Event details
The Intune report “Secure Boot status” shows 1980 up-to-date, 2272 not up-to-date and 57 n/a.
This report shows my device is up-to-date, which tallies with the UEFICA2023Status reg key showing as “updated”, but Get-UEFICertificate -Type KEK still shows it expires 24/06/2026, even after multiple reboots.
We raised a Microsoft Premier Support ticket with the Intune team, who advised that Intune is working and that we need to open another ticket with the Windows team to investigate the expiry date still showing 2026 despite the reg key showing "Updated".
Is this expected behaviour and should we ignore the 2026 expiry date, or is the reg key not reporting correctly, please?
Get-UEFICertificate -Type KEK shows 2 Microsoft KEKs:
CN=Microsoft Corporation KEK 2K CA 2023 = expiry date 2038
CN=Microsoft Corporation KEK CA 2011 = expiry date 2026
Do we just ignore the 2011 KEK?
- mihi (Copper Contributor), Feb 05, 2026
The 2011 KEK can be ignored, it has no impact on security (assuming Microsoft does not get breached and leaks the private key to it :-D). Same applies to additional (expired) KEKs from your OEM, if present.
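A way to see both KEKs side by side with the servicing flag on one machine, as an added example that is not code from this thread or from Microsoft: it reads the raw KEK variable with the built-in Get-SecureBootUEFI cmdlet, walks the EFI_SIGNATURE_LIST structures, decodes each X.509 entry, and then reads the UEFICA2023Status value. The registry path HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing, the helper names Get-KekCertificates and Get-UefiCa2023Status, and the subject-name matching patterns are assumptions for this example; only the value name UEFICA2023Status and the two CN strings come from the thread. Run it from an elevated PowerShell session on a UEFI machine with Secure Boot enabled.

```powershell
# Added example: enumerate the X.509 certificates enrolled in the UEFI KEK variable
# and show them next to the Secure Boot servicing registry flag.
# Requires an elevated session; Get-SecureBootUEFI needs admin rights.

# EFI_CERT_X509_GUID from the UEFI specification: marks a signature list of DER certificates.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-KekCertificates {
    $bytes  = (Get-SecureBootUEFI -Name KEK).Bytes
    $offset = 0
    # Each EFI_SIGNATURE_LIST: SignatureType GUID (16), SignatureListSize (4),
    # SignatureHeaderSize (4), SignatureSize (4), header, then the signatures.
    while ($offset + 28 -le $bytes.Length) {
        $sigType  = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { break }   # malformed list; stop rather than loop forever
        if ($sigType -eq $EfiCertX509Guid) {
            $pos = $offset + 28 + $hdrSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID followed by the DER certificate.
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Get-UefiCa2023Status {
    # Assumed location of the UEFICA2023Status value written by Secure Boot servicing.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    (Get-ItemProperty -Path $key -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status
}

$certs = @(Get-KekCertificates)
$certs | Format-Table Subject, NotAfter -AutoSize

$kek2023 = $certs | Where-Object { $_.Subject -like '*KEK 2K CA 2023*' }
$kek2011 = $certs | Where-Object { $_.Subject -like '*KEK CA 2011*' }

"UEFICA2023Status registry value: $(Get-UefiCa2023Status)"
if ($kek2023) {
    "2023 KEK enrolled, valid until $($kek2023.NotAfter.ToString('yyyy-MM-dd'))."
} else {
    "2023 KEK NOT enrolled: the KEK update has not been applied to this firmware."
}
if ($kek2011) {
    "2011 KEK still enrolled (expires $($kek2011.NotAfter.ToString('yyyy-MM-dd'))); the update appends the 2023 KEK rather than removing this one."
}
```

The output makes the thread's observation concrete: the servicing update adds the 2023 KEK alongside the 2011 one instead of replacing it, so a listing that still shows the 2011 entry with its 2026 expiry is consistent with UEFICA2023Status reading "Updated". What a defender should key on is the presence of the 2023 KEK; the presence of the older entry by itself is not a failed update.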