We run Windows Server on the VMware hypervisor, version 8, latest version. In this case, it is a Windows Server 2016 with all Windows updates installed.
For Secure Boot certificates expiring in 2026, we have now tried this on a test server that has been in existence for several years.
We have set the registry entry for Available Updates to the value 0x5944. We have restarted the server several times.
Now the following is evident, if I have understood the Microsoft articles correctly (screenshots below).
Updates for DBX and DB are updated. In the opened EFI file I see the new files.
The UEFI Secure Boot certs look as follows.
The Certs are up to date except for the KEK.
Status of UEFICA2023Status => InProgress
UEFI2023Error => 800703e6
The question now arises as to whether this is sufficient in this constellation after the certificates expire, or whether boot problems will arise. In other words, how can the KEK be replaced, and is this absolutely necessary to ensure that Secure Boot still works after the old certificates expire in 2026, or will problems arise with a virtual Windows server on a hypervisor?