
Microsoft Secure Boot Certificates Expire — Over a Billion PCs and Linux Systems at Risk

dark6 26 June 2026

The clock has run out on one of the most foundational security mechanisms in the modern PC ecosystem. As of June 24, 2026, the first of Microsoft’s original Secure Boot certificates — the Microsoft Corporation KEK CA 2011 — officially expired. The Microsoft UEFI CA 2011 follows on June 27, 2026, with the Microsoft Windows Production PCA 2011 set to expire on October 19, 2026. Together, these certificates have underpinned firmware-level boot trust on every UEFI-capable computer deployed since the Windows 8 era — a population exceeding one billion devices worldwide.

What Is Secure Boot and Why Do These Certificates Matter?

Secure Boot is a UEFI firmware feature that verifies the cryptographic signatures of bootloaders and early boot components before handing off control to the operating system. It prevents unauthorized or malicious code — such as bootkits and rootkits — from executing at the firmware level, before any OS-level defenses can intervene.

The trust chain underpinning Secure Boot is hierarchical. The Platform Key (PK) sits at the apex, authorizing the Key Enrollment Key (KEK). The KEK signs updates to the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX). At boot time, firmware checks the bootloader’s signature against the DB. If the signature is valid and not revoked in DBX, the system proceeds. The expiring 2011-era certificates occupy critical positions throughout this hierarchy — without being replaced, the entire trust chain stops receiving updates.

Four Certificates, Four Expiry Deadlines

Enterprises should track the following key expiry milestones. The Microsoft Corporation KEK CA 2011 expired June 24, 2026, and is replaced by the Microsoft Corporation KEK 2K CA 2023. The Microsoft Corporation UEFI CA 2011 expires June 27, 2026, replaced by Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023. The Microsoft Windows Production PCA 2011 expires October 19, 2026, replaced by Windows UEFI CA 2023. The 2023 replacement certificates are valid through 2038, providing approximately 15 years of continued coverage once deployed.

Linux Systems Are Equally Affected

The impact is not limited to Windows environments. Nearly every mainstream Linux distribution — Ubuntu, Fedora, Debian, Red Hat Enterprise Linux, and others — relies on the Microsoft UEFI CA 2011 to sign the shim bootloader that enables those systems to boot with Secure Boot enabled on standard UEFI hardware. The Fedora Project has confirmed that new shim binaries will only be signed with the 2023 certificate going forward. This creates an immediate compatibility gap: Linux installation media relying on a new 2023-signed shim will fail to boot on machines whose UEFI firmware only contains the old 2011 certificate — a direct impact on bare-metal installs, server deployments, and virtual machine templates across enterprise environments.

What Happens If You Don’t Patch?

Devices that fail to migrate will continue to boot and run existing software. However, the security consequences compound over time. There will be no future DBX revocation updates, meaning new bootkits and malicious bootloader variants will never be blacklisted at the firmware level. No Windows Boot Manager security updates will arrive, leaving the bootloader frozen at its last 2011-signed version. Third-party hardware components and OS drivers signed with the new certificates will not be trusted, and future Windows feature updates may be blocked, since newer Windows builds may require a Boot Manager version that depends on the 2023 certificate chain.
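The hierarchy described under "What Is Secure Boot" and the frozen-DBX consequence just described can be walked through in a small model. The following Go program is an added example, not code from the article, from Microsoft, or from any firmware: it stands in Ed25519 keys for the X.509/RSA certificates real firmware holds, short strings for PE images, and a whitespace-separated hash list for a DBX update; all names and images are constructed. As in real UEFI firmware, certificate validity dates are never consulted during image verification, which is why already-signed images keep booting after expiry while a machine that can no longer receive KEK-signed DBX updates keeps trusting an image it should have revoked.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Authority stands in for one certificate in the Secure Boot hierarchy.
// Assumption: Ed25519 keys replace the X.509/RSA certificates real firmware holds.
type Authority struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewAuthority(name string) Authority {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Authority{Name: name, Pub: pub, priv: priv}
}

// SignedBlob carries a payload, its signature and the signer's public key,
// so the firmware can look the signer up in KEK or db.
type SignedBlob struct {
	Payload   []byte
	SignerPub ed25519.PublicKey
	Sig       []byte
}

func (a Authority) Sign(payload []byte) SignedBlob {
	return SignedBlob{Payload: payload, SignerPub: a.Pub, Sig: ed25519.Sign(a.priv, payload)}
}

// Firmware holds the authenticated Secure Boot variables.
type Firmware struct {
	KEK []ed25519.PublicKey // keys allowed to write db and dbx
	DB  []ed25519.PublicKey // keys whose signatures a boot image may carry
	DBX map[string]bool     // SHA-256 (hex) of revoked images
}

func keyIn(list []ed25519.PublicKey, k ed25519.PublicKey) bool {
	for _, x := range list {
		if x.Equal(k) {
			return true
		}
	}
	return false
}

func ImageHash(img []byte) string {
	sum := sha256.Sum256(img)
	return hex.EncodeToString(sum[:])
}

// ApplyDBXUpdate models an authenticated variable write: the payload, a
// whitespace-separated list of image hashes, is accepted only if signed by a KEK entry.
func (fw *Firmware) ApplyDBXUpdate(update SignedBlob) error {
	if !keyIn(fw.KEK, update.SignerPub) || !ed25519.Verify(update.SignerPub, update.Payload, update.Sig) {
		return errors.New("dbx update rejected: not signed by an enrolled KEK")
	}
	for _, h := range strings.Fields(string(update.Payload)) {
		fw.DBX[h] = true
	}
	return nil
}

// VerifyImage is the boot-time check: signer present in db, signature valid,
// image hash absent from dbx. Validity dates are not consulted, matching UEFI.
func (fw *Firmware) VerifyImage(img SignedBlob) error {
	if !keyIn(fw.DB, img.SignerPub) || !ed25519.Verify(img.SignerPub, img.Payload, img.Sig) {
		return errors.New("image rejected: signature not chained to db")
	}
	if fw.DBX[ImageHash(img.Payload)] {
		return errors.New("image rejected: hash present in dbx")
	}
	return nil
}

// Scenario walks the chain end to end and returns each check's outcome;
// every entry is expected to be true.
func Scenario() map[string]bool {
	kek := NewAuthority("KEK (stands in for Microsoft Corporation KEK CA 2011)")
	uefiCA := NewAuthority("db signer (stands in for Microsoft UEFI CA 2011)")
	rogue := NewAuthority("key not enrolled anywhere")
	fw := &Firmware{KEK: []ed25519.PublicKey{kek.Pub}, DB: []ed25519.PublicKey{uefiCA.Pub}, DBX: map[string]bool{}}

	// Constructed sample images: one sound, one later found to be flawed.
	good := uefiCA.Sign([]byte("shim: sound build (constructed sample)"))
	flawed := uefiCA.Sign([]byte("shim: flawed build (constructed sample)"))
	foreign := rogue.Sign([]byte("loader signed by an unknown key (constructed sample)"))
	revocation := []byte(ImageHash(flawed.Payload))

	r := map[string]bool{}
	r["db-signed image boots"] = fw.VerifyImage(good) == nil
	r["image from unknown signer is refused"] = fw.VerifyImage(foreign) != nil
	r["dbx update not signed by KEK is refused"] = fw.ApplyDBXUpdate(rogue.Sign(revocation)) != nil
	r["flawed image still boots while dbx is frozen"] = fw.VerifyImage(flawed) == nil
	r["dbx update signed by KEK is applied"] = fw.ApplyDBXUpdate(kek.Sign(revocation)) == nil
	r["flawed image refused once revoked in dbx"] = fw.VerifyImage(flawed) != nil
	return r
}

func main() {
	for name, ok := range Scenario() {
		fmt.Printf("%-48s %v\n", name, ok)
	}
}
```

The fourth check is the one that matters for an unpatched fleet: the flawed image keeps booting for as long as no update signed by an enrolled KEK reaches the DBX, regardless of what the calendar says about the signing certificate.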

Remediation Steps for IT Teams

Microsoft’s official guidance requires two sequential actions for devices manufactured before 2024. First, an OEM Firmware (BIOS/UEFI) Update: devices need a vendor-supplied firmware update to enable their UEFI to accept the 2023 certificates. Use Dell Command Update, Lenovo System Update, or HP Image Assistant depending on the hardware vendor. Second, a Windows Certificate Update delivered via Microsoft’s monthly cumulative updates, requiring Windows 10 22H2+ with ESU enrollment, or any supported Windows 11 build.

For enterprise environments, Microsoft Intune’s Settings Catalog and Windows Autopatch include a dedicated Secure Boot Certificate Update policy and built-in Secure Boot Status report. Group Policy administrators should enable “Enable Secure Boot Certificate Deployment” under Computer Configuration > Administrative Templates > Windows Components > Secure Boot after deploying the latest Windows 11 ADMX templates.

For Linux systems, administrators must both update the shim package (via apt full-upgrade, dnf upgrade, or the distribution's equivalent) and apply the OEM firmware update that enrolls the Microsoft UEFI CA 2023 certificate into the firmware DB. fwupd version 2.0.10 or later is required for delivery through the Linux Vendor Firmware Service to function correctly.

How to Verify You Are Protected

On Windows, navigate to Windows Security > Device Security > Secure Boot — a green badge confirming “all certificates are applied” is the required indicator. Alternatively, check the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\UEFICA2023Status for an “updated” value. On Linux, run sudo mokutil --sb-state to confirm Secure Boot status and sudo mokutil --db to inspect enrolled certificates. If the output shows only the Microsoft Corporation UEFI CA 2011 certificate, your firmware requires immediate attention. Organizations relying on the KEK and UEFI CA certificates have already passed their initial window as of June 24, 2026 — immediate action is essential to prevent a widening security debt at the firmware level.
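Reading mokutil --db output by eye across a fleet does not scale, so here is an added Go auditor (not from the article or from the mokutil project) that parses the openssl-style text mokutil --db prints and reports which Microsoft UEFI CAs are enrolled and which entries have passed their Not After date. The two sample dumps are constructed to mimic mokutil's format: fingerprints are zeroed placeholders, the 2011 entry's validity dates match the expiry the article gives, and the 2023 entries' expiry is a placeholder consistent with the article's "valid through 2038". The reference time is passed in rather than taken from the clock so the result is reproducible.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// DBAudit summarises the certificates found in `mokutil --db` output.
type DBAudit struct {
	Subjects  []string // CN of each certificate in db, in order
	Has2011CA bool     // Microsoft Corporation UEFI CA 2011 enrolled
	Has2023CA bool     // Microsoft UEFI CA 2023 enrolled
	HasOptROM bool     // Microsoft Option ROM UEFI CA 2023 enrolled
	Expired   []string // CNs whose "Not After" lies before the supplied time
	Verdict   string
}

var cnRe = regexp.MustCompile(`CN=([^,]+)`)

// AuditDB parses the openssl-style text that mokutil --db prints. Only the
// Subject line is used for identity; the Issuer line is deliberately ignored.
func AuditDB(output string, now time.Time) DBAudit {
	var a DBAudit
	cn, notAfter := "", time.Time{}
	flush := func() {
		if cn == "" {
			return
		}
		a.Subjects = append(a.Subjects, cn)
		switch cn {
		case "Microsoft Corporation UEFI CA 2011":
			a.Has2011CA = true
		case "Microsoft UEFI CA 2023":
			a.Has2023CA = true
		case "Microsoft Option ROM UEFI CA 2023":
			a.HasOptROM = true
		}
		if !notAfter.IsZero() && notAfter.Before(now) {
			a.Expired = append(a.Expired, cn)
		}
		cn, notAfter = "", time.Time{}
	}
	for _, raw := range strings.Split(output, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "[key"):
			flush() // start of the next certificate entry
		case strings.HasPrefix(line, "Not After"):
			// Line looks like "Not After : Jun 27 21:32:45 2026 GMT"; "_2" accepts a space-padded day.
			value := strings.TrimSpace(line[strings.Index(line, ":")+1:])
			if t, err := time.Parse("Jan _2 15:04:05 2006 MST", value); err == nil {
				notAfter = t
			}
		case strings.HasPrefix(line, "Subject:"):
			if m := cnRe.FindStringSubmatch(line); m != nil {
				cn = strings.TrimSpace(m[1])
			}
		}
	}
	flush()
	switch {
	case a.Has2023CA:
		a.Verdict = "Microsoft UEFI CA 2023 is enrolled in db"
	case a.Has2011CA:
		a.Verdict = "only Microsoft Corporation UEFI CA 2011 is enrolled: OEM firmware update required"
	default:
		a.Verdict = "no Microsoft UEFI CA found in db"
	}
	return a
}

// Constructed sample of mokutil --db output from a machine without the firmware update.
const SampleDBOnly2011 = `[key 1]
SHA1 Fingerprint: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
Certificate:
    Data:
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
        Validity
            Not Before: Jun 27 21:22:45 2011 GMT
            Not After : Jun 27 21:32:45 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
`

// Constructed sample after the 2023 certificates were enrolled (2038 dates are placeholders).
const SampleDBUpdated = SampleDBOnly2011 + `[key 2]
SHA1 Fingerprint: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
Certificate:
    Data:
        Validity
            Not After : Jan  1 00:00:00 2038 GMT
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
[key 3]
Certificate:
    Data:
        Validity
            Not After : Jan  1 00:00:00 2038 GMT
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft Option ROM UEFI CA 2023
`

func main() {
	for _, s := range []string{SampleDBOnly2011, SampleDBUpdated} {
		a := AuditDB(s, time.Now())
		fmt.Printf("%s\n  subjects: %v\n  expired: %v\n", a.Verdict, a.Subjects, a.Expired)
	}
}
```

To run it against a real machine, capture `sudo mokutil --db` to a file and pass its contents to AuditDB in place of the constructed samples; the verdict string is what a fleet inventory job would collect. Note that the 2011 CA still appears, and is still reported as expired, on an updated machine: that is expected, since the update adds the 2023 certificates alongside it rather than removing it.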
