Please see the following scheduled Microsoft change:
Date: June 2026 (An exact date is not available for WSU’s Microsoft environment.)
The following work is being completed: Several original Microsoft certificates used by the Secure Boot feature in Unified Extensible Firmware Interface (UEFI)-based firmware will expire. If the certificates expire, Secure Boot-enabled Windows devices risk no longer receiving security updates or being able to trust new boot loaders, which may compromise serviceability and security.
All affected groups: Technical support teams responsible for device security, firmware updates, and hardware lifecycle management
All affected processes:
- The following certificates will expire:
  - Microsoft Corporation KEK Certificate Authority (CA) 2011
  - Microsoft UEFI CA 2011
- Impacted certificates are stored in the Key Enrollment Key (KEK) and Secure Boot Signature Database (DB).
Duration of impact: This is a permanent, Microsoft-driven change.
Necessary follow-up steps: Teams should update the following certificates with their corresponding 2023 certificate versions:
| Expiring Certificate | New Certificate | Storing Location | Purpose |
|---|---|---|---|
| Microsoft Corporation KEK CA 2011 | Microsoft Corporation KEK CA 2023 | Stored in KEK | Signs updates to DB and Secure Boot Revoked Signature Database (DBX) |
| Microsoft UEFI CA 2011 | Microsoft UEFI CA 2023 | Stored in DB | Signs third-party boot loaders and EFI applications |
| Microsoft UEFI CA 2011 | Microsoft Option ROM CA 2023 | Stored in DB | Signs third-party option ROMs |
Additional information:
- Secure Boot Update Process Frequently Asked Questions
- Windows Secure Boot Certificate Expiration Updates
Questions? Please contact Crimson Service Desk at crimsonservicedesk@wsu.edu.