements to Measured Boot and Secure Boot are expected, underscoring the growing importance of boot security.

Sources: Based on Microsoft Learn and Microsoft Support official documentation.

FAQ

Q: How can I check if my PC is affected?

Open the Windows Security app, navigate to “Device security,” and look for the Secure Boot status and any certificate update warnings; Confirm-SecureBootUEFI in an elevated PowerShell gives the same on/off answer. Searching your PC model plus “Secure Boot certificate” on the OEM support site will also turn up model-specific firmware notes.

Q: Will Windows immediately stop booting if automatic updates fail?

No. UEFI firmware does not enforce certificate validity dates, so signatures made under the 2011 certificates keep verifying after they expire and the PC keeps booting. What stops is the flow of new Secure Boot security updates (DBX revocations, Boot Manager fixes), so risk increases over time rather than all at once.

Q: Is there an official Microsoft tool for manual certificate updates?

There is no GUI tool. The documented manual path is the registry opt-in (AvailableUpdates under HKLM\SYSTEM\CurrentControlSet\Control\Secureboot) processed by the Secure-Boot-Update scheduled task, as described in KB5025885 and Microsoft's enterprise guidance; it is aimed at administrators. For most users, OEM BIOS/UEFI firmware updates followed by Windows Update remain the primary remediation path, and organizations can drive the opt-in through their management tools.

Q: What about compatibility with Linux or third-party operating systems?

A Linux install with Secure Boot enabled boots through shim, which is signed by Microsoft UEFI CA 2011; since that CA stays in DB, adding the 2023 CAs does not by itself break it. Verification fails when a newer shim signed by Microsoft UEFI CA 2023 is installed on firmware that has not yet received that CA, so check the compatibility notes from the OEM and from the Linux distribution before updating either side.

Q: Can I continue using my PC after October 2026?

Yes. The device will continue to boot and receive standard Windows updates. However, boot-level security protections will gradually be restricted, so early action is recommended.

Q: Special precautions when BitLocker is enabled?

Always back up your BitLocker recovery key before performing firmware updates, and suspend BitLocker for the reboot the update performs. Changing Secure Boot settings, including the DB/KEK contents the certificate update writes, changes the PCR 7 measurement that BitLocker's TPM protector is bound to and can send the volume into recovery.

Author: krona23

Over 20 years in the IT industry, serving as Division Head and CTO at multiple companies running large-scale web services in Japan. Experienced across Windows, iOS, Android, and web development. Currently focused on AI-native transformation. At DevGENT, sharing practical guides on AI code editors, automation tools, and LLMs in three languages.
