{"id":109688,"date":"2026-03-29T23:30:19","date_gmt":"2026-03-30T02:30:19","guid":{"rendered":"https:\/\/mastertrend.info\/?p=109688"},"modified":"2026-03-29T23:30:19","modified_gmt":"2026-03-30T02:30:19","slug":"secure-boot-expiration","status":"publish","type":"post","link":"https:\/\/mastertrend.info\/en\/expiracion-secure-boot\/","title":{"rendered":"Secure Boot Expiration 2026 in Windows 11"},"content":{"rendered":"<h2>Secure Boot Expiration 2026: Risks and Support<\/h2>\n<p>In 2026, nothing \"visible\" to most users changes. The computer turns on, Windows loads, everything seems the same. But underneath, something important changes: the foundation upon which the system decides what to trust at startup.<\/p>\n<div>\n<p class=\"c-paragraph\">This isn't a typical update or just another patch. What's expiring are certificates that are part of the boot chain of trust. To put it more simply: the firmware will no longer rely on references that were previously valid.<\/p>\n<p class=\"c-paragraph\">That doesn't break the equipment, but it does change the verification level. And that kind of change is easy to overlook because it doesn't generate obvious errors.<\/p>\n<p class=\"c-paragraph\">Secure Boot acts before the operating system has a chance to intervene. It checks digital signatures using keys stored on the platform itself (PK, KEK, db, dbx). As long as these keys are up to date, the filter works. When they become outdated, the system still boots\u2026 but with less certainty.<\/p>\n<p class=\"c-paragraph\">The problem isn't immediate, but rather gradual. The system doesn't become insecure overnight, but it loses its ability to detect modifications to boot components. 
And that opens up a vulnerability that isn't typically monitored by traditional tools.<\/p>\n<h2 class=\"c-paragraph__title\">What actually changes with the expiration of certificates<\/h2>\n<p class=\"c-paragraph\">The certificates issued in 2011, such as <i>Microsoft Corporation KEK CA 2011<\/i> or <i>UEFI CA 2011<\/i>, have an expiration date. In this cycle, that limit falls between June and October 2026.<\/p>\n<p class=\"c-paragraph\">This doesn't mean the system stops working. What happens is more subtle: if those authorities aren't updated, the validation stops relying on a current chain.<\/p>\n<p class=\"c-paragraph\">Microsoft already considered this scenario with a new authority (<i>2023 Microsoft Windows PCA<\/i>), which is distributed via Windows Update on compatible computers. Under normal conditions, the process is automatic.<\/p>\n<p class=\"c-paragraph\">The differences begin with the equipment that is not within that \"normal flow\": unsupported systems, altered configurations, or firmware that does not easily accept new keys.<\/p>\n<p class=\"c-paragraph\">There's no clear warning there. 
The equipment is still working, but the validation is no longer equivalent to what it was before.<\/p>\n<h2 class=\"c-paragraph__title\">Not all computers are in the same situation<\/h2>\n<p class=\"c-paragraph\">At first glance it may seem like a general problem, but in reality it depends quite a lot on the context.<\/p>\n<p class=\"c-paragraph\">There are cases where it's worth looking at this more closely:<\/p>\n<ul class=\"c-paragraph\">\n<li>Equipment that is still in daily use but no longer receives <a title=\"\ud83c\udf1f Microsoft Surface Updates: Reasons not to miss this new version.\" href=\"https:\/\/mastertrend.info\/en\/microsoft-surface-updates\/\" target=\"_blank\" rel=\"noopener\" data-wpil-monitor-id=\"34589\">Microsoft updates<\/a>.<\/li>\n<li>Systems where Secure Boot is disabled due to previous decisions (compatibility, custom installations).<\/li>\n<li>Environments where Secure Boot is part of security control (companies, critical data).<\/li>\n<\/ul>\n<p class=\"c-paragraph\">And others where the urgency is considerably lower:<\/p>\n<ul class=\"c-paragraph\">\n<li>Old equipment that no longer performs critical functions.<\/li>\n<li>Isolated systems or systems with very limited use.<\/li>\n<\/ul>\n<p class=\"c-paragraph\">It's not that there's no risk in these cases, but the priority changes. Not everything requires immediate intervention.<\/p>\n<h2 class=\"c-paragraph__title\">Check the status: quick and sufficient to decide<\/h2>\n<p class=\"c-paragraph\">Before thinking about changes, the most useful thing is to know where you stand.<\/p>\n<p class=\"c-paragraph\">With <i>msinfo32<\/i>, in the system summary, you can see the Secure Boot status. 
That's all you need for an initial assessment.<\/p>\n<p class=\"c-paragraph\">If it appears enabled and the system receives updates, the transition will most likely occur without intervention.<\/p>\n<p class=\"c-paragraph\">If it appears disabled or the system no longer updates, then it's worth stopping to think about what to do.<\/p>\n<p class=\"c-paragraph\">That simple piece of information is usually enough to separate what is normal maintenance from what requires attention.<\/p>\n<h2 class=\"c-paragraph__title\">The decision is not technical, it is operational.<\/h2>\n<p class=\"c-paragraph\">This is where the approach changes. It's not just about knowing how Secure Boot works, but about deciding whether it's worth intervening.<\/p>\n<p class=\"c-paragraph\">There are clear situations where taking action makes sense:<\/p>\n<ul class=\"c-paragraph\">\n<li>Equipment that remains in active use and handles relevant information.<\/li>\n<li>Configurations where Secure Boot is disabled but could be enabled without breaking compatibility.<\/li>\n<li>Systems that no longer receive automatic updates.<\/li>\n<\/ul>\n<p class=\"c-paragraph\">Conversely, forcing changes to older or non-critical equipment may be unnecessary. Sometimes it's more sensible to keep them isolated or plan for their replacement.<\/p>\n<p class=\"c-paragraph\">Furthermore, modifying firmware is not a trivial matter. Changing Secure Boot can affect booting if there are incompatible drivers or configurations. It's not complex, but it's also not something to do without checking beforehand.<\/p>\n<p class=\"c-paragraph\">More than a specific date, this is a checkpoint. If everything is in order, there's no urgency. 
If it's not, it's best to know before it becomes obvious.<\/p>\n<p class=\"c-paragraph\">For technical details and specific dates, you can consult the official documentation on the <b><a title=\"Microsoft\" href=\"https:\/\/support.microsoft.com\/es-es\/topic\/expiraci%C3%B3n-del-certificado-de-arranque-seguro-de-windows-y-actualizaciones-de-ca-7ff40d33-95dc-4c3c-8725-a9b95457578e#:~:text=Microsoft%20est%C3%A1%20actualizando%20los%20certificados,expirar%20en%20junio%20de%202026.\" target=\"_blank\" rel=\"noopener\" data-schema-attribute=\"mentions\">Secure Boot Certificate Expiration and CA Updates<\/a><\/b>.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The expiration of Secure Boot in 2026 requires a review of certificates, support, and firmware in Windows 11 to prevent a loss of trust in secure boot.<\/p>","protected":false},"author":1,"featured_media":109923,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ai_generated_summary":"","iawp_total_views":110,"jnews-multi-image_gallery":[],"jnews_single_post":{"format":"standard","override":[{"template":"1","parallax":"1","fullscreen":"1","layout":"right-sidebar","sidebar":"default-sidebar","second_sidebar":"default-sidebar","sticky_sidebar":"1","share_position":"top","share_float_style":"share-monocrhome","show_share_counter":"1","show_view_counter":"1","show_featured":"1","show_post_meta":"1","show_post_author":"1","show_post_author_image":"1","show_post_date":"1","post_date_format":"default","post_date_format_custom":"Y\/m\/d","show_post_category":"1","show_post_reading_time":"1","post_reading_time_wpm":"300","post_calculate_word_method":"str_word_count","zoom_button_out_step":"2","zoom_button_in_step":"3","show_post_tag":"1","show_prev_next_post":"1","show_popup_post":"1","show_comment_section":"1","number_popup_post":"1","show_author_box":"1","show_post_related":"1","show_inline_post_related":"0"}],"image_override":[{"single_post_thumbnail_size":
"crop-500","single_post_gallery_size":"crop-500"}],"trending_post_position":"meta","trending_post_label":"Trending","sponsored_post_label":"Sponsored by","disable_ad":"0","subtitle":""},"jnews_primary_category":[],"jnews_social_meta":[],"jnews_review":[],"enable_review":"","type":"percentage","name":"","summary":"","brand":"","sku":"","good":[],"bad":[],"score_override":"","override_value":"","rating":[],"price":[],"jnews_override_counter":{"view_counter_number":"0","share_counter_number":"0","like_counter_number":"0","dislike_counter_number":"0"},"footnotes":""},"categories":[308],"tags":[1639,1445,1559],"class_list":["post-109688","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-seguridad","tag-ciberseguridad","tag-evergreencontent","tag-windows11"],"_links":{"self":[{"href":"https:\/\/mastertrend.info\/en\/wp-json\/wp\/v2\/posts\/109688","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mastertrend.info\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mastertrend.info\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mastertrend.info\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mastertrend.info\/en\/wp-json\/wp\/v2\/comments?post=109688"}],"version-history":[{"count":5,"href":"https:\/\/mastertrend.info\/en\/wp-json\/wp\/v2\/posts\/109688\/revisions"}],"predecessor-version":[{"id":109926,"href":"https:\/\/mastertrend.info\/en\/wp-json\/wp\/v2\/posts\/109688\/revisions\/109926"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mastertrend.info\/en\/wp-json\/wp\/v2\/media\/109923"}],"wp:attachment":[{"href":"https:\/\/mastertrend.info\/en\/wp-json\/wp\/v2\/media?parent=109688"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mastertrend.info\/en\/wp-json\/wp\/v2\/categories?post=109688"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mastertrend.info\/en\/wp-json\/wp\/v2\/tags?post
=109688"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}