UEFI CA 2011 Countdown: The June 2026 Deadline That Could Break Your Secure Boot Trust Chain Permanently + Video

Listen to this Post

🐢▶️ Listen🚀

Introduction

The UEFI CA 2011 certificate—the cryptographic linchpin of Secure Boot on virtually every Windows device deployed before 2025—reaches end of life in June 2026. For IT and security teams, this isn’t a routine patch cycle; it’s a firmware-level trust infrastructure transition that, if missed, permanently disables a device’s ability to receive Secure Boot security updates. With the BlackLotus bootkit vulnerability (CVE-2023-24932) already demonstrating how attackers exploit boot-level trust gaps, organizations that fail to migrate before the deadline are effectively leaving their endpoints exposed to bootkits with no remediation path forward.

Learning Objectives

• Understand which Secure Boot certificates are expiring, when, and what they actually do in the UEFI trust hierarchy
• Master the step-by-step migration process across physical hardware, Hyper-V VMs, and VMware environments
• Learn how to verify certificate status, trigger deployment, and validate completion using PowerShell, registry keys, and Group Policy

You Should Know

1. The Secure Boot Trust Hierarchy: What’s Actually Expiring

Secure Boot isn’t a single certificate—it’s a hierarchy of keys stored in UEFI firmware non-volatile variables, not on the OS disk. At the top sits the Platform Key (PK) , which authorizes the Key Enrollment Key (KEK) . The KEK in turn signs updates to two critical databases: the Allowed Signature Database (DB) —a whitelist of trusted boot signatures—and the Forbidden Signature Database (DBX) —a blacklist of revoked certificates.

Three Microsoft certificates from the 2011 generation are expiring:

| Expiring Certificate | Expiry | Replacement | Store |

|||||

| Microsoft Corporation KEK CA 2011 | June 2026 | Microsoft Corporation KEK CA 2023 | KEK |
| Microsoft Corporation UEFI CA 2011 | June 2026 | Microsoft UEFI CA 2023 | DB |
| Microsoft Corporation UEFI CA 2011 | June 2026 | Microsoft Option ROM UEFI CA 2023 | DB |
| Microsoft Windows Production PCA 2011 | October 2026 | Windows UEFI CA 2023 | DB |

Critical nuance: Systems with the 2011 certificate already enrolled will continue to boot after expiration. The expiration only impacts the ability to sign new binaries—meaning devices that miss the migration lose the capability to receive future Secure Boot database updates, bootloader security fixes, and revocation updates permanently.

Why this matters for Linux environments: Every modern Linux distribution that supports Secure Boot relies on the shim bootloader, which is signed by Microsoft Corporation UEFI CA 2011. Red Hat has released new shim versions signed with both 2011 and 2023 certificates for RHEL-9 and RHEL-10, but legacy systems that cannot receive UEFI db updates may face issues when a bootloader update is required after expiration.

1. The BlackLotus Connection: Why This Deadline Is Security-Critical

Microsoft has explicitly linked this certificate update to CVE-2023-24932 (BlackLotus) , a UEFI bootkit that exploits buggy Secure Boot binaries to bypass the Secure Boot chain and install a custom Machine Owner Key (MOK) without requiring physical console access. The BlackLotus bootkit has been spotted in the wild and uses this technique to achieve persistence.

The May 2023 cumulative update added protection against this Secure Boot security feature bypass. However, the updated certificates are described as “the latest security measure to address the BlackLotus UEFI bootkit vulnerability”. Devices that miss the 2026 migration lose access to these mitigations permanently.

Step-by-step: Verify your system’s current Secure Boot and certificate status

On Windows (elevated PowerShell):

 Check if Secure Boot is enabled
Confirm-SecureBootUEFI
 Returns True if enabled

Alternative via msinfo32
msinfo32.exe
 Check System Summary > Secure Boot State

Query the servicing registry key to check if 2023 certificates are present
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing | Select-Object WindowsUEFICA2023Capable, UEFICA2023Status, @{n="UEFICA2023Error"; e={'0x' + '{0:x}' -f $_.UEFICA2023Error}}

On Linux (check shim and Secure Boot status):

 Check if Secure Boot is enabled
mokutil --sb-state

Check enrolled keys
mokutil --list-enrolled

Check shim version
shim --version 2>/dev/null || rpm -q shim

For RHEL systems, verify the enrolled certificates
efitools --list-enrolled 2>/dev/null || echo "efitools package may need installation"

1. The Migration Is Not a Registry Key—It’s a Multi-Reboot Sequence

The migration isn’t a single action. It requires firmware prerequisites, capability checks, reboot sequencing, and per-device confirmation. The process demands:

1. UEFI firmware (not Legacy BIOS)—Secure Boot must be enabled
2. OEM firmware updates may be required before migration
3. At least one reboot, often two, with monitoring between steps
4. Registry trigger followed by reboot to deploy new certificates

Step-by-step: Trigger Secure Boot certificate deployment on Windows

Method 1: Registry Key (Manual)

Set the `AvailableUpdates` value to `0x5944` under:

HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot

From an elevated PowerShell:

 Set the registry key to trigger deployment
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -1ame "AvailableUpdates" -Value 0x5944 -Type DWord

Reboot to apply
Restart-Computer -Force

Method 2: Group Policy

Navigate to Computer Configuration > Administrative Templates > Windows Components > Secure Boot and set Enable Secure Boot certificate deployment policy to Enabled. Download the latest Administrative Templates (.admx) for Windows 11 from Microsoft to access these settings.

Method 3: Windows Configuration System (WinCS)

Available for domain-joined clients on Windows 11 versions 23H2, 24H2, and 25H2.

Verification after reboot:

 Check if deployment completed successfully
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing | Select-Object WindowsUEFICA2023Capable, UEFICA2023Status

Check event logs for Secure Boot servicing events
Get-WinEvent -LogName "Microsoft-Windows-SecureBoot/Operational" | Where-Object { $_.Id -in 101, 102, 103, 104 } | Select-Object TimeCreated, Id, Message

4. Virtual Machines: The Overlooked Attack Surface

Virtual machines are commonly overlooked in firmware-level security conversations, but Secure Boot applies equally to VMs with UEFI firmware enabled. Hyper-V Generation 2 VMs and VMware VMs with Secure Boot active are in scope alongside physical endpoints.

For Hyper-V VMs: The update process mirrors physical servers—through the guest operating system.

For VMware VMs: The certificate update is delivered through a firmware file update on the hypervisor side, not through the guest OS.

Step-by-step: Verify and update Secure Boot on Hyper-V VMs

From the Hyper-V host (elevated PowerShell):

 Check Secure Boot status on a specific VM
Get-VMFirmware -VMName "YourVMName" | Select-Object SecureBoot, SecureBootTemplate

Enable Secure Boot if disabled
Set-VMFirmware -VMName "YourVMName" -EnableSecureBoot On

Check the Secure Boot template (Microsoft UEFI Certificate Authority)
Get-VMFirmware -VMName "YourVMName" | Select-Object SecureBootTemplate

For VMware ESXi (from the host or via PowerCLI):

 Check Secure Boot status on ESXi host
esxcli system settings secureboot get

Check if the 2023 certificates are enrolled
vsish -e get /hardware/secureboot/db

1. Windows Automatic Deployment: What’s Happening Behind the Scenes

Starting with update KB5074109 released on January 13, 2026, Windows quality updates include device targeting data that identifies systems eligible to automatically receive new Secure Boot certificates. Microsoft delivers the new certificates only after devices demonstrate sufficient successful update signals, ensuring a safe, phased deployment.

Automatic update applies to:

• Windows 11 versions 24H2 and 25H2 (builds 26100.7623 and 26200.7623 respectively)
• Windows 11 version 23H2 through KB5073455

Systems NOT automatically updated:

• Windows Server (all versions)—must be manually migrated
• Generation 1 Hyper-V VMs (no UEFI firmware)
• Systems where Secure Boot is disabled
• Azure Local hosts

Step-by-step: Check if your system is eligible for automatic deployment

 Check if the device is targeted for automatic certificate deployment
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing | Select-Object Targeting

Check Windows Update status for Secure Boot-related updates
Get-HotFix | Where-Object { $_.HotFixID -match "KB5074109|KB5073455" }

6. Linux and Dual-Boot Considerations: The Shim Challenge

For Linux distributions relying on Microsoft-signed shim bootloaders, the expiration creates additional complexity. Red Hat has released new shim versions for RHEL-8, RHEL-9, and RHEL-10, signed with both 2011 and 2023 certificates. However:

• Legacy systems that cannot receive UEFI db updates may face issues when a bootloader or shim update is required after expiration
• TPM PCR7 values will change when the UEFI db is updated—if you’re using TPM-based automatic unlocking of LUKS-encrypted volumes or Measured Boot, reseal against a PCR value that did not change (e.g., PCR0) before rebooting, then reseal against the new PCR7 value

Step-by-step: Update UEFI db on Linux using fwupd

 Install fwupd if not present
sudo dnf install fwupd  RHEL/Fedora
sudo apt install fwupd  Ubuntu/Debian

Check for firmware updates including UEFI db updates
sudo fwupdmgr refresh
sudo fwupdmgr get-updates

Apply updates (carefully test before mass deployment)
sudo fwupdmgr update

Check enrolled Secure Boot keys after update
sudo mokutil --list-enrolled | grep -i "microsoft"

Important: Carefully test updating the UEFI db using fwupd before auto-updating all machines of the same model and firmware version. If an update is not offered by fwupd, contact your OEM vendor.

7. What Undercode Say

• The clock is ticking, and the window is closing. June 2026 isn’t a soft deadline—it’s a hard cutoff. After that date, affected endpoints lose the ability to receive Secure Boot security updates permanently. There’s no “catch-up” patch.

• This isn’t a Y2K-style boot apocalypse. Most devices will continue to boot normally. The real risk is subtler and more dangerous: the security chain beneath Windows, Linux, and cloud recovery workflows stops being renewable at the exact moment attackers are getting better at abusing the boot layer.

• Manual execution at scale is a trap. For teams managing hundreds or thousands of endpoints, manual execution and point-in-time audits aren’t a viable path to the June deadline. Without a systematic approach, organizations end up with a fragmented migration state: some devices complete, others stalled mid-migration, others never triggered at all.

• The migration requires more than technical execution—it requires visibility. Most enterprises cannot answer the basic question: “Which devices in my fleet still have the 2011 KEK?”. Discovery and inventory are prerequisites to migration.

Prediction

• +1 Organizations that complete the migration before June 2026 will gain a significant security posture advantage, as they’ll maintain the ability to receive critical boot-level revocation updates that will become increasingly important as new bootkit vulnerabilities are discovered.

• -1 The devices that miss the migration window will become permanent soft targets. As new bootloader vulnerabilities are discovered and patched, these devices won’t be able to receive the DBX updates that block malicious boot components, effectively freezing them in a state of accumulated security debt.

• -1 Expect an increase in bootkit attacks targeting post-June 2026 unpatched systems. Attackers are already aware of this expiration window, and the BlackLotus bootkit (CVE-2023-24932) has demonstrated that boot-level compromises are both feasible and valuable.

• +1 The 2023 certificate transition, while painful, will ultimately strengthen the Secure Boot ecosystem by forcing organizations to modernize their firmware and boot security practices, much like the SHA-1 to SHA-2 transition forced cryptographic hygiene improvements across the industry.

• -1 Virtual machines will be the most overlooked risk category. IT teams focusing on physical endpoints may miss that Hyper-V Generation 2 VMs and VMware VMs are equally in scope, leaving cloud and virtualized workloads exposed.

▶️ Related Video (74% Match):

https://www.youtube.com/watch?v=0r36rOSo8Ng

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: %F0%9D%97%A7%F0%9D%97%B5%F0%9D%97%B2 %F0%9D%97%A8%F0%9D%97%98%F0%9D%97%99%F0%9D%97%9C – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky