Event details

It's time for our third Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot playb...
Pearl-Angeles
Updated Apr 21, 2026
AMA
Arden_White's avatar
Arden_White
Icon for Microsoft rankMicrosoft
May 20, 2026

Yes, the KEK certificate expires on that date, Microsoft UEFI CA 2011 expires on June 27th and Microsoft Windows Production PCA 2011 on October 19, 2026. These are hard deadlines.

The procedure for updating the certificates does not change after the certificates begin expiring. What changes is for the ability of the device to get security updates to the boot level components.

When Secure Boot certificates expire on Windows devices - Microsoft Support

obmarek's avatar
obmarek
Occasional Reader
May 20, 2026

Thank you for the clarification. Just to make sure I understand everything correctly:

If, for example, I power on a “forgotten” computer in December 2026 that still contains the old certificates, will I still be able to perform the certificate update procedure on it without issues, so that the device can continue receiving security updates for boot components?

Am I understanding this correctly?

  • Arden_White's avatar
    Arden_White
    Icon for Microsoft rankMicrosoft
    May 20, 2026

    Yes, you are correct.

    The updates are signed with the expiring certificates - the ones the device already trusts. The device firmware does not care that the certificates have expired and will accept the updates after the certificates have expired. The need for renewing the certificates is for proper PKI (Public Key Infrastructure) practices to keep devices secure.