Windows Secure Boot Certificate Crisis: The June 2026 Expiration That’s Holding Billions of PCs Hostage + Video

Listen to this Post

Featured Image

Introduction:

The clock has run out on an era of firmware-level trust. As of June 24, 2026, the first of Microsoft’s original Secure Boot certificates—the Microsoft Corporation KEK CA 2011—has officially expired, with the Microsoft UEFI CA 2011 following on June 27, 2026. A third certificate, the Microsoft Windows Production PCA 2011, is set to expire on October 19, 2026. Together, these certificates have underpinned boot integrity on every UEFI-capable PC since the Windows 8 era—affecting over one billion devices worldwide, including systems running Linux distributions. While devices will not suddenly stop booting, the expiration severs the ability to receive new boot-level security updates and revocations, leaving countless systems permanently exposed to future bootkits and firmware-level attacks.

Learning Objectives:

  • Understand the technical scope of the 2026 Secure Boot certificate expiration and its impact on UEFI firmware trust chains.
  • Learn how to verify Secure Boot certificate status using PowerShell, registry keys, and event logs across Windows and Linux environments.
  • Implement step-by-step mitigation strategies, including OEM firmware updates, Windows Update deployment, and Intune-based fleet monitoring.
  • Identify and resolve common update failures, including BitLocker recovery key prompts and Event ID 1795 firmware errors.
  • Develop an enterprise-ready response plan to ensure continued Secure Boot protection and compliance.
  1. Understanding the Secure Boot Certificate Expiration: What’s Actually Breaking

The Secure Boot ecosystem relies on a hierarchical trust model stored in UEFI NVRAM variables. At the top sits the Platform Key (PK), owned by the OEM, which remains untouched by this expiration. Below it, the Key Exchange Key (KEK) authorizes updates to the Secure Boot databases. The DB (allowed database) serves as a whitelist of trusted bootloaders, while the DBX (forbidden database) functions as a blacklist of revoked or malicious components.

The 2026 expiration targets three critical Microsoft-issued certificates:

| Certificate | UEFI Store | Expiration Date | Function | 2023 Replacement |

||||||

| Microsoft Corporation KEK CA 2011 | KEK | June 27, 2026 | Authorizes every DB and DBX update pushed via Windows Update | Microsoft Corporation KEK CA 2023 |
| Microsoft Corporation UEFI CA 2011 | DB | June 27, 2026 | Signs Linux shim, third-party option ROMs, and non-Windows bootloaders | Microsoft UEFI CA 2023 / Microsoft Option ROM UEFI CA 2023 |
| Microsoft Windows Production PCA 2011 | DB | October 19, 2026 | Signs Windows Boot Manager (bootmgfw.efi) and all Windows pre-OS components | Windows UEFI CA 2023 |

Source: Eclypsium analysis of Microsoft Secure Boot certificate expiration

What This Means Operationally:

When the KEK expires, the authorization pathway that allows Windows Update to push new entries to the DB and DBX collapses. Devices that have not been migrated to the 2023 certificate family before the deadline retain whatever DB and DBX state they had at the moment the KEK expires—and they hold that state permanently, or until an OEM firmware update embeds the new certificates.

Why This Matters for Security:

Past revocations have added entries to the DBX for attacks such as BlackLotus and BootHole. Every future bootkit campaign targeting a known-revoked component will succeed on unpatched devices because their DBX is frozen. Microsoft is calling this transition an “act now” event.

2. Step-by-Step Guide: Verifying Your Secure Boot Status

Before you can mitigate, you must know your exposure. Here’s how to check Secure Boot status and certificate presence across Windows and Linux environments.

For Windows Systems:

Step 1: Confirm Secure Boot is Enabled

Open an elevated PowerShell prompt and run:

Confirm-SecureBootUEFI

A result of `True` confirms Secure Boot is active. You can also verify via `msinfo32.exe` under System Summary > Secure Boot State.

Step 2: Check for the 2023 Certificate in the DB
Run the following PowerShell command to verify whether the Windows UEFI CA 2023 certificate is present in the Secure Boot Signature Database:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

If this returns True, the Secure Boot DB contains the new certificate.

Step 3: Query the Registry Update Status

Check the Secure Boot servicing registry key:

Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing | Select-Object WindowsUEFICA2023Capable, UEFICA2023Status

– `UEFICA2023Status = Updated` → Certificate update completed successfully
– Any other value or missing key → Action required

Step 4: Review Event Logs for Confirmation

Open Event Viewer → Windows Logs → System and look for TPM-WMI events:
– Event ID 1808 – Certificates successfully applied (authoritative success indicator)
– Event ID 1801 – Update initiated, reboot required
– Event ID 1795 – Firmware error during update
– Event ID 1803 – Missing KEK

For Linux Systems (RHEL / Ubuntu / Fedora):

Systems with the 2011 Microsoft UEFI CA certificate already enrolled will continue to boot after June 27, 2026. The expiration affects only the ability to sign new binaries, not booting from existing ones. However, to ensure continued compatibility with future updates:

Step 1: Check Secure Boot Status

sudo mokutil --sb-state

Step 2: Verify the Shim Version

shim --version

Current shim versions signed with 2011 keys will still boot after expiration. Red Hat and other major distributions are releasing updated shim versions signed with the new 2023 certificates.

Step 3: Check for Firmware Updates

Consult your OEM’s support site for UEFI firmware updates that include the new Microsoft UEFI CA 2023 certificate.

  1. Mitigation Strategy: How to Apply the 2023 Certificates

Option A: Automatic Deployment via Windows Update (Recommended for Most Devices)

For most personal and enterprise Windows devices, Microsoft deploys the new certificates automatically through regular monthly Windows updates. The rollout began in February 2026 and continues through June 2026 for high-confidence devices with Secure Boot enabled.

To verify the update has been applied:

  1. Open Settings → Windows Update → Update History

2. Scroll to the ‘Other Updates’ section

  1. Look for ‘Secure Boot Allowed Signature Database (DB)’ update

Option B: OEM Firmware Update (Required for Some Systems)

Some devices may require an additional firmware (UEFI/BIOS) update from the OEM before Windows can apply the new certificates. Major manufacturers including Dell, HP, Lenovo, and ASUS have prepared BIOS updates for devices released between 2018 and 2025.

Check your OEM’s support website for updates mentioning Secure Boot or security updates.

Option C: Registry-Based Opt-In (For Managed Environments)

For enterprise environments needing to expedite deployment, you can use the registry-based opt-in mechanism available on all supported Windows versions (Windows 10, Windows 11, Windows Server 2016/2019/2022/2025).

Create a registry key to trigger the update:

Path: HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
Value: UEFICA2023Status
Data: InProgress

The system will process the update and transition the status to `Updated` upon completion.

  1. Enterprise Deployment: Monitoring Secure Boot Status with Intune

For IT administrators managing large fleets, visibility is the harder problem because no standard EDR enumerates UEFI variables. Microsoft Intune provides a solution through Proactive Remediation scripts.

Step 1: Create the Detection Script

Download the sample Secure Boot inventory data collection script from KB5072718. The script collects audit-grade telemetry from three sources:
– Registry – Secure Boot certificate update status, servicing keys, and device attributes
– WMI/CIM – OS version, last boot time, and baseboard hardware information
– Event logs – System log entries for Secure Boot update events (Event IDs 1795, 1796, 1800, 1801, 1802, 1803, and 1808)

Save the script as `Detect-SecureBootCertUpdateStatus.ps1`.

Step 2: Deploy in Intune

  1. Sign in to the Microsoft Intune admin center

2. Navigate to Devices → Remediations

3. Click + Create script package

  1. Upload the detection script (leave remediation script empty)
  2. Set Run script in 64-bit PowerShell to Yes, Run as SYSTEM

6. Assign to device groups and create

Step 3: View Results

After devices check in (up to 24 hours), results appear in the Intune admin center under Devices → Remediations → Monitor tab. The Overview tab shows a summary dashboard with counts for devices with and without the updated certificates.

  1. Critical Considerations: BitLocker Recovery Key and PCR7 Binding

A significant operational risk accompanies the Secure Boot certificate transition. Administrators should be aware of a known issue where the update may trigger unexpected BitLocker recovery prompts on certain systems. This problem specifically impacts devices using a TPM validation profile that includes PCR7 alongside specific Secure Boot configurations.

Why This Happens:

BitLocker volumes sealed to PCR7 will prompt for recovery keys when the transition lands. The expiration of the 2011 certificates can prevent binding BitLocker to PCR7. System Information (msinfo32.exe) may report Secure Boot State PCR7 Binding as ‘Not Possible’.

Best Practice:

Verify Entra ID recovery key backup before deployment for any BitLocker-enabled systems. Keep the BDE recovery key accessible in enterprise environments.

Check PCR7 Binding Status:

Run the following command in an elevated PowerShell session:

manage-bde -protectors -get C:

Ensure recovery key backups are current and accessible before applying any Secure Boot updates.

6. Troubleshooting Common Update Failures

Event ID 1795: Firmware Error

Event ID 1795 indicates a KEK update failure where the system firmware returns a “write protected” error when Windows tries to update the KEK variable. This is a known platform-level issue, not something that can be worked around at the guest OS level alone.

Resolution:

  • For physical systems: Install the latest OEM firmware update
  • For Azure VMs: Install the March 2026 Windows update or any later update on each affected VM
  • For Azure VMs using hotpatching: Apply the April 2026 release

Event ID 1801: Update Initiated but Not Applied

Event ID 1801 indicates the Secure Boot certificate update has been initiated but has not yet been applied to firmware. A reboot is typically required.

Resolution:

  • Reboot the system to complete the firmware update process
  • If the issue persists, check for pending OEM firmware updates

Missing UEFICA2023Status Registry Key

If the `UEFICA2023Status` key is missing or not set to Updated, the firmware has not accepted or applied the new 2023 Secure Boot certificates.

Resolution:

  • Verify Secure Boot is enabled (Confirm-SecureBootUEFI should return True)
  • Check Windows Update history for the Secure Boot DB update
  • Install any available OEM firmware updates
  • Consider using the registry opt-in method to trigger the update

7. Linux Distributions: Special Considerations

For Linux systems, the impact differs significantly from Windows. The Microsoft UEFI CA 2011 certificate, which signs the shim bootloader (shimx64.efi), expires on June 27, 2026.

Key Points:

  • Systems with the 2011 certificate already enrolled will continue to boot after expiration
  • The expiration affects only the ability to sign new binaries, not booting from existing ones
  • Most Linux distributions are expected to boot normally because certificate expiration does not automatically delete old keys from firmware

What to Do:

  • Update shim – Major distributions (Red Hat, Ubuntu, Fedora) are releasing new shim versions signed with the 2023 certificates
  • Check firmware updates – Ensure your system has the latest UEFI firmware from the OEM
  • Test boot compatibility – For older systems, verify that boot continues to work after the expiration date

Verification Command for Linux:

 Check if the 2023 certificate is present in the UEFI DB
sudo mokutil --list-enrolled

What Undercode Say:

  • Key Takeaway 1: The headline overstates the immediate impact and understates the medium-term one. Devices do not stop booting. What stops is the ability to receive new DBX revocations and boot-level security updates after the 2011 KEK expires. Future bootkit revocations cannot reach the device, and past revocations become the permanent state.

  • Key Takeaway 2: Two practitioner items for SMB fleets. BitLocker volumes sealed to PCR7 will prompt for recovery keys when the transition lands, so verify Entra ID recovery key backup before deployment. Visibility is the harder problem because no standard EDR enumerates UEFI variables. The Secure Boot status report in Intune (Reports → Windows quality updates) and the UEFICA2023Status registry key are where device-level state lives. Event ID 1808 confirms success. Event ID 1795 means an OEM firmware update is required first.

Analysis:

The Secure Boot certificate expiration represents one of the largest firmware-level security transitions in computing history. While Microsoft has provided the necessary 2023 certificates through Windows Update since February 2026, the challenge lies in execution. Enterprises face a fragmented landscape where some devices receive updates automatically, others require OEM firmware interventions, and still others—particularly unsupported Windows versions—receive no updates at all.

The architectural change splitting the old Microsoft UEFI CA 2011 into two distinct 2023 certificates (OS bootloaders and hardware option ROMs) adds complexity to the transition. Meanwhile, the permanent freezing of DBX state on unpatched devices creates a lasting vulnerability surface that attackers will inevitably target.

For Linux administrators, the situation is less urgent but still requires attention. The expiration does not break existing boot functionality, but future compatibility with new signed components depends on updated shim versions and firmware support.

The BitLocker recovery key issue serves as a critical reminder that security updates often have cascading effects on other protection mechanisms. Proper planning, including recovery key verification and phased deployment, is essential for avoiding operational disruption.

Prediction:

  • +1 Organizations that proactively completed the Secure Boot certificate migration before the June 2026 deadline will maintain a significant security advantage, with continued protection against emerging bootkits and firmware-level threats.

  • -1 Unpatched devices—particularly those running unsupported Windows versions or with outdated OEM firmware—will become permanent soft targets for bootkit campaigns. Attackers will develop exploits targeting known-revoked components that remain trusted on these frozen systems.

  • -1 The fragmentation of Secure Boot trust across the global device fleet will create a long-tail security problem lasting years, as older devices that cannot receive OEM firmware updates remain permanently exposed.

  • +1 The Secure Boot certificate transition will accelerate enterprise adoption of centralized device management solutions like Microsoft Intune, as organizations seek visibility into UEFI-level security states that traditional EDR cannot provide.

  • -1 Expect an increase in BitLocker recovery incidents as organizations deploy the Secure Boot updates without proper recovery key verification, leading to support desk overload and potential data loss scenarios.

  • +1 The Linux ecosystem’s handling of the certificate expiration—with distributions releasing updated shim versions and maintaining boot compatibility—demonstrates the resilience of open-source communities in adapting to upstream security changes.

  • -1 The October 19, 2026 expiration of the Microsoft Windows Production PCA 2011 will create a second wave of urgency as Windows Boot Manager components lose trust, potentially causing boot failures on systems that have not completed the transition.

▶️ Related Video (78% Match):

https://www.youtube.com/watch?v=0r36rOSo8Ng

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Cybersecuritynews Share – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky