Windows Secure Boot Certificate Expiration | K-12 Technology Group

Overview

The original UEFI Secure Boot certificates shipped with Windows devices since 2012 are expiring after 15 years of service. Microsoft is replacing them with updated 2023 certificates. Devices that are not updated will continue to boot normally, but will lose the ability to receive new boot-level security protections—including updates to Windows Boot Manager, Secure Boot databases, revocation lists, and mitigations for newly discovered boot-level vulnerabilities. This also impacts BitLocker hardening and third-party bootloader trust.

Expiration Timeline

Certificate                             Store   Expiration Date
Microsoft Corporation KEK CA 2011       KEK     June 24, 2026
Microsoft Corporation UEFI CA 2011      DB      June 27, 2026
Microsoft Windows Production PCA 2011           October 19, 2026

Update Paths by Platform

Windows PCs (Automatic)

Supported Windows 10 (with ESU) and Windows 11 devices that receive Microsoft-managed updates will get the new certificates automatically via monthly updates. Most PCs manufactured since mid-2024 already include them. Unsupported Windows 10 devices (without ESU enrollment) will not receive the update.

Windows Server (Manual Action Required)

Windows Server does not receive the certificates automatically. IT administrators must perform the following steps:

Verify Secure Boot is enabled. Older VMs may need conversion from legacy BIOS (MBR) to UEFI (GPT).
Ensure the server is fully patched with the latest cumulative updates.
Trigger the certificate update by creating the registry value HKLM\SYSTEM\CurrentControlSet\Control\Secureboot\MicrosoftUpdateManagedOptIn (DWORD) and setting it to 0x5944.
Monitor progress and reboot if required to complete enrollment.
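As an added example for the server procedure above (not K-12 Technology Group's or Microsoft's own script), the following PowerShell checks that the server is UEFI-booted with Secure Boot on, looks for the 2023 certificates in the KEK and DB stores, sets the opt-in value from step 3 only when they are missing, and pulls any Event ID 1801 entries. It assumes an elevated session on Windows Server 2016 or later; the 2023 certificate subject names are taken from Microsoft's published guidance, not from this page.

```powershell
# Added example; assumes the built-in SecureBoot module and an elevated session.
$RegPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$OptInName  = 'MicrosoftUpdateManagedOptIn'
$OptInValue = 0x5944

# Step 1: Secure Boot must be on. Confirm-SecureBootUEFI throws when the OS was
# booted via legacy BIOS, which is the "convert MBR to GPT first" case above.
try {
    $sbOn = Confirm-SecureBootUEFI
} catch {
    $style = (Get-Disk | Where-Object IsBoot).PartitionStyle
    Write-Warning "Not UEFI booted (firmware: $env:firmware_type, boot disk: $style). Convert to UEFI/GPT first."
    return
}
if (-not $sbOn) { Write-Warning 'Secure Boot is disabled in firmware; enable it before opting in.'; return }

# Search a Secure Boot variable's raw bytes for a certificate subject name.
function Test-SecureBootCert {
    param([string]$Variable, [string]$Subject)
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    return ([System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Subject))
}

# 2023 subject names per Microsoft guidance (assumption: not listed on this page).
$checks = @(
    @{ Var = 'KEK'; Subject = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Var = 'db';  Subject = 'Windows UEFI CA 2023' },
    @{ Var = 'db';  Subject = 'Microsoft UEFI CA 2023' }   # third-party bootloader trust
)
$missing = @()
foreach ($c in $checks) {
    $present = Test-SecureBootCert -Variable $c.Var -Subject $c.Subject
    if (-not $present) { $missing += $c }
    '{0,-4} {1,-40} {2}' -f $c.Var, $c.Subject, $(if ($present) { 'present' } else { 'MISSING' })
}
if ($missing.Count -eq 0) { 'All 2023 certificates already enrolled; nothing to do.'; return }

# Step 3: opt in. Servicing applies the update on the next cycle and may need a reboot.
New-ItemProperty -Path $RegPath -Name $OptInName -Value $OptInValue -PropertyType DWord -Force | Out-Null
'Opt-in value set ({0} = 0x{1:X}). Reboot, then re-run this script to confirm enrollment.' -f $OptInName, $OptInValue

# Step 4: Event ID 1801 (see the VMware section) indicates a platform that cannot
# accept the update, e.g. a VM whose firmware lacks the 2023 KEK.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1801 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

A KEK row reporting MISSING after the reboot, together with Event ID 1801, is the signature of the VMware hardware-version problem described below rather than a Windows-side failure.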

VMware Environments

VMware VMs receive Secure Boot certificates from the hypervisor firmware, not the guest OS. The certificates depend on the VM hardware version at creation time—not the physical host's UEFI. VMs with hardware version 21 include the 2023 certificates; older versions ship with only the 2011 certificates.

Broadcom has identified two issues:

Missing KEK 2023: The platform cannot authorize Secure Boot updates. Windows may log Event ID 1801 during remediation attempts.
Invalid Platform Key (PK): VMs created on ESXi versions earlier than 9.0 may have a NULL PK signature, preventing KEK, DB, and DBX updates entirely.

Estimated Downtime

Each Windows Server VM requires approximately 30–45 minutes for the certificate update. If an MBR-to-GPT conversion is also required (for VMs still using legacy BIOS boot mode), plan for 60–90 minutes total per VM.

Important Reminders

Do not toggle Secure Boot off and on—this can erase the updated certificates and reset to factory defaults.
Install OEM firmware updates as they become available from your hardware vendors (HP, Lenovo, Dell, etc.).
Only KEK and DB stores require updated certificates. PK and DBX do not have expiring 2011 Microsoft certificates.

Questions about your district's environment? K-12 Technology Group is actively reviewing client systems for this update. Contact us at 262-781-3400 or visit k12techgroup.com/ to learn more.