Prepare for the first global large-scale certificate update to Secure Boot.
The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expi...
We run Windows Server on Hypervisor VMware version 8, latest version. In this case, it is a Windows Server 2016 with all Windows updates installed.
For Secure Boot certificates expiring in 2026, we have now tried this on a test server that has been in existence for several years.
We have set the registry entry for Available Updates to the value 0x5944. We have restarted the server several times.
Now the following is evident, if I have understood the Microsoft articles correctly (screenshots below).
The DBX and DB are updated. In the opened EFI file I see the new files.
The UEFI Secure Boot certs look as follows.
The certs are up to date except for the KEK.
Status of UEFICA2023Status => InProgress
UEFI2023Error => 800703e6
The question now arises as to whether this is sufficient in this constellation after the certificates expire, or whether boot problems will arise. In other words, how can the KEK be replaced, and is this absolutely necessary to ensure that Secure Boot still works after the old certificates expire in 2026, or will problems arise with a virtual Windows server on HyperVisor?