Microsoft’s Windows Production PCA 2011 certificate, one of the Secure Boot trust anchors baked into the firmware of most PCs, servers and virtual machines of the last decade, expires in October 2026, and the two certificates it works alongside, the Microsoft Corporation KEK CA 2011 and the Microsoft UEFI CA 2011, expire in June 2026. Expiry does not stop a device from booting: UEFI firmware has no trusted clock and does not evaluate certificate validity dates during Secure Boot verification. What it does stop is updates. Once the old certificates can no longer be used to sign boot managers, shim loaders and db/dbx variable updates, a device that has not received the replacement 2023 certificates is frozen at its current boot-security baseline and cannot take future boot-level fixes or revocations. IT administrators have a phased window to deploy the Windows UEFI CA 2023 and its companion certificates before the June 2026 dates, and Microsoft is urging that the rollout be completed by then.

The three certificates do different jobs. The KEK CA 2011 authorizes signed updates to the db and dbx variables themselves; the Microsoft UEFI CA 2011 signs third-party boot code such as Linux shim loaders and option ROMs; the Production PCA 2011 chains the signature on the Windows Boot Manager. Between them they cover virtually every piece of boot software that has run under Secure Boot on Windows, Linux and hypervisor platforms. Their sunset is the culmination of a multi-year plan to modernize the UEFI certificate infrastructure, but the final push now lands squarely on enterprise IT teams.

The Backbone of Boot Security

Secure Boot, a UEFI firmware feature, enforces that only code signed with a trusted certificate can run during the boot process. When a PC switches on, the firmware checks each executable—option ROMs, boot manager, OS loader—against the signature database (db): the binary’s Authenticode signature must chain to a certificate in db (or the binary’s hash must be listed there) and must not match an entry in the forbidden database (dbx). If the check fails, the firmware refuses to load that binary. Updates to db and dbx are themselves signed and must verify against the Key Exchange Key (KEK) before the firmware accepts them. The Windows Production PCA 2011 and the Microsoft UEFI CA 2011 (in db) and the Microsoft Corporation KEK CA 2011 (in KEK) have been the dominant trust anchors for over a decade, baked into motherboard firmware by OEMs and accepted universally in the ecosystem.

Microsoft intentionally limited the validity of these certificates when they were created. The 2026 expiration dates were never a secret, but the reality of updating firmware on millions of heterogeneous devices has made the transition one of the most complex IT projects in recent memory. The new Windows UEFI CA 2023 certificate was introduced in 2023 and has been slowly percolating through Windows Update and OEM firmware builds ever since.

What Actually Expires in June 2026

Three certificates go dark, two in June and one in October:

  • Microsoft Corporation KEK CA 2011 – expires June 2026. Lives in the KEK variable and authorizes signed updates to db and dbx. Replaced by the Microsoft Corporation KEK 2K CA 2023.
  • Microsoft UEFI CA 2011 (Microsoft Corporation UEFI CA 2011) – expires June 2026. A third-party signing CA in db that signs non-Microsoft UEFI executables such as Linux shim loaders, hypervisor boot code and option ROMs. Replaced by the Microsoft UEFI CA 2023 and the Microsoft Option ROM UEFI CA 2023.
  • Microsoft Windows Production PCA 2011 – expires October 2026. Lives in db and chains the signature on the Windows Boot Manager (bootmgfw.efi). Replaced by the Windows UEFI CA 2023.

Expiry is not enforced by firmware: UEFI Secure Boot verification has no trusted time source and ignores certificate validity periods, so boot components already on disk continue to load. What ends is Microsoft’s ability to sign new ones with the old keys. After June 2026, db and dbx updates must be signed under the new KEK, and new shim and option ROM signatures will come from the 2023 CAs; after October 2026 the same holds for the Windows Boot Manager. A device whose firmware does not yet trust the 2023 certificates can take neither those updates nor the revocations that accompany them. Notably, the issue isn’t limited to Windows—Linux distributions that rely on the Microsoft-signed shim bootloader are equally affected.
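To see exactly which anchors a given machine trusts, and when each one expires, the db, dbx and KEK variables can be parsed directly: each is a sequence of EFI_SIGNATURE_LIST structures, and every X.509 entry carries a DER certificate with its own NotAfter date. The script below is an added example, not code from the original article or from Microsoft. It uses the built-in Get-SecureBootUEFI cmdlet, the standard EFI_CERT_X509 and EFI_CERT_SHA256 type GUIDs, and the Microsoft SignatureOwner GUID 77fa9abd-0359-4d30-b60d-14a4f42d585d; run it in an elevated PowerShell on a UEFI system.

```powershell
# Added example (not from the article or from Microsoft): parse a Secure Boot
# variable into its EFI_SIGNATURE_LIST entries and report every X.509
# certificate's subject, issuer, expiry and owner GUID.

$EfiCertX509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$EfiCertSha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID
$MicrosoftOwner    = [guid]'77fa9abd-0359-4d30-b60d-14a4f42d585d'   # Microsoft SignatureOwner

function Get-EfiSignatureEntries {
    # Walk a byte[] holding one or more concatenated EFI_SIGNATURE_LISTs.
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # Header: SignatureType GUID(16) | SignatureListSize(4) | SignatureHeaderSize(4) | SignatureSize(4)
        $type     = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16 -or ($offset + $listSize) -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # Each EFI_SIGNATURE_DATA: SignatureOwner GUID(16) | SignatureData(SignatureSize - 16)
            $owner = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
            $data  = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
            $typeName = if ($type -eq $EfiCertX509Guid) { 'X509' }
                        elseif ($type -eq $EfiCertSha256Guid) { 'SHA256' }
                        else { $type.ToString() }
            $entry = [ordered]@{ Type = $typeName; Owner = $owner; Subject = $null; Issuer = $null; NotAfter = $null; Hash = $null }
            if ($typeName -eq 'X509') {
                # The payload is a DER certificate; .NET parses it and exposes NotAfter.
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Subject  = $cert.Subject
                $entry.Issuer   = $cert.Issuer
                $entry.NotAfter = $cert.NotAfter
            } elseif ($typeName -eq 'SHA256') {
                $entry.Hash = ([BitConverter]::ToString($data) -replace '-', '').ToLower()
            }
            [pscustomobject]$entry
            $pos += $sigSize
        }
        $offset = $end
    }
}

function Show-SecureBootVariable {
    param([ValidateSet('db', 'dbx', 'KEK', 'PK')][string]$Name = 'db')

    $raw     = (Get-SecureBootUEFI -Name $Name).Bytes
    $entries = @(Get-EfiSignatureEntries -Bytes $raw)
    $now     = Get-Date

    "== $Name: $($entries.Count) entries =="
    $entries | Where-Object Type -eq 'X509' | ForEach-Object {
        $state = if ($_.NotAfter -lt $now) { 'EXPIRED' } else { 'valid' }
        $who   = if ($_.Owner -eq $MicrosoftOwner) { 'Microsoft-owned' } else { "owner $($_.Owner)" }
        '{0,-8} {1:yyyy-MM-dd}  {2}  ({3})' -f $state, $_.NotAfter, $_.Subject, $who
    }
    $hashes = @($entries | Where-Object Type -eq 'SHA256').Count
    if ($hashes) { "$hashes SHA-256 hash entries (individual binaries, typically revocations)" }
}

Show-SecureBootVariable -Name db
Show-SecureBootVariable -Name dbx
Show-SecureBootVariable -Name KEK
```

A db that lists only subjects containing "2011" is the signal to act; the same function works on dbx, where you should eventually see the Windows Production PCA 2011 appear once the revocation step has run. On Linux the identical bytes are exposed under /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f (and dbx-…, KEK-…) with a 4-byte attribute prefix; strip those four bytes and feed the rest to Get-EfiSignatureEntries from PowerShell 7. Large dbx variables take a few seconds because of the per-entry array slicing.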

The Three-Phase Rollout Strategy

Microsoft structured the deployment of the Windows UEFI CA 2023 into three distinct phases, each gated by specific update behavior:

Phase 1 – Hydration (Testing)

Began May 2023

Windows updates began carrying the Windows UEFI CA 2023 and a boot manager signed with it, but applied nothing to firmware by default: no db write, no boot manager swap, no revocation. This phase allowed Microsoft and OEMs to verify compatibility without risking boot. Devices that received the update silently carried the new material, ready for activation.

Phase 2 – Optional Enforcement

Since July 2024

KB5025885 documents the manual opt-in for Windows 11 and supported Windows 10 and Windows Server builds. The control is the AvailableUpdates DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Secureboot: setting the documented bit for a step (0x40 adds the Windows UEFI CA 2023 to db; 0x100 switches to the 2023-signed boot manager) and starting the \Microsoft\Windows\PI\Secure-Boot-Update scheduled task applies that step, to be verified after a reboot. Admins deliver the registry value through whatever their management stack provides. Nothing is revoked in this phase, so the 2011 certificates, and anything signed under them, remain usable as a fallback.

Phase 3 – Mandatory Enforcement

June 2026 onward

Once the 2011 certificates expire, a device should carry the Windows UEFI CA 2023 in db, boot a 2023-signed boot manager and, to close the loop, hold the Windows Production PCA 2011 in dbx so that PCA 2011-signed boot managers can no longer load. The revocation is the last step and is gated on the earlier ones, because revoking PCA 2011 on a device that still runs a 2011-signed boot manager would stop it booting. Devices that never received the 2023 CA are not bricked by this phase; they simply stay on their 2011 baseline, outside the reach of further Secure Boot updates and of any later revocation those updates would carry. That is a silent exposure rather than a loud outage, which is exactly why it has to be audited rather than waited for.

The IT Administrator’s Checklist

For enterprise environments, the June 2026 milestone is not a day-one panic; it’s a validation checkpoint. By now, organizations should have already completed the following:

  • Audit UEFI firmware versions across the fleet. Use tools like Dell Command Update, HP Image Assistant, Lenovo System Update, or Microsoft’s own Surface firmware management to identify devices with firmware older than 2023.
  • Keep endpoints current on cumulative updates. The Windows UEFI CA 2023 and the boot manager signed with it ship inside the monthly updates; KB5025885 documents which builds carry them and how to apply them. Installing the update alone does not write the certificate to firmware; the servicing step has to be enabled.
  • Enable the servicing step. Set AvailableUpdates under HKLM\SYSTEM\CurrentControlSet\Control\Secureboot to the documented value for the step you want and start the \Microsoft\Windows\PI\Secure-Boot-Update task, delivered through Group Policy Preferences, an Intune remediation script or your configuration management tool. An Intune compliance policy can require Secure Boot to be enabled (Device Health), which is useful for reporting, but it cannot write firmware variables itself.
  • Test boot scenarios on representative hardware, especially on servers and hypervisors (VMware ESXi, Hyper‑V, Proxmox) where UEFI firmware updates may lag behind client devices.
  • Plan for virtual machine updates. Generation 2 VMs in Hyper‑V and UEFI (OVMF) VMs on KVM emulate the platform firmware, and their db, dbx and KEK live in a per-VM NVRAM store. The host’s Secure Boot template seeds new VMs only; existing VMs take the update from inside the guest exactly as physical machines do, provided the virtual firmware accepts the authenticated variable write. Check the hypervisor vendor’s guidance for which host versions support this.
  • Address Windows Server and Azure Stack HCI. These SKUs share the same boot architecture. The update path is identical, but server administrators often defer firmware updates due to uptime concerns. Schedule maintenance windows now.
  • Don’t forget Linux, whether dual-boot, bare-metal servers or VMs. Shim is signed under Microsoft’s third-party UEFI CA; existing 2011-signed shims keep booting after expiry, but new shim builds will be signed under the Microsoft UEFI CA 2023, so the firmware db must contain that CA before the next shim update lands. grub and the kernel are verified by shim’s own embedded vendor certificate, not by Microsoft’s, so they do not change. Check the firmware db with mokutil --db on the host.
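The opt-in mechanism from Phase 2 and the audit items above come together in one per-device check. The script below is an added example, not code from the original article or from Microsoft; it follows the verification steps KB5025885 documents (the ASCII substring test on db/dbx, the signer on the installed bootmgfw.efi, the AvailableUpdates value) and, with -Apply, enables only the first servicing step. Assumptions: drive letter S: is free for mounting the EFI system partition, the 2023-signed boot manager’s leaf certificate is issued by "Windows UEFI CA 2023", and the event IDs and provider name are the ones Microsoft’s Secure Boot servicing guidance lists; confirm them against your build. Run elevated.

```powershell
# Added example (not from the article or from Microsoft): single-device Secure
# Boot certificate posture check with an optional first remediation step.
param([switch]$Apply)

$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$UpdateTask    = '\Microsoft\Windows\PI\Secure-Boot-Update'
$EspLetter     = 'S:'   # assumption: free drive letter for the EFI system partition

function Get-SecureBootCertPosture {
    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is disabled; nothing to assess' }

    # Certificate subjects sit as plain ASCII inside the DER blobs of the
    # EFI_SIGNATURE_LISTs, which is why the substring test in KB5025885 works.
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    # Which CA chain signs the boot manager actually present on the ESP.
    mountvol $EspLetter /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature -FilePath "$EspLetter\EFI\Microsoft\Boot\bootmgfw.efi"
        $bootMgrIssuer = $sig.SignerCertificate.Issuer
    } finally {
        mountvol $EspLetter /D | Out-Null
    }

    $avail = (Get-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        DbHasWindowsUefiCa2023 = [bool]($db  -match 'Windows UEFI CA 2023')
        DbHasMsUefiCa2023      = [bool]($db  -match 'Microsoft UEFI CA 2023')
        KekHas2023             = [bool]($kek -match 'KEK 2K CA 2023')
        DbxRevokesPca2011      = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
        BootMgrIssuer          = $bootMgrIssuer
        BootMgrSigned2023      = [bool]($bootMgrIssuer -match 'Windows UEFI CA 2023')
        AvailableUpdates       = if ($null -ne $avail) { '0x{0:X}' -f [int]$avail } else { '(not set)' }
    }
}

function Get-SecureBootServicingEvents {
    # 1801: certificates need updating; 1808: db/dbx updated successfully.
    # Assumption: IDs and provider as listed in Microsoft's servicing guidance.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801, 1808 } `
                 -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

$posture = Get-SecureBootCertPosture
$posture | Format-List
Get-SecureBootServicingEvents | Format-Table -AutoSize

if ($Apply -and -not $posture.DbHasWindowsUefiCa2023) {
    # 0x40 = write the Windows UEFI CA 2023 into db (KB5025885). Switching the boot
    # manager (0x100) and revoking PCA 2011 in dbx (0x80) are separate, later steps;
    # keep that order, and never set 0x80 while BootMgrSigned2023 is $false.
    $cur = (Get-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    Set-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -Type DWord -Value (([int]$cur) -bor 0x40)
    Start-ScheduledTask -TaskName $UpdateTask
    'Servicing task started; reboot, re-run this script and look for event 1808.'
}
```

Run it without -Apply from your management tool and collect the posture object per device; a fleet is done when every row shows DbHasWindowsUefiCa2023, KekHas2023 and BootMgrSigned2023 as True. DbxRevokesPca2011 should turn True only after the boot manager column has, which is also the point at which older installation and recovery media signed only under PCA 2011 stop booting on those machines and need to be rebuilt.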

What Happens If You Do Nothing

The consequences of inaction are real, but they are not the hard stop the headline suggests. UEFI firmware has no trusted clock and does not evaluate certificate validity dates during Secure Boot verification, so a device that still carries only the 2011 certificates keeps booting the boot manager it already has; Safe Mode and startup repair are irrelevant because nothing fails. What the device loses is the ability to take any further Secure Boot update. On such a device the sequence unfolds like this:

  1. Microsoft stops signing new boot components under the 2011 certificates; new Windows Boot Manager builds carry a Windows UEFI CA 2023 signature instead.
  2. The boot manager swap is gated on the Windows UEFI CA 2023 being present in db, so with no 2023 CA in firmware the servicing step leaves the 2011-signed bootmgfw.efi in place rather than render the device unbootable.
  3. db and dbx updates are authenticated against the KEK. Once the KEK CA 2011 expires, new variable updates are signed under the KEK 2K CA 2023; firmware that lacks that KEK rejects the write, so the device can no longer receive new revocations either.
  4. The device is therefore frozen at its current boot-security baseline: any later boot manager vulnerability that Microsoft mitigates by revocation stays exploitable on it.
  5. Nothing is displayed to the user. The gap is visible only in the Secure Boot servicing events and registry state, which is why fleet auditing matters.

Where a device can actually break is mis-ordering. If the Windows Production PCA 2011 is placed in dbx while the device still runs a PCA 2011-signed boot manager, or while recovery and installation media signed only under PCA 2011 are still in use, those binaries will no longer load. That is why the revocation is the last step, why Windows gates it on the boot manager already being 2023-signed, and why boot media must be rebuilt before it. Recovery from a mis-ordered revocation means clearing or disabling Secure Boot in firmware setup—a manual toggle that many enterprise laptops lock down—or booting from updated media, neither of which is scalable.

For IT-managed fleets, the risk is multiplied by the number of endpoints: a revocation pushed before media and boot managers are updated means hands-on firmware-setup work on every affected device, a logistical nightmare.

OEM and SoC Vendor Readiness

Major OEMs have shipped firmware containing the Windows UEFI CA 2023 since 2023, but the rollout has been uneven. Dell, HP, and Lenovo have published support articles and firmware update schedules. Do not infer the state from the OS version a machine shipped with: models released before the new CA existed, and older models upgraded from Windows 10, often lack it until a firmware update arrives. Check the firmware release notes for the string “Windows UEFI CA 2023” or “Secure Boot certificate update,” and confirm on the device by reading db.

System-on-Chip vendors like Qualcomm (for Windows on Arm) and AMD have integrated the CA into their reference firmware images, but downstream device manufacturers sometimes lag. For self-built systems or white-box hardware, the responsibility falls on the motherboard maker, and enthusiast boards often go years without a firmware refresh. Firmware setup usually offers a “restore factory keys” option for Secure Boot; that only helps if the factory key set already contains the 2023 certificates.

The Virtualization Caveat

Virtual machines present a unique challenge because their “firmware” is software. In Hyper‑V, a Generation 2 VM’s UEFI variables live in its saved configuration and state files alongside the .vmcx, seeded from the host’s Secure Boot template when the VM is created. Host updates refresh the template for new VMs; existing VMs get the new certificate only when the in-guest servicing step writes it, and a VM restored from an older checkpoint comes back with the older variable store. Administrators should verify the VM’s db directly, checking for the Windows UEFI CA 2023 entry under the Microsoft signature owner GUID 77fa9abd-0359-4d30-b60d-14a4f42d585d.

For VMware ESXi, the default keys in the virtual UEFI firmware depend on the ESXi build and the VM’s virtual hardware version; check VMware’s knowledge base for which builds include the 2023 certificates and whether the in-guest update is supported on older ones. Nutanix AHV, Proxmox and other KVM-based hypervisors use OVMF, where the Secure Boot keys live in the per-VM variable store (OVMF_VARS) populated from the distribution’s OVMF templates, so an updated template reaches new VMs while existing VMs need the in-guest update or a re-seeded variable store. Consult your vendor’s knowledge base.

The Linux and Open-Source Angle

The Microsoft UEFI CA 2011 was never exclusive to Windows. Many Linux distributions have their shim bootloader signed under it to achieve broad hardware compatibility without requiring users to import custom keys. The shim loader acts as an intermediary, validating the distribution’s grub and kernel using its own embedded vendor certificate while relying on the Microsoft CA to pass Secure Boot on the hardware.

After June 2026, Microsoft will sign new shim builds under the Microsoft UEFI CA 2023 rather than the 2011 CA. Shims already installed keep booting, since firmware does not check expiry, but a shim update signed only under the 2023 CA will not load on firmware whose db lacks it, so the firmware db and the distribution’s shim package have to move together; check your distribution’s release notes for which shim version made the switch. Deployments that have pinned older shim binaries for compatibility reasons will need to update along with everyone else. IT shops running Secure Boot–enabled Linux servers should run mokutil --db (not mokutil --list-enrolled, which lists only the machine owner keys) and look for “Microsoft UEFI CA 2023” and “Windows UEFI CA 2023” among the db certificates.

Microsoft’s Official Guidance and Tools

Microsoft has documented the transition in extensive technical detail:

  • KB5025885 – “How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932” documents the Windows UEFI CA 2023 rollout, the AvailableUpdates registry values, the scheduled task and the verification commands step by step.
  • Microsoft Defender for Endpoint and Intune device reports surface Secure Boot state per device; use them to track fleet coverage rather than relying on firmware version alone.
  • Windows Update for Business rings should be configured so the monthly cumulative updates carrying the 2023 certificates and boot manager reach every ring on schedule.
  • Microsoft Intune compliance policies can require Secure Boot to be enabled (Device Health), which flags devices where the whole exercise is moot, but the certificate update itself is driven by the registry-controlled servicing step.

Disabling Secure Boot in UEFI setup is not a mitigation. The expiry does not stop a device from booting, so there is no outage to bridge, and turning Secure Boot off removes the very protection the whole exercise exists to preserve. A critical system that cannot receive the 2023 certificates in time should be tracked as unpatchable at the boot level, isolated accordingly, and scheduled for a firmware update or replacement.

Looking Beyond June 2026

The expiration of the 2011 certificates closes a chapter on the original Secure Boot trust model. The new Windows UEFI CA 2023 and its companions are valid for more than a decade from issue, giving the industry a much longer runway. More importantly, the shift forced the entire ecosystem—OEMs, hypervisor vendors, Linux distributions—to overhaul their firmware update pipelines. The result is a more resilient infrastructure where certificate rollovers are no longer a once-in-a-decade panic.

For IT professionals, the immediate lesson is the importance of firmware lifecycle management. UEFI firmware is no longer a static ROM; it’s now a dynamic, updateable component that must be patched as regularly as the OS itself. Tools like Dell Command Update, HP Image Assistant, and Windows Autopatch should be integrated into the monthly security rhythm.

The June 2026 deadline is not an end, but a checkpoint. Organizations that have already completed the phased rollout can attest to the quiet simplicity of a well-executed certificate transition. For those still scrambling, the next 90 days are critical.