Secure Boot Certificates Expiring in 2026 – Action Required

Four critical Microsoft Secure Boot certificates from 2011 are expiring between June and October 2026. These certificates are essential for Windows boot security and system serviceability.

Without updates, your Secure Boot-enabled Windows devices will not receive security updates or trust new boot loaders, compromising both serviceability and security.

Expiring Certificates

| Certificate | Expiry | Replacement |
|---|---|---|
| Microsoft Corporation KEK CA 2011 | June 2026 | Microsoft Corporation KEK 2K CA 2023 |
| Microsoft Windows Production PCA 2011 | October 2026 | Windows UEFI CA 2023 |
| Microsoft UEFI CA 2011 (Boot Loaders) | June 2026 | Microsoft UEFI CA 2023 |
| Microsoft UEFI CA 2011 (Option ROMs) | June 2026 | Microsoft Option ROM UEFI CA 2023 |

Impact If Not Updated

  • No Security Updates – Devices cannot receive security updates or trust new boot loaders after certificate expiration.
  • Compromised Serviceability – Windows devices without 2023 certificates cannot receive security fixes for pre-boot components.
  • Boot Security Compromised – Windows boot security will be fundamentally compromised, exposing devices to boot-level threats.
  • Time-Sensitive Action Required – Updates must be completed before the June–October 2026 expiration dates to maintain security.

Who Is Affected?

This update affects all Windows IoT Enterprise and Windows Embedded devices with Secure Boot enabled that still have the 2011 certificate versions installed.

To check if your device is affected, verify Secure Boot status via msinfo32 and check for the presence of 2011 certificates in your device's KEK and DB stores.
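
One way to script the KEK and DB check described above, as an added example (not Elbacom's or Microsoft's own script). It uses the built-in Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets and assumes the certificate subject names are readable as ASCII text in the raw UEFI variables; the name fragments are shortened forms of the names in the table above.

```powershell
# Added example: presence check for the 2011 and 2023 Secure Boot certificates.
# Run from an elevated PowerShell session on the device being checked.
# Assumption: subject names are stored as ASCII text inside the raw UEFI
# variable, so a substring search indicates presence. It does not parse or
# validate the certificates themselves.

# Name fragments taken from the certificate table on this page.
$checks = @(
    @{ Store = 'KEK'; Fragment = 'KEK CA 2011';                 Status = 'expiring' }
    @{ Store = 'KEK'; Fragment = 'KEK 2K CA 2023';              Status = 'replacement' }
    @{ Store = 'db';  Fragment = 'Windows Production PCA 2011'; Status = 'expiring' }
    @{ Store = 'db';  Fragment = 'Windows UEFI CA 2023';        Status = 'replacement' }
    @{ Store = 'db';  Fragment = 'UEFI CA 2011';                Status = 'expiring' }
    @{ Store = 'db';  Fragment = 'Microsoft UEFI CA 2023';      Status = 'replacement' }
    @{ Store = 'db';  Fragment = 'Option ROM UEFI CA 2023';     Status = 'replacement' }
)

try {
    # Returns $true/$false; throws on legacy BIOS systems or without elevation.
    $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    Write-Warning "Cannot read Secure Boot state: $($_.Exception.Message)"
    $secureBoot = $null
}

if ($secureBoot) {
    $stores = @{}
    foreach ($name in 'KEK', 'db') {
        $bytes = (Get-SecureBootUEFI -Name $name -ErrorAction Stop).Bytes
        $stores[$name] = [System.Text.Encoding]::ASCII.GetString($bytes)
    }
    $report = foreach ($c in $checks) {
        [pscustomobject]@{
            Store    = $c.Store
            Fragment = $c.Fragment
            Status   = $c.Status
            Present  = $stores[$c.Store].Contains($c.Fragment)
        }
    }
    $report | Format-Table -AutoSize
    $missing = @($report | Where-Object { $_.Status -eq 'replacement' -and -not $_.Present })
    if ($missing.Count -gt 0) {
        Write-Output "$($missing.Count) replacement certificate(s) not found in KEK/db."
    } else {
        Write-Output 'All 2023 replacement certificates found.'
    }
} elseif ($secureBoot -eq $false) {
    Write-Output 'Secure Boot is disabled on this device.'
}
```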

Update Methods

Certificates can be updated through:

  • Automatic updates via Windows Update (recommended)
  • Manual updates using registry modifications and scheduled tasks
  • Custom deployment for large-scale enterprise environments

The update process requires Secure Boot to be enabled, and the certificate state should be verified both before and after the update.

How Elbacom Can Help

  • Assessment & Verification – We help identify affected devices and verify current certificate status across your deployment.
  • Update Guidance – Expert guidance on manual or automated certificate update processes for your specific environment.
  • Documentation & Scripts – Access to verification scripts and step-by-step procedures for certificate updates.
  • Technical Support – Direct support from our Windows IoT security experts for troubleshooting and implementation.
  • Deployment Planning – Help planning and executing updates across your entire device fleet before expiration deadlines.

Don't risk security breaches or service interruptions. Contact our support team for comprehensive help with Secure Boot certificate updates.
