You are using an out of date browser. It may not display this or other websites correctly. You should upgrade or use an alternative browser.
uefi certificates
About this tag
UEFI certificates are the cryptographic keys that underpin Secure Boot, a Windows security feature that verifies boot components before the operating system loads. Discussions on WindowsForum.com focus on the expiration of Microsoft's original 2011 Secure Boot certificates, which began in June 2026, and the migration to newer 2023 certificates. Topics include how certificate expiration affects Windows 10, Windows 11, and Windows Server devices, the role of OEM firmware updates, and tools like Ventoy that support the transition. Users and IT administrators share guidance on checking Secure Boot readiness via Windows Security, managing phased deployments, and understanding that while most PCs continue to boot, missing updates can lead to a gradual erosion of boot-chain security protections.
Microsoft on June 29, 2026 published KB5105943 to explain why some Windows 10, Windows 11, and Windows Server devices are being blocked from receiving updated Secure Boot certificates, and what happens if those machines reach certificate expiration without the new trust material installed. The...
Microsoft’s first-generation Secure Boot certificates began expiring on June 24, 2026, affecting the trust chain used by Windows PCs to validate boot components before the operating system loads, while Microsoft and major OEMs are moving supported Windows 10 and Windows 11 devices to replacement...
Microsoft’s original Secure Boot trust chain began expiring on June 24, 2026, when the Microsoft Corporation KEK CA 2011 certificate reached its end date on Windows PCs, servers, and other UEFI devices that still depend on the 2011-era keys. The immediate risk is not that millions of machines...
Ventoy 1.1.15 arrived on June 25, 2026, after two rapid-fire predecessor releases, adding support for Microsoft’s 2023 Secure Boot certificate transition and fixing a boot failure that could affect systems with Secure Boot disabled. The update looks like a small utility changelog, but it lands...
Microsoft is telling Windows users and IT administrators in June 2026 to continue phased Secure Boot certificate deployments using Windows updates, OEM firmware, validation tooling, and staged rollout practices as the ecosystem moves from aging 2011 certificates toward newer 2023 Secure Boot...
bitlocker
certificate rollover
enterprise it
firmware certificates
intune rollout
oem firmware
secure boot
ueficertificatesuefi firmware
windows 10
windows 11
windows it management
windows security
windows update
Windows users can check Secure Boot readiness by opening the Windows Security app, choosing Device security, and reading the Secure Boot status Microsoft began surfacing there in April 2026 as part of its migration from 2011 Secure Boot certificates to replacement 2023 certificates. That sounds...
On June 24, 2026, Microsoft’s original Secure Boot Key Exchange Key from 2011 reaches its expiration date, forcing Windows PCs, servers, virtual machines, and dual-boot systems to move onto Microsoft’s newer 2023 Secure Boot certificate chain. The deadline will not brick ordinary Windows...
azure linux vms
bitlocker
certificate rollover
enterprise it
it security
linux shim
secure boot
ueficertificatesuefi firmware
windows 11
windows 11 security
windows security
windows update
Beginning June 24, 2026, Microsoft’s original 2011 Secure Boot certificates start expiring across Windows PCs, servers, virtual machines, and Linux systems that rely on Microsoft-signed UEFI boot components, forcing vendors, administrators, and users to move to the newer 2023 certificate chain...
Microsoft’s 2011 Secure Boot certificate for third-party UEFI boot components is set to expire in late June 2026, forcing Linux distributions, hardware vendors, and administrators to complete a long-planned migration to Microsoft’s newer 2023 Secure Boot certificate chain. The uncomfortable part...
Microsoft’s June 2026 Secure Boot AMA focused on the enterprise fallout from expiring 2011-era Secure Boot certificates, warning that Windows fleets may keep booting after the deadline while silently losing access to future boot trust updates, revocation protections, and predictable...
Microsoft’s 2011 Secure Boot certificate family begins expiring in June 2026, and the most consequential deadline is the Microsoft Corporation KEK CA 2011, whose replacement determines whether affected Windows devices can keep receiving future Secure Boot database and revocation updates. The...
bitlocker
certificate revocation
enterprise it
firmware trust
intune
intune management
intune monitoring
kb5094156
kek ca 2011
safe os dynamic update
secure boot
secure boot certificatesueficertificates
windows 11 23h2
windows it admin
windows security
Microsoft released KB5096160 on May 26, 2026, as a Setup Dynamic Update for Windows 11 version 26H1 that refreshes setup-related files for feature updates and repeats Microsoft’s warning that aging Secure Boot certificates begin expiring in June 2026. That pairing is the story: a routine-looking...
Microsoft’s original 2011 Secure Boot certificates for Windows PCs begin expiring in June 2026, and Microsoft is rolling out 2023 replacement certificates through Windows Update so supported UEFI systems can keep validating trusted boot software without losing future early-boot security...
Microsoft is replacing the original 2011 Secure Boot certificate chain across Windows PCs and servers before certificates begin expiring in June 2026 and continue expiring into October, affecting supported Windows 10, Windows 11, and Windows Server systems that still trust those aging boot...
bitlocker
enterprise it
firmware security
it admin checklist
it administration
it management
it security
it security management
kb5089592
kb5092765
kb5096160
kb5096160 update
safe os dynamic update
secure boot
secure boot certificates
setup dynamic update
ueficertificatesuefi firmware
uefi trust chain
windows 10
windows 10 and 11
windows 11
windows 11 24h2
windows 11 26h1
windows 11 security
windows 11 servicing
windows recovery environment
windows security
windows servicing
windows update
winre recovery
winre update
wsus
Microsoft’s May 18 Secure Boot AMA is aimed squarely at IT administrators preparing for the June 2026 expiration of older Windows Secure Boot certificates, and one enterprise question now captures the central deployment dilemma: whether successful OEM firmware updates can stand in for...
Microsoft is preparing Windows PCs for a Secure Boot certificate rollover beginning in late June 2026, when original 2011-era certificates start expiring and unsupported Windows 10 systems outside Extended Security Updates will not receive the replacement certificates. This is not a theatrical...
Windows users can check readiness for the June 2026 Secure Boot certificate expiration by running an elevated PowerShell command that looks for the Windows UEFI CA 2023 certificate, then using Windows Update, OEM firmware updates, or Microsoft’s documented registry-triggered update path if it is...
Microsoft’s 2011-era Secure Boot certificates begin expiring in June 2026, forcing Windows PCs, servers, and some virtual machines to move to Microsoft’s newer 2023 certificate chain through Windows Update, OEM firmware updates, or managed IT deployment before boot-level protections start to...
Microsoft has quietly given Windows administrators a badly needed diagnostic upgrade for the Secure Boot certificate transition: a new -Decoded parameter for the Get-SecureBootUEFI PowerShell cmdlet. Published under KB5093574 on April 28, 2026, the change turns Secure Boot’s normally opaque...
Microsoft’s new Secure Boot 2023 certificate assessment in Microsoft Defender arrives at a critical moment for Windows administrators: the original Secure Boot certificates issued in 2011 begin expiring in June 2026, with the transition stretching into the months that follow. The new Defender...