Event details
Is June 24, 2026 (the expiration date of the old KEK) a hard deadline?
After this date, will the procedure for deploying the new certificates to the DB and signing the boot manager with the new certificate no longer work?
Or will it still be possible after June 24 by using the registry entry together with running the scheduled task?
Yes, the KEK certificate expires on that date, Microsoft UEFI CA 2011 expires on June 27th and Microsoft Windows Production PCA 2011 on October 19, 2026. These are hard deadlines.
The procedure for updating the certificates does not change after the certificates begin expiring. What changes is the ability of the device to get security updates for the boot-level components.
When Secure Boot certificates expire on Windows devices - Microsoft Support
- obmarek, May 20, 2026, Occasional Reader
Thank you for the clarification. Just to make sure I understand everything correctly:
If, for example, I power on a “forgotten” computer in December 2026 that still contains the old certificates, will I still be able to perform the certificate update procedure on it without issues, so that the device can continue receiving security updates for boot components?
Am I understanding this correctly?
- Arden_White, May 20, 2026, Microsoft
Yes, you are correct.
The updates are signed with the expiring certificates - the ones the device already trusts. The device firmware does not care that the certificates have expired and will accept the updates after the certificates have expired. The need for renewing the certificates is for proper PKI (Public Key Infrastructure) practices to keep devices secure.