Secure Boot Certificates from 2011 Begin Expiring in June 2026: What IT Teams Must Do Now
The original Secure Boot certificates installed on Windows PCs since 2011 will start expiring in June 2026, and without action devices will lose the ability to receive boot-component security updates and trust newly signed third-party software.
Microsoft has issued an urgent warning to IT administrators: the Microsoft Windows Production PCA 2011, Microsoft Corporation KEK CA 2011, and Microsoft Corporation UEFI CA 2011 certificates — which underpin Secure Boot on virtually every Windows PC and server shipped over the past 15 years — will begin expiring in June 2026 and complete their expiration cycle by October 2026. Organizations that do not update these certificates beforehand face serious consequences to boot security and compliance.
What Happens If You Do Nothing
After a 2011 certificate expires, affected devices will be unable to install Secure Boot security updates and will not trust third-party UEFI drivers or boot loaders signed under the old chain. Boot-component security updates — including defenses against UEFI bootkits like BlackLotus (CVE-2023-24932) — will no longer be applicable, leaving systems permanently exposed to that class of threat. For enterprise environments, expired Secure Boot certificates will also trigger compliance failures in frameworks that mandate verified boot.
The Replacement Path
Microsoft has begun rolling out the replacement 2023 CA certificates through the monthly Windows Update cumulative updates. Organizations need to install the 2023 CAs before the 2011 CAs start expiring. On managed endpoints, this means verifying that the February 2026 or later cumulative update has been applied and that the new certificate bundle has been enrolled in the device's UEFI Secure Boot databases (the KEK and db variables).
Virtual machines present an additional challenge: VM templates and offline snapshots created from pre-update images will carry the old certificates and must be refreshed. Administrators managing fleets of VMs on VMware, Hyper-V, or other hypervisors should audit template libraries now.
Recommended Timeline
Microsoft has published a detailed Secure Boot Playbook on the Windows IT Pro Blog with step-by-step guidance. The key milestones are: validate current certificate status on representative devices in each hardware class, deploy cumulative updates that include the 2023 CA bundle to all endpoints, update PXE boot environments and WinPE images, and complete the rollout with at least 30 days of buffer before June 2026. Organizations with large, complex estates should begin this work immediately.
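A quick way to carry out the "validate current certificate status" milestone above, and to confirm the enrollment step described under The Replacement Path, is to read the device's Secure Boot KEK and db variables and look for the CA names. The script below is an added example, not part of the article or of Microsoft's playbook; the three 2011 names come from the article, while the 2023 subject names and the choice of store for each are assumptions that should be checked against Microsoft's published list before relying on them.

```powershell
# Added example (not Microsoft's code): report which 2011 and 2023 Secure Boot CAs
# are enrolled on this device. Run from an elevated PowerShell on a UEFI system.
# Confirm-SecureBootUEFI / Get-SecureBootUEFI come with the built-in SecureBoot module.
function Get-SecureBootCAStatus {
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is disabled; certificate enrollment cannot be evaluated.'
    }
    # KEK and db are arrays of EFI_SIGNATURE_LISTs wrapping DER certificates. The
    # certificate subject names are plain ASCII inside the DER, so an ASCII decode
    # plus a substring search is enough to tell which CAs are present.
    $stores = @{}
    foreach ($name in 'KEK', 'db') {
        $stores[$name] = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $name).Bytes)
    }
    $expected = @(
        @{ Store = 'db';  Subject = 'Microsoft Windows Production PCA 2011'; Era = 2011 }
        @{ Store = 'db';  Subject = 'Microsoft Corporation UEFI CA 2011';    Era = 2011 }
        @{ Store = 'KEK'; Subject = 'Microsoft Corporation KEK CA 2011';     Era = 2011 }
        @{ Store = 'db';  Subject = 'Windows UEFI CA 2023';                  Era = 2023 }  # assumed name
        @{ Store = 'db';  Subject = 'Microsoft UEFI CA 2023';                Era = 2023 }  # assumed name
        @{ Store = 'KEK'; Subject = 'Microsoft Corporation KEK 2K CA 2023';  Era = 2023 }  # assumed name
    )
    $rows = foreach ($e in $expected) {
        [pscustomobject]@{
            Store    = $e.Store
            Subject  = $e.Subject
            Era      = $e.Era
            Enrolled = $stores[$e.Store].Contains($e.Subject)
        }
    }
    # The 2011 CAs staying present is expected; what matters is that every 2023 CA
    # has been enrolled before the 2011 ones expire.
    $missing2023 = $rows | Where-Object { $_.Era -eq 2023 -and -not $_.Enrolled }
    if ($missing2023) {
        Write-Warning "2023 CA(s) not yet enrolled: $($missing2023.Subject -join ', ')"
    }
    else {
        Write-Host 'All expected 2023 CAs are enrolled on this device.'
    }
    $rows
}

Get-SecureBootCAStatus | Format-Table -AutoSize
```

Run it on one representative device per hardware class and per VM template before the fleet-wide rollout; a template that still reports the 2023 CAs as missing needs to be refreshed rather than cloned.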