Secure Boot Certificate Expiration 2026: Update to Windows UEFI CA 2023

Background​

What exactly is changing — the technical summary​

• The original Microsoft UEFI certificates (issued circa 2011) have finite cryptographic lifetimes; multiple expirations related to those keys begin in June 2026, with some signing production CAs following through later in 2026.
• Microsoft produced a replacement certificate family — the Windows UEFI CA 2023 set — which is being delivered through a combination of Windows servicing (OS updates, dynamic updates) and coordinated OEM firmware updates for platforms that require firmware‑level key insertion.
• Delivery mechanisms include normal cumulative updates, targeted Setup/Safe OS Dynamic Updates that run during OS upgrade and repair (Microsoft has published specific KBs used in the transition), and firmware updates from vendors where the platform does not support OS‑initiated key management.
• Some device classes — older PCs, servers, air‑gapped systems, unsupported Windows 10 installs not covered by Extended Security Updates (ESU), and certain virtualization host images — are higher risk and may require manual intervention.

Why this matters: security, compatibility, and recoverability​

• Loss of future boot‑level updates: Devices that do not accept the new CA will not receive future Secure Boot updates and re‑OS vulnerabilities unpatchable at the firmware layer.
• Compatibility issues: Boot managers, WinRE/WinPE images, third‑party option ROMs and some Linux shim chains may need re‑signing or updated shims to validate under the 2023 CA.
• Operational risk for servers and air‑gapped devices: Systems that do not receive regular Windows Update telemetry are likely to need manual updates or support from OEMs — this includes many server and regulated endpoint scenarios.
• Recovery complexity: If a firmware corner case prevents OS‑initiated DB updates, you may need vendor tools or a firmware reflash to recover. Keep updated WinRE/USB recovery media available.

Verify firmware and device readiness: practical checks​

Quick locShell)​

• Confirm Secure Boot is enabled:
• Confirm-SecureBootUEFI — returns True/False.
• Check for the 2023 CA in the active DB:
• [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI DB).bytes) -match 'Windows UEFI CA 2023'

Task Scheduler and telemetry checks​

• Task: Microsoft\Windows\PI\Secure-Boot-Update
• Confirm its Last Result (0x0 indicates success). If the task hasn't run or shows an error, further investigation is warranted — a restart (or two) is recommended because the update often requires a reboot cycle to complete.

Event IDs and logs to watch​

• Event 1801 / Event 1795 (Secure Boot DB/KEK updates) — informative on whether the DB was changed.
• Event 1808 / Event 1802 — used to flag firmware acceptance failures or lack of support.
• Additional Setup/WinRE event codes may appear when Safe OS dynamic updates run during feature upgrades.

Monitoring device readiness at scale​

• Use PowerShell scripts and the Get‑SecureBootUEFI cmdlets to produce per‑device evidence and exportable artifacts (the DB/PK blobs can be exported for ticketing). Microsoft published sample reporting scripts and outputs for this transition; OEMs have echoed those checks.
• In Intune and other MDMs, create a detection policy that queries:
• Confirm-SecureBootUEFI status
• The presence of a DB entry matching 'Windows UEFI CA 2023'
• Task Scheduler status for Mcure-Boot-Update
• For SCCM/ConfigMgr, use the same PowerShell probes as compliance rules, collect results in hardware inventory, and build query-based collections to prioritize remediation.
• Prioritize and tag high‑risk assets: servers, imaging stations, dedicated lab/test hardware, air‑gapped endpoints, and VM images used to provision Cloud PCs or virtualized services. Microsoft specifically calls out Cloud PC/Windows 365 and server images as requiring early attention.

Deployment options and recommended playbook​

1) Inventory and classification (Day 0–7)​

• Build an inventory of Secure Boot‑enabled devices and record:
• Firmware vendor/model/version
• Secure Boot status (Enabled/Disabled)
• Presence of Windows UEFI CA 2023
• Update channel and last update date
• Flag unsupported Windows 10 devices not on ESU and any systems that do not receive updates automatically.

2) Pilot (Day 7–21)​

• Pick a representative pilot across firmware families (Dell, Lenovo, ASUS, vendor OEMs) and device classes (laptops, desktops, servers, Cloud PC images).
• Validate:
• PowerShell DB checks
• Task Scheduler runs and results
• WinRE / Setup dynamic update behavior (test the specific Setup Dynamic Update packages Microsoft published for staged transitions).

3) Firmware testing and OEM coordination​

• Where firmware does not accept OS‑initiated DB injections, coordinate with OEMs to deploy firmware updates that inject the 2023 CA into firmware DB. OEMs are publishing model‑specific guidance; some vendors include tools or BIOS settings to persist DB changes.
• Test updated WinPE/WinRE images signed under the 2023 CA and ensure recovery media used for imaging or recovery is rebuilt with updated components.

4) Phased rollout and automation​

• Use Intune or SCCM to distribute steps that require no firmware change (Windows dynamic updates, Safe OS updates).
• For devices requiring firmware intervention, schedule vendor BIOS/UEFI updates during maintenanc a rollback path.
• Use compliance collections to iterate on remediation and move families through the gating telemetry.

5) Ongoing monitoring & fallbacks​

• Continue to watch the scheduled task results and Event IDs.
• Maintain updated recovery images and tooling for manual DB injection where necessary.
• Communicate with helpdesk and frontline support; provide runbooks and checklists for common failure modes.

How to deploy updated certificates: specific tools and packages​

• Windows cDynamic Updates — Microsoft has targeted Safe OS and Setup Dynamic Updates (example KBs surfaced by Microsoft during the rollout) that update boot manager/WinRE during upgrade/repair flows. These are how many client devices get the new CA without firmware changes.
• OEM firmware packages — where firmware restricts OS-initiated DB writes, vendors will ship BIOS/UEFI updates that inject the 2023 CA persistently. Check OEM support advisories for model‑specific instructions. ([lenovopress.lenovo.com](Updating Windows Boot Manager and WinPE with the Windows UEFI CA 2023 Certificate firmware key management — some enterprise platforms support vendor tools for persistent DB changes; others require manual entry via UEFI specific.

Troubleshooting: common failure modes and recovery steps​

• Verify the issue with the supported PowerShell checks and examine Task Scheduler and Event Log entries. Use Confirm-SecureBootUEFI and export DB blobs for evidence.
• Check the firmware vendor and current UEFI/BIOS version. If an OEM update is available that injects the 2023 CA, apply it in a controlled window.
• If firmware refuses OS-initiated writes (cmdlets return access denied or a mismatch), use vendor tools or the firmware setup UI to add the certificate where supported.
• If a device becomes unbootable or shows persistent boot errors after attempted updates:
• Boot to updated WinRE/WinPE media signed (or rebuilt) with the 2023 CA when possible.
• Use Startup Repair or known working system images.
• If firmware corruption is suspected, coordinate with vendor support for a reflash — warn technicians that improper flashing can brick devices.
• Maintain rollback images and documented recovery playbooks. Test recovery steps in your lab before attempting them on production endpoints.

Linux and dual‑boot considerations​

• If you run dual‑boot or Linux images in your estate, validate that the shim and other EFI binaries used by your distro are compatible with the new CA and test the entire boot flow after the update.
• For VMs and nested virtualization, check the hypervisor/OVMF images — these may need updates to include the 2023 CA to allo Boot without host-side modifications.

Special cases: servers, Cloud PC images, air‑gapped systems​

• Servers: Microsoft’s Windows Server guidance emphasizes planning and manual orchestration; servers are not automatically guaranteed to receive the same telemetry‑gated rollouts as date boot images, pre‑boot recovery media, and test feature upgrade flows that exercise Safe OS dynamic updatetps://www.microsoft.com/en-us/windows-server/blog/2026/02/23/prepare-your-servers-for-secure-boot-certificate-updates/)
• Cloud PC / Windows 365: Cloud PC images and provisioning flows must be updated ahead of expiration. Microsoft’s Cloud PC guidance calls out managed images and provisioning behaviors that need icrosoft.com]
• Air‑gapped / regulated systems: These endpoints require a manual refresh path. Options include rebuilding recovery images signed for the new CA, working with OEM firmware teams to inject keys, or, in the worst case, platform replacement or ESU enrollment where available.

Communication, policy and staffing​

• Update your change calendar and treat this like any major cryptographic or firmware maintenance event windows, staging, and verification gates.
• Train helpdesk staff with short runbooks: how to run the PowerShell checks, how to interpret key Event IDs, and how to perform safe BIOS updates with vendor instructions.
• Prepare customer‑facing communications that explain potential symptoms (e.g., repeated restart loops, WinRE prompting) and the actions being taken to avoid unnecessary escalations.
• Beware of third‑party “one‑click” fixes and phins attention; use only Microsoft KBs and OEM support tools.

Step‑by‑step quick checklists​

For home users and single‑device admins​

• Install all pending Windows updates and restart the mactechcommunity.microsoft.com]
• Run PowerShell (Admin): Confirm-SecureBthe DB match for 'Windows UEFI CA 2023'.
• Open Task Scheduler → Microsoft → Windows → PI → Secure-Boot-Update and confirm recent successful runs.
• If the new CA is absent and no Windows update fixes it, check the OEM support site for firmware updates and follow vendor instructions.

For IT teams and enterprise​

• Inventory Secure Boot status and certificate presence across the estate via Intune, ConfigMgr, or PowerShell reporting.
• Pilot on representative hardware families — include servers and Cloud PCE and Setup flows with Microsoft’s Safe OS Dynamic Updates.
• Coordinate OEM firmware updates for models‑level injections. Maintain vendor contacts and test recovery images before mass deployment.
• Roll out in waves, monitor Event IDs and Task Scheduler outcomes, and prepare manual remediation teams for target families that remain non‑compliant.

Known unknowns and where to be cautious​

• The rollout is telemetry‑gated for many hardware families: Microsoft stages updates based on signals of successful installs. Don’t assume a later arrival; proactively test high‑risk systems.
• OEM firmware variability is real. The exact persistence model ffers by vendor and firmware version. Treat vendor documentation as authoritative for each model.
• Some edge cases reported in community threads show older or non‑standard firmware rejecting updates; those machines may need vendor engagement or hardware replacement. Flag and track those units early.
• If you run software signed only with the 2011 chain (rare but possible for custom boot components), re‑signing or vendor updates may be required. Test all imaging and provisioning artifacts used in your estate.

Final assessment and practical takeaways​

• For most consumer devices from active OEM lines that receive Windows Update, the update path is automatic and low‑effort: apply updates, reboot, run the simple PowerShell checks, and you’re likely done.
• For enterprises and administrators: treat this as a scheduled maintenance event. Inventory, pilot, test recovery media, coordinate firmware updates with OEMs, and prepare targeted remediation for servers, air‑gapped machines, unsupported Windows 10 devices, and custom imaging systems.
• If you encounter devices that do not accept the 2023 CA, collect evidence (export DB blobs, Task Scheduler results, Event Log entries), escalate to vendor support, and follow vendor recovery steps.