Windows Secure Boot Apocalypse: Microsoft’s 2011 Certificates Expire in June 2026 — Is Your Enterprise Ready?


Introduction:

Secure Boot is a fundamental security technology that prevents malware from loading during system startup by ensuring that only trusted, digitally signed software executes during the boot process. However, the original Secure Boot certificates issued by Microsoft in 2011 have a finite lifespan and are scheduled to begin expiring in June 2026, which will push millions of devices into a degraded security state where critical boot‑level protections can no longer be updated. In response, Microsoft has introduced a new assessment capability within Microsoft Defender for Endpoint that provides IT teams with centralized, at‑scale visibility into Secure Boot certificate readiness across their entire device fleet, enabling proactive remediation before the June deadline.

Learning Objectives:

  • Identify which Secure Boot certificates are expiring, their exact expiration dates, and the security impact of failing to update devices in time
  • Assess organizational readiness using the new Microsoft Defender Secure Boot recommendation dashboard
  • Execute PowerShell commands and Group Policy configurations to verify, deploy, and monitor Secure Boot 2023 certificate updates across Windows clients and servers

You Should Know:

1. Understanding the Expiring Secure Boot Certificates and Associated Risks

The Secure Boot chain of trust relies on three original certificates issued by Microsoft in 2011, all of which have a 15‑year lifespan. The Microsoft Corporation KEK CA 2011 and Microsoft Corporation UEFI CA 2011 both expire on June 24, 2026, while the Microsoft Windows Production PCA 2011 expires later on October 19, 2026. Together, these certificates are responsible for signing updates to the Secure Boot database (DB), the revocation list (DBX), the Windows Boot Manager, and third‑party boot components.

When these certificates expire, devices will continue to boot normally in the short term, but they will lose the ability to receive any future updates for the Windows Boot Manager, DB, or DBX via Windows Update. This leaves the device in a degraded security state where new boot‑level protections cannot be applied. Without DBX updates, vulnerable boot managers that bootkits such as BlackLotus abuse remain bootable on unpatched devices indefinitely.

To maintain security, devices must be updated to use the new 2023 certificate chain: Microsoft Corporation KEK 2K CA 2023 (stored in KEK), Windows UEFI CA 2023 (stored in DB for signing Windows boot loaders), and Microsoft UEFI CA 2023 (stored in DB for signing third‑party components).

2. Assessing Readiness with Microsoft Defender for Endpoint

Microsoft Defender for Endpoint now provides a centralized assessment that automatically categorizes managed devices into three distinct classes:
– Exposed Devices: Trust only the old 2011 Secure Boot certificates and lack trust in the new 2023 certificates. These devices require immediate remediation.
– Compliant Devices: Have successfully received the new 2023 certificates and boot from the 2023‑signed boot manager.
– Not Applicable Devices: Have Secure Boot disabled or do not support the feature.

To access this assessment:

  • Navigate to the Microsoft Defender portal at `security.microsoft.com`
    – Go to Exposure Management → Recommendations → Devices → Misconfigurations.
  • Locate the new recommendation titled “Ensure devices are updated to Secure Boot 2023 certificates and boot manager”.

From this recommendation view, security administrators can drill down into exposed devices, filter by operating system platform, export device data to share with infrastructure teams, and track rollout progress across the entire organization. The recommendation also provides direct, actionable remediation guidance for each affected device. Microsoft Secure Score will also reflect this recommendation, with remediation actions contributing to an improved security posture score.

3. Manual Verification: PowerShell Commands for Secure Boot Certificate Status

Before or after deployment, administrators can manually verify the Secure Boot certificate status on individual devices using the following PowerShell commands. These commands require an elevated PowerShell session (Run as Administrator).

a. Verify that the Windows UEFI CA 2023 certificate (new Secure Boot DB certificate) has been successfully applied:

```powershell
# Read the raw Secure Boot DB variable and look for the 2023 Windows CA subject name
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
```

If the command returns True, the Secure Boot DB has been successfully updated with the 2023 certificate.

b. Verify that the old Microsoft Windows Production PCA 2011 certificate has been revoked and added to the DBX (Forbidden Signature Database), which is the mitigation for CVE‑2023‑24932 (BlackLotus):

```powershell
# Read the raw DBX (forbidden signatures) variable and look for the revoked 2011 PCA
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes) -match 'Microsoft Windows Production PCA 2011'
```

If this command returns True, the revocation list contains the old certificate, confirming that the BlackLotus mitigation is in place.

c. Manually trigger the Secure Boot update scheduled task and then restart twice:

```powershell
# Kick off the built-in task that applies the staged DB/DBX/boot manager updates
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
```

After triggering the task, restart the device twice and re‑run the verification commands above to confirm the changes have taken effect. A System event log entry with Event ID 1037 (documented in KB5016061) also confirms that the DBX update was applied successfully.
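The three checks above can be combined into a single readiness function that classifies the local device the same way the Defender recommendation does (Exposed, Compliant, Not Applicable) and also inspects the KEK. This is an added example, not code from the original post or from Microsoft; the Not Applicable handling for firmware without Secure Boot and the Compliant rule (2023 KEK plus 2023 Windows CA present) are assumptions made here.

```powershell
# Added example, not code from the original post: classify the local device the
# way the Defender recommendation does (Exposed / Compliant / Not Applicable) by
# reading the UEFI DB, DBX and KEK directly. Requires an elevated session.
function Get-SecureBootCertReadiness {
    # Confirm-SecureBootUEFI throws on legacy BIOS or unsupported firmware and
    # returns $false when Secure Boot is disabled; both cases are Not Applicable.
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $null }
    if (-not $enabled) {
        return [pscustomobject]@{ Status = 'Not Applicable'; Checks = $null }
    }

    # Subject names inside the EFI signature lists are plain ASCII, so a string
    # match on the raw variable bytes is enough to detect each certificate.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    $checks = [ordered]@{
        KekHas2023CA    = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        DbHasWindowsCA  = $db  -match 'Windows UEFI CA 2023'
        DbHasThirdParty = $db  -match 'Microsoft UEFI CA 2023'
        DbStillHas2011  = $db  -match 'Microsoft Windows Production PCA 2011'
        Pca2011InDbx    = $dbx -match 'Microsoft Windows Production PCA 2011'
    }

    # Assumed rule: trusting the 2023 KEK and the 2023 Windows CA moves a device
    # out of the Exposed class. Revoking PCA 2011 via DBX is the later, separately
    # staged step, so it is reported but does not decide the class on its own.
    $status = if ($checks.KekHas2023CA -and $checks.DbHasWindowsCA) { 'Compliant' } else { 'Exposed' }

    [pscustomobject]@{
        Status = $status
        Checks = [pscustomobject]$checks
    }
}

# Human-readable summary; a compliance script can branch on .Status instead.
$readiness = Get-SecureBootCertReadiness
$readiness | Format-List
if ($readiness.Status -eq 'Exposed') {
    Write-Warning 'Device trusts only the 2011 Secure Boot certificates; remediation required before June 2026.'
}
```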

4. Enterprise Deployment: Group Policy Configuration for Secure Boot Certificate Updates

For domain‑joined devices, Group Policy provides a scalable deployment method for the Secure Boot certificate update.

To enable Secure Boot certificate deployment via Group Policy:
– Open the Group Policy Management Console (GPMC)
– Navigate to Computer Configuration → Administrative Templates → Windows Components → Secure Boot
– Set the policy Enable Secure Boot certificate deployment to `Enabled`

This policy writes the `AvailableUpdatesPolicy` registry value (0x5944) to target machines, instructing the operating system to initiate the update process during the next maintenance window. After applying the policy, run `gpupdate /force` to refresh the policy settings. The scheduled task will then handle the certificate installation and boot manager update automatically without further manual intervention.

5. Windows Servers Require Special Attention

Unlike Windows client devices that receive the 2023 Secure Boot certificates through Controlled Feature Rollout (CFR) via Windows Update, Windows Server instances must be updated manually by IT administrators.

To update Secure Boot certificates on Windows Server:

  • Ensure the server is fully up to date by installing the latest cumulative updates
  • After updates are installed, manually initiate the Secure Boot certificate update as described in the official Microsoft guidance at `aka.ms/SecureBootForServer`

Failure to update Windows Server certificates before June 2026 places servers in a degraded security state where new boot‑level protections cannot be applied. This directly impacts disaster recovery operations, failover clustering, and compliance posture. When a cluster node, backup image, or recovery VM relies on expired certificates, the system may fail to validate boot components, potentially blocking restores or causing cluster nodes to fail quorum checks.
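Because servers are not covered by the client CFR rollout, the per‑device checks from section 3 and the scheduled‑task and Event ID 1037 indicators from sections 3 and 4 are worth collecting across the whole server estate in one pass. The following sweep is an added example, not code from the original post or from Microsoft; it assumes WinRM is enabled and the caller is a local administrator on each server, and the server names are constructed samples.

```powershell
# Added example, not from the original post: sweep a list of Windows Servers and
# record, per host, whether the 2023 DB certificate is present, whether PCA 2011 is
# in the DBX, the state of the Secure-Boot-Update scheduled task, and whether a
# DBX-applied event (ID 1037, per KB5016061) has been logged in the System log.
$servers = @('srv-hv01', 'srv-sql01', 'srv-fs01')   # constructed sample names

$probe = {
    try { $sb = Confirm-SecureBootUEFI } catch { $sb = $null }   # $null: no UEFI Secure Boot support
    $db2023 = $false; $pca2011Revoked = $false
    if ($sb) {
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
        $db2023         = $db  -match 'Windows UEFI CA 2023'
        $pca2011Revoked = $dbx -match 'Microsoft Windows Production PCA 2011'
    }
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
    $info = if ($task) { $task | Get-ScheduledTaskInfo } else { $null }
    # Event ID filter only; source is TPM-WMI according to KB5016061 (not filtered on here).
    $dbxEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1037 } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        SecureBoot     = $sb
        DbHas2023CA    = $db2023
        Pca2011Revoked = $pca2011Revoked
        TaskState      = if ($task) { [string]$task.State } else { 'missing' }
        TaskLastRun    = if ($info) { $info.LastRunTime } else { $null }
        TaskLastResult = if ($info) { $info.LastTaskResult } else { $null }
        DbxEventLogged = [bool]$dbxEvent
        # Same assumed classification as the Defender recommendation categories
        Status         = if (-not $sb) { 'Not Applicable' } elseif ($db2023) { 'Compliant' } else { 'Exposed' }
    }
}

$results = Invoke-Command -ComputerName $servers -ScriptBlock $probe
$results | Sort-Object Status, Computer |
    Format-Table Computer, Status, DbHas2023CA, Pca2011Revoked, TaskState, DbxEventLogged -AutoSize
# Hand the exposed list to the infrastructure team, mirroring the portal's export
$results | Where-Object Status -eq 'Exposed' | Export-Csv -Path .\exposed-servers.csv -NoTypeInformation
```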

6. OEM Firmware Updates Are a Critical Prerequisite

The Secure Boot certificate update is a firmware‑level write that depends on the underlying UEFI firmware being compatible with the new certificates. Dell, HP, and Lenovo have each published specific BIOS update timelines and affected platform lists.

Dell began shipping both 2011 and 2023 certificates on newly launched platforms in late 2024 and, by the end of 2025, on all sustaining platforms shipping from its factories. This dual‑certificate strategy allows enterprise customers with older images to boot regardless of which certificate their image was signed with. HP has targeted BIOS updates for platforms released between 2018 and 2025. Platforms released in 2017 or earlier will not receive BIOS updates and may be permanently incapable of supporting the new certificates.

Before deploying the Secure Boot certificate update, verify that the latest UEFI firmware from the OEM is installed. BitLocker recovery keys should also be accessible, as the update process may require BitLocker recovery after firmware changes.

7. Advanced Hunting with KQL in Microsoft 365 Defender

For organizations requiring custom monitoring and reporting, Kusto Query Language (KQL) can be used within Microsoft 365 Defender’s Advanced Hunting to identify devices lacking the 2023 Secure Boot certificates. A comprehensive KQL example for hunting exposed devices can be found in the Microsoft Tech Community blog.

To run a KQL query:

  • In the Microsoft Defender portal, navigate to Advanced Hunting
  • Enter the query to search for devices where the Secure Boot certificate status indicates exposure
  • Export results or create custom detection rules to alert on non‑compliant devices

Advanced Hunting enables security operations teams to integrate Secure Boot certificate readiness into existing security posture workflows and create automated remediation playbooks for exposed devices.

What Undercode Says:

  • The June 2026 Secure Boot certificate expiration is not a hypothetical risk; it is a fixed deadline. Organizations that fail to update all Windows devices to the 2023 certificate chain before the June deadline will permanently lose the ability to apply boot‑level security protections, leaving systems exposed to bootkits such as BlackLotus that exploit exactly this type of trust‑anchor vulnerability.

  • Enterprise‑scale remediation is possible only through centralized tools. Microsoft Defender for Endpoint’s new Secure Boot recommendation provides the first unified dashboard for assessing certificate readiness across thousands of devices. This should be combined with Group Policy for automated deployment and PowerShell verification scripts for post‑deployment validation. Windows Server environments require particular vigilance, as they do not receive automatic updates and must be remediated manually.

Prediction:

By Q3 2026, after the first certificate expirations take effect, the industry will witness a surge in boot‑level attacks targeting devices that remain on expired Secure Boot certificates. Organizations that rely solely on post‑boot endpoint detection and response (EDR) solutions will discover that these tools cannot block threats that execute before the operating system loads. This will drive a fundamental shift in how enterprise security teams prioritize firmware‑level hygiene, moving Secure Boot certificate management from a rarely‑considered IT maintenance task to a core component of zero‑trust architecture and compliance frameworks such as NIST SP 800‑147.

Citations:

  • Link to the Microsoft Defender Secure Boot blog post
  • Link to the original Secure Boot announcement
  • Link to Dell’s Secure Boot Transition FAQ
  • Link to HP’s Secure Boot certificate update page
  • Link to BlackLotus mitigation guidance

Reported By: Markolauren Expire – Hackers Feeds