Microsoft has issued a critical warning to Windows 11 users and IT administrators: Secure Boot certificates rooted in the 2011 Microsoft Corporation UEFI CA are set to expire in June 2026, with a secondary wave of expirations targeting the Windows Production PCA 2011 certificate in 2027. Left unpatched, systems will fail to boot or lose critical security protections. The clock is ticking—and the May 2026 cumulative update serves as the final gate before the June cutoff.
Secure Boot is a fundamental UEFI firmware security feature that validates the integrity of bootloaders and operating system loaders by checking their digital signatures against a database of trusted certificates. Since Windows 8, Microsoft has relied on a chain of trust anchored by the Microsoft Corporation UEFI CA 2011 certificate, which vouches for the Windows Production PCA 2011 certificate. That PCA, in turn, signs boot components like bootmgr.efi and the Windows kernel. Both certificates have a limited validity period, and their expiration requires a coordinated update across firmware, operating system, and update mechanisms.
Understanding the Expiring Certificates
Two critical certificates are involved:
- Microsoft Corporation UEFI CA 2011: Expires June 18, 2026. This is the root certificate embedded in UEFI firmware’s Secure Boot signature database (db). It authorizes the Windows Production PCA 2011.
- Microsoft Windows Production PCA 2011: Expires October 19, 2027. This intermediate certificate directly signs Windows boot components.
The June 2026 expiration is the most urgent because it immediately breaks the trust chain. Even if the Production PCA is still valid, a system with only the 2011 UEFI CA will reject any bootloader signed by that PCA because the root authority has expired. Microsoft began rolling out replacement certificates—the Microsoft Corporation UEFI CA 2023 and Microsoft Windows Production PCA 2023—via Windows Update as early as February 2024. By May 2026, the final push ensures every supported Windows 11 device has the new certificates installed both in the UEFI db and in the boot configuration.
What Happens If You Miss the Deadline
After the June 2026 expiration, a PC that hasn’t received the updated certificates will exhibit one of these behaviors:
- Boot Failure: The UEFI firmware will refuse to load the Windows boot manager because its signature chains to an expired root CA. You’ll typically see a “Boot Device Not Found” or “Invalid Signature Detected” error.
- BitLocker Recovery: If BitLocker is enabled, the system may enter recovery mode, demanding the 48-digit recovery key. This happens because a change in Secure Boot state (from enforced to disabled) alters the PCR7 measurements the BitLocker key was sealed against, so the TPM treats it as a potential attack and refuses to release the key automatically.
- Disablement of Virtualization-Based Security: Features like Credential Guard and Hypervisor-Enforced Code Integrity (HVCI) rely on Secure Boot. Without it, these protections turn off, increasing the attack surface.
Enterprises with thousands of machines could face a widespread outage if the update isn’t deployed in time. Even home users who postpone updates risk being locked out of their PCs, potentially requiring manual intervention via UEFI settings or a clean install.
Checking Your System’s Readiness
Microsoft provides several ways to verify that your device has the 2023 certificates installed:
- System Information (msinfo32.exe): Open System Information, navigate to “System Summary,” and look for “Secure Boot State.” It should say “On.” Additionally, check “PCR7 Configuration”; if it says “Binding Possible,” the necessary certificates are present.
- PowerShell Command: Run the following as Administrator:
```powershell
# SetupMode Bytes = 0 means the firmware is in User Mode and Secure Boot can enforce
Get-SecureBootUEFI -Name SetupMode
# db is a binary EFI_SIGNATURE_LIST blob; the certificate subject names are readable as ASCII inside it
$db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
[regex]::Matches($db, '(Microsoft|Windows)[\w ]*UEFI CA 20\d\d').Value | Sort-Object -Unique
```
Look for entries that include “Microsoft Corporation UEFI CA 2011” and “Microsoft Corporation UEFI CA 2023” in the db list. Both should appear, but after the June 2026 deadline, only the 2023 CA will be needed.
- Windows Update History: KB5025885 and subsequent updates delivered the Secure Boot DB update. Check for its successful installation under Settings > Windows Update > Update history > Driver updates.
IT administrators can audit fleets using Microsoft Intune, Configuration Manager, or Windows Update for Business reports. A compliance posture assessment against the “Secure Boot DB update” update ID will identify lagging devices.
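For fleet audits, grepping the raw byte dump is fragile. The following PowerShell script is an added example (not the article's or Microsoft's code) that parses the db variable's EFI_SIGNATURE_LIST structures, decodes every X.509 entry with its expiry date, and returns an exit code usable as an Intune or Configuration Manager compliance check. It assumes the replacement CA's subject contains “UEFI CA 2023”; the EFI_CERT_X509_GUID constant comes from the UEFI specification.

```powershell
# Added example (not the article's or Microsoft's code): walk the EFI_SIGNATURE_LIST
# structures in the UEFI 'db' variable, decode every X.509 entry, and report readiness.
# Assumes the subject of the replacement CA contains 'UEFI CA 2023'. Run as Administrator.
$EFI_CERT_X509_GUID = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # from the UEFI spec

function Get-SecureBootDbCertificates {
    param([byte[]]$Bytes = (Get-SecureBootUEFI -Name db).Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # Header: SignatureType GUID (16 bytes) + SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32 each)
        $sigType  = [guid][byte[]]$Bytes[$offset..($offset + 15)]
        $listSize = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        $end = $offset + $listSize
        if ($listSize -lt 28 -or $sigSize -lt 17 -or $end -gt $Bytes.Length) { break }   # malformed list, stop
        $pos = $offset + 28 + $hdrSize
        while ($pos + $sigSize -le $end) {
            if ($sigType -eq $EFI_CERT_X509_GUID) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) followed by the DER-encoded certificate
                $der  = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                    Owner      = [guid][byte[]]$Bytes[$pos..($pos + 15)]
                }
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

$certs = @(Get-SecureBootDbCertificates)
$certs | Format-Table Subject, NotAfter, Thumbprint -AutoSize

# Verdict: exit code 0 = ready, 1 = not ready, so the script can double as a compliance-check script
$ready = [bool]($certs | Where-Object Subject -match 'UEFI CA 2023')
$certs | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(180) } |
    ForEach-Object { Write-Warning "$($_.Subject) expires $($_.NotAfter.ToString('yyyy-MM-dd'))" }
if ($ready) { Write-Output 'READY: a 2023 UEFI CA is present in db'; exit 0 }
Write-Output 'NOT READY: no 2023 UEFI CA found in db'; exit 1
```

The NotAfter column also makes the 2026 and 2027 expirations visible directly from the firmware's own copy of the certificates, independent of any Windows Update history.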
How to Deploy the Update
The Secure Boot certificate update is delivered via two distinct packages:
- Servicing Stack Update (SSU) / KB. The initial rollout came in a 2024 servicing stack update (KB5025885), which adds the new certificates to the UEFI’s Secure Boot db (the “dbx” trusted certificates store). It does not alter the boot configuration.
- Boot Manager Update. A subsequent update modifies the Windows boot configuration data (BCD) to enforce the use of the new Production PCA. This step is critical; without it, even a firmware with the 2023 CA might still trust the soon-to-be-expired 2011 PCA, leading to validation failures when the 2011 PCA expires.
For typical home users, Windows Update will handle both stages automatically. However, an additional reboot is often required to apply the firmware-level change. The system will prompt: “Restart to finish installing updates.” Ignoring this prompt leaves the old certificates in place.
Enterprise deployments should follow Microsoft’s guidance:
- Use a phased rollout: pilot on test devices, verify boot and BitLocker behavior, then expand.
- Check for UEFI firmware updates from OEMs. Dell, HP, Lenovo, and others have released BIOS updates that pre-populate the new certificates. Installing the latest firmware before May 2026 avoids relying solely on the Windows update mechanism.
- Configure Group Policy or Intune to mandate the installation of KB5025885 and its successors. The “Turn off offer to update to the latest version of Windows” policy does not gate security updates, so this certificate update will still be offered.
- Monitor the “UefiSecureBootDBUpdate” event log channel for status codes. Event ID 1793 indicates success; 1794 warns of issues.
The Timeline: Key Dates
| Date | Event |
|---|---|
| February 2024 | First release of Secure Boot DB update (KB5025885) to Windows 11 22H2/23H2. |
| August 2024 | Broad deployment phase begins; update becomes available via Windows Update for most devices. |
| May 2026 (Patch Tuesday) | Final cumulative update that includes the Secure Boot certificates as a mandatory, non-optional fix. Microsoft issues a support bulletin urging immediate action. |
| June 18, 2026 | Microsoft Corporation UEFI CA 2011 expires. Systems not updated cease to boot. |
| October 19, 2027 | Microsoft Windows Production PCA 2011 expires. Though less critical if the UEFI CA 2011 is gone, it still requires that the 2023 Production PCA is trusted. |
BitLocker and Recovery Key Preparedness
Because the certificate update changes the Secure Boot configuration, the TPM may detect a “Secure Boot policy change” and request the BitLocker recovery key. Microsoft advises that the update process includes a suspend/resume of BitLocker to prevent this. However, faulty firmware implementations or unexpected interruptions can still trigger recovery. Before applying the update, ensure you have:
- BitLocker recovery keys backed up to Azure AD or a safe location.
- A plan for BitLocker recovery in Dsregcmd or via the Intune self-service portal.
- Mandatory post-update validation: log in, confirm Secure Boot is still on, and verify that BitLocker is not in suspended mode.
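The three preparedness steps above, as an added PowerShell example (not the article's or Microsoft's code): a pre-flight function that escrows the recovery passwords and suspends BitLocker for a single reboot, and a post-flight function that confirms Secure Boot is on and protection resumed. It assumes an Azure AD-joined device and that the OS volume is C:.

```powershell
# Added example (not the article's or Microsoft's code): pre-flight and post-flight checks
# around the Secure Boot certificate update for the OS volume. Assumes an Azure AD-joined
# device and drive letter C:. Run as Administrator.
$Volume = 'C:'

function Invoke-PreUpdateBitLockerPrep {
    # 1. Refuse to proceed if Secure Boot is not currently enforcing; the update targets that state
    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is off; investigate before updating.' }
    $vol = Get-BitLockerVolume -MountPoint $Volume
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "BitLocker protection on $Volume is $($vol.ProtectionStatus); nothing to prepare."
        return
    }
    # 2. Escrow every numerical recovery password to Azure AD so a recovery prompt is survivable
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | ForEach-Object {
        BackupToAAD-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $_.KeyProtectorId | Out-Null
        "Escrowed recovery password $($_.KeyProtectorId) for $Volume"
    }
    # 3. Suspend for exactly one reboot so the PCR7 change does not trigger recovery; protection auto-resumes
    Suspend-BitLocker -MountPoint $Volume -RebootCount 1 | Out-Null
    "BitLocker suspended on $Volume for one reboot; install the update and restart now."
}

function Test-PostUpdateState {
    # Everything must be back: Secure Boot on and protection resumed (not left suspended)
    $vol = Get-BitLockerVolume -MountPoint $Volume
    $result = [pscustomobject]@{
        SecureBootOn        = Confirm-SecureBootUEFI
        BitLockerProtection = $vol.ProtectionStatus     # 'Off' here means the suspend never resumed
        RecoveryPasswords   = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').Count
    }
    if (-not $result.SecureBootOn -or $result.BitLockerProtection -ne 'On') {
        Write-Warning 'Post-update validation FAILED; do not roll the update to the next ring.'
    }
    $result
}

# Usage: Invoke-PreUpdateBitLockerPrep before the update, Test-PostUpdateState after the reboot.
```

Run the post-flight function on the pilot ring before widening the rollout; a device that reports BitLockerProtection = Off is one where the one-reboot suspend did not resume and needs Resume-BitLocker before it leaves the pilot.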
In the worst case, a machine that enters BitLocker recovery after the June 2026 deadline without the certificate update will need a clean OS installation. That means data loss if backups aren't available. The May 2026 window is the last chance to prevent this scenario.
Frequently Asked Questions
Does this affect Windows 10?
Yes, all supported versions of Windows 10 and 11 that use the 2011 certificates are affected. However, Windows 10 end of support is October 2025, so Microsoft likely focused the final push on Windows 11. Windows 10 systems still in use by May 2026 will need the same updates, but they may not be offered automatically if out of support.
What if my PC cannot receive firmware updates due to OEM discontinuation?
Devices with UEFI firmware that cannot be updated might still receive the Windows-based db update via KB. As long as the operating system can write to the UEFI Secure Boot variable store, the certificates can be added. Very old devices (2012-era) may lack this capability. Contact your OEM for guidance.
Can I manually install the certificates?
Advanced users can update the Secure Boot db using a UEFI shell or the Set-SecureBootUEFI PowerShell cmdlet. Microsoft strongly discourages this unless absolutely necessary due to the risk of bricking the device.
Will a Clean Install of Windows 11 24H2 include the new certificates?
Yes, installation media released after 2024 contains the updated boot manager and the Secure Boot DB update. However, if the UEFI firmware itself doesn’t have the 2023 CA, a clean install won’t fix the problem—the firmware must also be updated.
Looking Ahead: Avoiding Certificate Crisis Cycles
Secure Boot certificate expiration is not a one-off event. All certificates have finite lifetimes. Microsoft’s shift to shorter-lived certificates and a more agile update mechanism aims to prevent another “2011 to 2026” panic. The industry is moving toward automated certificate lifecycle management baked into firmware and operating systems. For now, the immediate lesson is clear: updates aren’t just about features or patches—they are the foundation of hardware-rooted security.
The May 2026 warning is an inflection point. Treat it with the same urgency as a zero-day Patch Tuesday release. Deploy the update, verify, and ensure every Windows 11 device enters July 2026 with Secure Boot intact and BitLocker silent. The alternative—a blue, unbootable screen—is not an option.