Windows Secure Boot certificates begin expiring in June 2026

This is general to all Framework computers, but I had to choose a category.

Microsoft has announced that its Secure Boot certificates will begin expiring a few months from now (Microsoft Secure Boot certificates begin expiring in June 2026). My Framework 13 has one of the expiring certificates and M$ indicates that some devices will be updated by OEM manufacturers, possibly via firmware. (More info from Ars Technica here)

Does anyone know whether our machines will need special attention from Framework or if a regular Windows update will resolve this? There’s still plenty of time, I just like to know what to expect. Thanks!

I’m uncertain if BIOS updates will be rolled out via Windows Update. Traditionally the updates are made available via knowledge base or on the forum as an .exe to run/install.

Thanks, I appreciate the input. I agree, if it has to be a BIOS update, I’d expect it to come from Framework. If it doesn’t require a firmware update, I guess it could be through the regular Windows update channels. I’m hoping that Framework will make an announcement soon about how this will happen.

Two things!

1. Most Framework programs have already received firmware updates to add the new UEFI CA 2023 KEK certificate. You can search the firmware release notes for “UEFI CA 2023” or equivalent. Note that many of their recent products came out after this transition, and their use of the newer CA cert may not be reflected in their firmware update release notes.
2. It is not likely to actually matter: mjg59 | Secure boot certificate rollover is real but probably won't hurt you

Fantastic! I updated BIOS once last year and didn’t realize there was another release on Oct 31 that “Added Framework’s dbx key and updated the default CA of Windows Secure Boot”. Sounds like the solution I was looking for. Thanks!

Edit: I ran the BIOS update, it went fine, and I confirmed that it the new certificate is installed. Thanks for all the quick responses!