I've got a dusty old Windows 11 system running in a virtual machine, and when I booted it up the other day I was met not with MS's usual login prompt but instead with a BitLocker recovery blue screen.

Then I remembered the cause (when all else fails, check your own site doh!): As we warned in January 2026, Microsoft is expiring a bunch of older Windows Secure Boot certificates in June 2026 and October 2026. Once these 2011 certificates expire, Windows devices that do not have the new certificates can no longer receive Secure Boot security fixes.

Fortunately, in this case I was able to recover the Win11 system and update the certificates by pasting the supplied recovery key at aka.ms/myrecoverykey. But I suspect things can get far more complicated for organizations having to deal with this on a large number of machines.

https://krebsonsecurity.com/2026/01/patch-tuesday-january-2026-edition/

@briankrebs
Per Microsoft, this is not expected behavior. What will happen is the machine will simply not get some future updates.

I suspect this is the result of a botched update, not expired certs.

@wdormann Interesting. Thanks, Will. Anywhere I can read more about that specific behavior?

@briankrebs @wdormann It seems that updating the secure boot certificates invalidates the PCR measurements on some systems, which then prevents automatic BitLocker unlock.

Anyway, since this is a virtual machine, BitLocker probably doesn't make any sense, so I suggest you disable it (easiest by running manage-bde -off c: from an elevated command prompt).

@jernej__s @briankrebs @wdormann Yes, and updating the certs is supposed to suspend BitLocker for a couple of reboots so that doesn't happen.
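As an added example (not from this thread and not Microsoft's own tooling), here is a pre-flight PowerShell script an administrator could run on each machine before pushing the Secure Boot certificate update, implementing the mitigation the last reply describes: confirm a recovery password protector exists, then suspend the TPM-bound BitLocker protector for a couple of reboots so the changed Secure Boot measurement (PCR 7) does not drop the machine into recovery. The mount point and reboot count are assumed parameters.

```powershell
# Added example: pre-flight check before a Secure Boot certificate update on a
# BitLocker-protected Windows machine. Assumes the built-in BitLocker and
# SecureBoot PowerShell modules (Windows 10/11) and an elevated session.
# Nothing here touches the Secure Boot variables themselves.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = "C:",   # assumed: the OS volume to protect
    [int]$RebootCount = 2         # assumed: reboots to keep protectors suspended
)

# 1. Confirm Secure Boot is on; if it is not, PCR 7 bindings are not the issue.
try {
    $sb = Confirm-SecureBootUEFI
} catch {
    $sb = $false   # cmdlet throws on legacy BIOS / unsupported firmware
}
Write-Host "Secure Boot enabled: $sb"

# 2. Inspect the volume's protectors. The TPM protector is what fails to unseal
#    when the measured boot chain (PCR 7 for Secure Boot state) changes.
$vol      = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host "Protection: $($vol.ProtectionStatus)  Volume: $($vol.VolumeStatus)"
$tpm      = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $recovery) {
    # Without an escrowed recovery password, a failed TPM unseal means a locked-out machine.
    throw "No RecoveryPassword protector on $MountPoint; add one with " +
          "Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector " +
          "and escrow it before applying the update."
}
Write-Host "Recovery password protector ID(s): $($recovery.KeyProtectorId -join ', ')"

# 3. If the volume is TPM-bound and currently protected, suspend protection for
#    the update reboots. Windows resumes protection automatically after
#    $RebootCount restarts, resealing the key to the new measurements.
if ($tpm -and $vol.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    Write-Host "BitLocker suspended on $MountPoint for $RebootCount reboot(s); apply the certificate update now."
} else {
    Write-Host "No active TPM protector on $MountPoint; nothing to suspend."
}
```

Run it immediately before the update is applied; if the machine still lands on the recovery screen, the escrowed recovery password printed by step 2 is what unlocks it.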