Microsoft Secure Boot Certificate Expiration 2026

This is an overview of the pending expiration of Microsoft Secure Boot certificates and the related remediation efforts.

Overview

Microsoft is updating Secure Boot certificates originally issued in 2011, which begin expiring in late June 2026. Devices will still boot, but a device that is not updated (via automatic updates or manual firmware updates) will not receive new boot-level security protections, leaving it vulnerable to new threats. The expiration dates are:

  • Microsoft Corporation KEK CA 2011: June 24, 2026
  • Microsoft Corporation UEFI CA 2011: June 27, 2026
  • Microsoft Windows Production PCA 2011: October 19, 2026

What do I need to do?

Most devices will receive updates automatically via Windows Update. However, some systems, particularly older ones, may require OEM firmware updates. If you have a system managed by DoIT Departmental Support, you should not need to do anything. If a BIOS/firmware update is required, we will send out targeted communications to the users of those systems.

What is Departmental Support doing?

We are actively testing and monitoring updates of the Secure Boot certificates for the systems we manage. We are slowly expanding our update ring by assigning a registry key that tells a system to try to update itself.

  • 2/12 - DoIT-US-DS-SEAM Staff Machines (20)
  • 3/3 - DoIT-US-DS Staff Machines (71)
  • Future - DoIT-US Staff Machines
  • Future - DoIT Staff Machines
  • Future - Contract Partners Supported by DoIT Departmental Support

Information for IT Administrators 

This situation only applies to devices that use UEFI as the boot mechanism and have Secure Boot enabled. If a device supports UEFI and Secure Boot, it is generally best practice to have Secure Boot enabled.
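
One way to check whether a device falls into this scope and which certificates its firmware currently holds, as an added example that is not part of the original document or DoIT's own tooling. It assumes an elevated PowerShell session on the device; the 2023 certificate names are Microsoft's replacement certificates and are not listed on this page, and the byte-string search only shows that a name is present in the variable, it does not validate the certificate.

```powershell
# Added example: run in an elevated PowerShell session on the device being checked.
# The 2011 names come from this page; the 2023 names are Microsoft's replacement
# certificates (an addition, not listed on this page).
$Expected = @(
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK CA 2011' }
    @{ Variable = 'db';  Name = 'Microsoft Corporation UEFI CA 2011' }
    @{ Variable = 'db';  Name = 'Microsoft Windows Production PCA 2011' }
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' }
    @{ Variable = 'db';  Name = 'Windows UEFI CA 2023' }
    @{ Variable = 'db';  Name = 'Microsoft UEFI CA 2023' }
)

function Test-SecureBootApplicable {
    # Returns $true only for a UEFI device with Secure Boot enabled.
    try {
        return [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch [System.PlatformNotSupportedException] {
        # Legacy BIOS boot, or firmware without Secure Boot support.
        Write-Warning 'Not a UEFI Secure Boot device: certificate expiration does not apply.'
        return $false
    } catch [System.UnauthorizedAccessException] {
        throw 'Reading Secure Boot state requires an elevated session.'
    }
}

function Get-SecureBootCertPresence {
    # Reads each Secure Boot variable once and searches its raw bytes for the
    # certificate subject name. Presence check only, not signature validation.
    $cache = @{}
    foreach ($item in $Expected) {
        $var = $item.Variable
        if (-not $cache.ContainsKey($var)) {
            $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
            $cache[$var] = [System.Text.Encoding]::ASCII.GetString($bytes)
        }
        [pscustomobject]@{
            Variable    = $var
            Certificate = $item.Name
            Present     = $cache[$var].Contains($item.Name)
        }
    }
}

if (Test-SecureBootApplicable) {
    Get-SecureBootCertPresence | Format-Table -AutoSize
}
```

A device that reports the 2011 names as present and the 2023 names as absent has not yet picked up the updated certificates.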



Keywords: secure boot certificate microsoft 2026
Doc ID: 159935
Owned by: Patrick D. in DoIT Departmental Support
Created: 2026-03-16
Updated: 2026-03-16
Sites: DoIT Departmental Support