Listen to this Post
Introduction:
The UEFI CA 2011 certificate—the cryptographic linchpin that underpins Secure Boot on virtually every Windows device manufactured before 2025—reaches end of life in June 2026. For IT and security teams, this isn’t a routine patch cycle; it’s a firmware-level trust infrastructure transition that, if mishandled, permanently disables Secure Boot update capability across your entire endpoint fleet. Missing this deadline doesn’t just leave you behind on a patch—it exposes your organization to bootkit malware like BlackLotus (CVE-2023-24932), third-party software trust failures, and compounding security debt with no clean path back.
Learning Objectives:
- Understand which Secure Boot certificates are expiring, when they expire, and the cascading security impact of inaction
- Master the step-by-step migration process across physical hardware, Windows Server, and virtual machines
- Deploy automated verification and remediation scripts using PowerShell, Group Policy, and enterprise deployment tools
You Should Know:
- Mapping the Secure Boot Trust Chain—What’s Actually Expiring
Secure Boot relies on a hierarchy of cryptographic keys stored in UEFI firmware variables, not on the OS disk. At the top sits the Platform Key (PK), which authorizes the Key Enrollment Key (KEK). The KEK in turn signs updates to two critical databases: the Allowed Signature Database (DB)—the whitelist of trusted boot signatures—and the Forbidden Signature Database (DBX)—the blacklist of revoked certificates.
Four Microsoft certificates anchoring this chain reach end of life in 2026:
| Expiring Certificate | Expiry | Replacement | Store | Purpose |
||||||
| Microsoft Corporation KEK CA 2011 | June 2026 | Microsoft Corporation KEK 2K CA 2023 | KEK | Signs updates to DB and DBX |
| Microsoft Corporation UEFI CA 2011 | June 2026 | Microsoft UEFI CA 2023 | DB | Signs third-party OS and hardware drivers |
| Microsoft Corporation UEFI CA 2011 | June 2026 | Microsoft Option ROM UEFI CA 2023 | DB | Signs third-party option ROMs |
| Microsoft Windows Production PCA 2011 | October 2026 | Windows UEFI CA 2023 | DB | Signs the Windows boot loader |
The first three expire in June 2026; the Windows boot loader certificate follows in October 2026. Systems that miss the migration lose Secure Boot update capability permanently.
2. Pre-Migration Assessment—Inventory and Readiness Checks
Before deploying any updates, you must inventory your environment and verify Secure Boot status on every endpoint—including physical hardware, Windows Server instances, and virtual machines (Hyper-V Generation 2 VMs and VMware VMs with Secure Boot enabled are all in scope).
Step 1: Verify Secure Boot is enabled
Run the following in an elevated PowerShell session on each target system:
Confirm-SecureBootUEFI
A return value of `True` confirms Secure Boot is active. You can also check via `msinfo32.exe` under System Summary > Secure Boot State.
Step 2: Query current certificate status
Check whether the 2023 certificates are already present on a system:
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing | Select-Object WindowsUEFICA2023Capable, UEFICA2023Status, @{n="UEFICA2023Error"; e={'0x' + '{0:x}' -f $_.UEFICA2023Error}}
Step 3: Inventory at scale
For enterprise-wide discovery, use this PowerShell script to export Secure Boot status across all domain-joined systems:
$computers = Get-ADComputer -Filter | Select-Object -ExpandProperty Name
foreach ($computer in $computers) {
if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
$sbStatus = Invoke-Command -ComputerName $computer -ScriptBlock { Confirm-SecureBootUEFI }
$regStatus = Invoke-Command -ComputerName $computer -ScriptBlock {
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" -ErrorAction SilentlyContinue
}
[bash]@{
Computer = $computer
SecureBootEnabled = $sbStatus
UEFICA2023Present = $regStatus.WindowsUEFICA2023Capable
}
}
} | Export-Csv -Path "SecureBoot_Inventory.csv" -1oTypeInformation
3. Deployment Methods—Registry, Group Policy, and Automation
Microsoft delivers the new certificates through multiple channels. Starting with update KB5074109 (January 2026), Windows quality updates include device targeting data that identifies systems eligible to automatically receive new Secure Boot certificates. However, automatic deployment applies only to Windows 11 versions 24H2 and 25H2—enterprise environments with diverse OS versions require active management.
Method A: Registry Key Deployment (Manual or Scripted)
Set the `AvailableUpdates` registry value to trigger certificate installation:
Deploy all needed certificates and update to Windows UEFI CA 2023 signed boot manager Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -1ame "AvailableUpdates" -Value 0x5944 -Type DWord
For CVE-2023-24932-specific mitigation, set the value to `0x40` (triggers DBX update to revoke vulnerable boot managers):
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -1ame "AvailableUpdates" -Value 0x40 -Type DWord
After setting the registry value, trigger the Secure Boot update scheduled task:
Start-ScheduledTask -TaskPath "\Microsoft\Windows\PI\" -TaskName "Secure-Boot-Update"
Method B: Group Policy Deployment
Navigate to Computer Configuration > Administrative Templates > Windows Components > Secure Boot and set Enable Secure Boot certificate deployment policy to Enabled. Note that you must download the latest Administrative Templates (.admx) for Windows 11 from Microsoft—these policies were first introduced with the 2025 Update (25H2).
Method C: PowerShell Automation (Full Workflow)
The following script automates the entire migration sequence, including registry updates, reboots, and event log validation:
Secure Boot Certificate Migration Automation Script
Requires: Windows 10/11, Windows Server 2012+, Administrator privileges
Step 1: Verify Secure Boot is enabled
if (-1ot (Confirm-SecureBootUEFI)) {
Write-Error "Secure Boot is not enabled on this system. Aborting."
exit 1
}
Step 2: Check current certificate status
$servicing = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" -ErrorAction SilentlyContinue
if ($servicing.WindowsUEFICA2023Capable -eq 1) {
Write-Host "System already has UEFI CA 2023 certificate." -ForegroundColor Green
exit 0
}
Step 3: Set registry trigger for certificate deployment
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -1ame "AvailableUpdates" -Value 0x5944 -Type DWord
Write-Host "Registry trigger set. Scheduling certificate deployment..." -ForegroundColor Yellow
Step 4: Trigger the Secure Boot update task
Start-ScheduledTask -TaskPath "\Microsoft\Windows\PI\" -TaskName "Secure-Boot-Update" -ErrorAction SilentlyContinue
Step 5: Reboot required
Write-Host "A reboot is required to apply the certificate update." -ForegroundColor Red
Restart-Computer -Force
Method D: Windows Configuration Service (WinCS) for Domain-Joined Clients
For domain-joined clients on Windows 11 versions 23H2, 24H2, and 25H2, use WinCS command-line tools:
wincs.exe /secureboot /deploy
4. Post-Migration Validation—Verifying Success
After deployment and the required reboot sequence, validate that the new certificates are properly installed and the old ones are revoked.
Step 1: Verify certificate presence
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing | Select-Object WindowsUEFICA2023Capable, UEFICA2023Status, UEFICA2023Error
– `WindowsUEFICA2023Capable = 1` indicates the new certificate is installed
– `UEFICA2023Status = 0` indicates successful deployment
– `UEFICA2023Error` shows error codes if any (0x0 = success)
Step 2: Check DBX revocation (CVE-2023-24932 mitigation)
Open Event Viewer and navigate to Application and Services Logs > Microsoft > Windows > Kernel-Boot > Operational. Look for Event ID 1035, which confirms DBX updates have been applied correctly. Event ID 276 entries also indicate successful boot manager revocation.
Step 3: Verify boot integrity
Check that the system is using the new signed boot manager
Get-WinEvent -LogName "Microsoft-Windows-Kernel-Boot/Operational" | Where-Object { $_.Id -eq 276 } | Select-Object TimeCreated, Message
5. VMware and Hyper-V Virtual Machine Considerations
Virtual machines are commonly overlooked in firmware-level security conversations. However, Secure Boot applies equally to VMs with UEFI firmware enabled.
Hyper-V Generation 2 VMs:
Certificate updates are delivered through the guest operating system—the same process as physical servers. Run the PowerShell scripts above inside each guest VM.
VMware VMs with Secure Boot:
The certificate update is delivered through a firmware file update on the hypervisor side rather than through the guest OS. Coordinate with your virtualization team to ensure the VMware host firmware includes the updated certificates.
Bulk deployment across VMs:
Deploy to all Hyper-V VMs with Secure Boot enabled
$vms = Get-VM | Where-Object { $_.SecureBoot -eq $true }
foreach ($vm in $vms) {
Invoke-Command -VMName $vm.Name -ScriptBlock {
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -1ame "AvailableUpdates" -Value 0x5944 -Type DWord
Start-ScheduledTask -TaskPath "\Microsoft\Windows\PI\" -TaskName "Secure-Boot-Update"
}
}
6. Boot Media and WinPE Preparation
Systems that rely on custom boot media, Windows PE images, or older installation media must be updated before the certificate expiration. After the new certificates are deployed and old ones revoked, unpatched boot media will fail to boot.
Update Windows PE boot images:
Mount the Windows PE image Dism /Mount-Image /ImageFile:"C:\WinPE\winpe.wim" /Index:1 /MountDir:"C:\WinPE\mount" Apply the latest cumulative update containing the new boot manager Dism /Add-Package /Image:"C:\WinPE\mount" /PackagePath:"C:\Updates\windows11.0-kb5074109-x64.msu" Commit changes Dism /Unmount-Image /MountDir:"C:\WinPE\mount" /Commit
Microsoft’s KB5025885 provides detailed guidance for updating Windows PE boot images to address CVE-2023-24932.
What Undercode Say:
- The June 2026 deadline is absolute—Microsoft has clearly stated that systems missing the migration lose Secure Boot update capability permanently. There is no “catch-up” patch; the window closes permanently.
-
The migration is not a single registry key—It requires firmware prerequisites, capability checks, reboot sequencing, and per-device confirmation across every endpoint in scope, including VMs. Organizations treating this as a routine Windows update are setting themselves up for failure.
-
BlackLotus (CVE-2023-24932) is the canary in the coal mine—This UEFI bootkit demonstrated that attackers can and will exploit expired or revoked certificates to bypass Secure Boot entirely. The vulnerability allows disabling Microsoft Defender, BitLocker, and HVCI. Missing the 2026 migration recreates this exposure at scale.
-
Automatic updates only cover a subset of systems—While Windows 11 24H2 and 25H2 receive automatic certificate updates, Windows 10, Windows Server 2012–2025, and older Windows 11 builds require active IT intervention.
-
Boot media and recovery environments are often forgotten—Systems that rely on custom WinPE images, OEM recovery partitions, or older installation media will fail to boot after the DBX revocation is applied. Update all boot media before the deadline.
-
Virtual machines are not exempt—Hyper-V Generation 2 VMs and VMware VMs with Secure Boot enabled are in scope and require the same migration steps as physical hardware.
Prediction:
-
+1 Organizations that proactively complete the UEFI CA 2023 migration before June 2026 will strengthen their boot-level security posture and gain a competitive advantage in compliance audits, particularly in regulated industries where firmware integrity is a critical control.
-
-1 Enterprises that delay migration until the final weeks will face widespread boot failures, incident response emergencies, and significant business disruption as thousands of endpoints lose Secure Boot protection simultaneously with no recovery path.
-
-1 The security industry will see a surge in bootkit and firmware-level attacks targeting organizations that missed the deadline, with threat actors weaponizing the expired certificate window as a mass exploitation vector similar to the BlackLotus campaign.
-
+1 The forced migration will accelerate enterprise adoption of automated endpoint management and firmware-update orchestration tools, driving long-term improvements in patch management discipline and security hygiene.
-
-1 Organizations running mixed environments with Windows 10, legacy Server editions, and custom UEFI implementations will face the highest remediation costs, with some legacy systems potentially requiring hardware replacement to support the new certificate chain.
-
+1 Microsoft’s phased deployment approach—delivering certificates only after devices demonstrate sufficient successful update signals—will prevent large-scale failures and serve as a model for future cryptographic infrastructure transitions.
-
-1 Third-party software vendors that fail to update their bootloaders and option ROMs with the new 2023 certificates will experience widespread trust failures, creating ripple effects across the entire Windows ecosystem.
▶️ Related Video (74% Match):
https://www.youtube.com/watch?v=4dE59YxuWi4
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: %F0%9D%97%A7%F0%9D%97%B5%F0%9D%97%B2 %F0%9D%97%A8%F0%9D%97%98%F0%9D%97%99%F0%9D%97%9C – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
