Please see the following scheduled Microsoft change:
Date: June 2026 and October 2026
The following work is being completed: Several original Microsoft certificates used by the Secure Boot feature in Unified Extensible Firmware Interface (UEFI)-based firmware are nearing expiration. These certificates, stored in the Key Enrollment Key (KEK) and Secure Boot Signature Database (DB), have been in place since the introduction of Secure Boot with Windows 8.
All affected groups: Technical support staff responsible for device security, firmware updates, and hardware lifecycle management
All affected processes: If the certificates expire, Secure Boot-enabled Windows devices risk not receiving security updates or trusting new boot loaders which may compromise serviceability and security.
Duration of impact: This is a permanent, Microsoft-driven change.
Necessary follow-up steps: To continue running Windows and receiving regular updates for Secure Boot configurations, the following UEFI Secure Boot DB and KEK must be updated with the corresponding new 2023 certificate versions:
| Expiring Certificate | Expiration Date | New Certificate | Storing Location |
| Microsoft Corporation KEK CA 2011 | June 2026 | Microsoft Corporation KEK CA 2023 | Stored in KEK |
| Microsoft Windows Production PCA 2011 | October 2026 | Windows UEFI CA 2023 | Stored in DB |
| Microsoft UEFI CA 2011 | June 2026 | Microsoft UEFI CA 2023 | Stored in DB |
| Microsoft UEFI CA 2011 | June 2026 | Microsoft Option ROM CA 2023 | Stored in DB |
Additional information:
- Frequently Asked Questions about Secure Boot Update Process
- Windows Secure Boot Certificate Expiration Updates
Questions? Please contact Crimson Service Desk at crimsonservicedesk@wsu.edu or 509-335-4357.