
Secure Boot Certificates Expire June 2026 — Your Devices Could Stop Booting

Microsoft's 2011 Secure Boot certificates begin expiring in June 2026. If you manage Windows devices for clients, this requires action now — not when the deadline hits.

Microsoft published a Secure Boot playbook for certificate expiration that every IT admin and MSP needs to read. The 2011 Secure Boot certificates that have been validating boot integrity on nearly every Windows PC shipped in the last 15 years are expiring. If your devices don't have the replacement 2023 certificates installed, they could eventually fail to boot.

This isn't a theoretical risk. Microsoft has stated that once the old certificates expire, they could push a DBX (forbidden signature database) update that actively revokes them — bricking any device that hasn't been updated.

The Timeline

  • Now: Inventory & prepare devices
  • Jun 2026: KEK CA 2011 & UEFI CA 2011 expire
  • Oct 2026: Windows Production PCA 2011 expires
  • After Oct 2026: Microsoft may revoke old certs via DBX

Which Certificates Are Affected?

Certificate                       Expires         Replacement
KEK CA 2011                       June 2026       KEK CA 2023
UEFI CA 2011                      June 2026       UEFI CA 2023
MS Windows Production PCA 2011    October 2026    Windows UEFI CA 2023

Devices manufactured since 2024 likely already have the 2023 certificates. Anything older — which is most of your fleet — needs to be updated.

How to Check Your Devices

Microsoft provides a registry key to check the update status on each device:

Registry Check: UEFICA2023Status

Check HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot for the UEFICA2023Status value. If it reads "updated", that device is good. Anything else (including a missing value) needs attention.

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name UEFICA2023Status

If you're managing devices through Microsoft Intune, you can use the Windows Autopatch Secure Boot status report to see which devices across your fleet have been updated and which haven't.

Four Ways to Deploy the New Certificates

Option 1 — Recommended

Microsoft Intune

If you're already managing devices through Intune, this is the cleanest path. Three settings to configure:

  • Enable SecureBoot Certificate Updates — turns on the deployment mechanism
  • Configure Microsoft Update Managed Opt In — enrolls devices in the controlled rollout
  • Configure High Confidence Opt-Out — controls whether high-confidence devices auto-update

This is the method we use for all TenantIQ-managed clients.

Option 2

Registry Key (Manual or GPO)

Set AvailableUpdates to 0x5944 at:

HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot → AvailableUpdates = 0x5944

Option 3

Group Policy

Navigate to Computer Configuration > Administrative Templates > Windows Components > Secure Boot and set "Enable Secure Boot certificate deployment" to Enabled.

Option 4

Windows Configuration System (WinCS)

For Windows 11 25H2, 24H2, and 23H2 domain-joined devices, use the WinCS feature Feature_AllKeysAndBootMgrByWinCS with key value F33E0C8E002.

Critical Things to Know

What This Means for MSPs

If you manage devices for multiple clients, this is a fleet-wide operation that needs to start now — not in May when everyone panics. Here's the MSP playbook:

  1. Inventory immediately. Run the registry check across all managed devices. Know your numbers: how many are updated, how many aren't, how many have Secure Boot disabled.
  2. OEM firmware sweep. Push firmware updates through Intune or WSUS before deploying certificates. Dell, HP, and Lenovo all have Intune-deployable BIOS update packages.
  3. Deploy via Intune. Use the three Intune settings to enable certificate deployment across all clients. This is the only method that scales across a multi-tenant MSP practice.
  4. Monitor and report. Use the Autopatch Secure Boot report or custom compliance policies to track deployment progress. Include this in your next QBR.
  5. Communicate proactively. Send clients a brief explaining the deadline and what you're doing about it. This is a trust-building moment.
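The registry check above and step 1 of the playbook (count updated, not updated, and Secure Boot disabled devices) can be rolled into one inventory function. This is an added example, not code from Microsoft's playbook or from TenantIQ; it assumes an elevated session, the built-in SecureBoot PowerShell module, and treats an ASCII substring match over the raw signature database (db) as a coarse indicator that the 2023 CA is present.

```powershell
# Added example: per-device Secure Boot certificate inventory for the MSP playbook.
# Assumptions: elevated session, SecureBoot module available (UEFI Windows 8+).
function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $false
        UEFICA2023Status  = 'not present'   # value missing = update not yet attempted
        Db2023CA          = $null           # does db already hold Windows UEFI CA 2023?
        Action            = ''
    }

    # Devices with Secure Boot off (or legacy BIOS) will not receive the update.
    try   { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $result.SecureBootEnabled = $false }   # cmdlet throws on non-UEFI platforms

    # The registry value Microsoft documents for update status.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $prop = Get-ItemProperty -Path $key -Name UEFICA2023Status -ErrorAction SilentlyContinue
    if ($prop) { $result.UEFICA2023Status = $prop.UEFICA2023Status }

    # Secondary check (assumption: coarse ASCII match over the raw db variable is enough):
    # is the replacement CA already in the signature database?
    if ($result.SecureBootEnabled) {
        try {
            $db = (Get-SecureBootUEFI -Name db).Bytes
            $result.Db2023CA = [System.Text.Encoding]::ASCII.GetString($db) -match 'Windows UEFI CA 2023'
        } catch { $result.Db2023CA = $false }
    }

    # Classify for the inventory report.
    $result.Action = switch ($true) {
        (-not $result.SecureBootEnabled)         { 'Secure Boot disabled: enable in firmware, then deploy'; break }
        ($result.UEFICA2023Status -eq 'updated') { 'OK'; break }
        default                                  { 'Needs certificate update (push OEM firmware first)' }
    }
    return [pscustomobject]$result
}

# Fleet use: run against a device list and summarise the counts for the QBR.
# devices.txt is a constructed placeholder for your own inventory source.
# Invoke-Command -ComputerName (Get-Content .\devices.txt) -ScriptBlock ${function:Get-SecureBootCertStatus} |
#     Group-Object Action | Select-Object Count, Name
```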

The full Microsoft playbook with detailed instructions for every scenario is available at aka.ms/GetSecureBoot.

Don't wait for June. The devices that will cause problems are the old ones — the machines that haven't been rebooted in weeks, the server in the closet nobody touches, the laptop the CEO uses once a month. Those are the ones that won't have the update, and they're the ones that will hurt the most when they stop booting.

Need help with Secure Boot certificate deployment?

Our Intune Baseline includes Secure Boot certificate deployment along with 9 other security policies. We can audit your fleet, push firmware updates, and deploy the 2023 certificates across all your devices.
