Event details

It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot play...
Heather_Poulsen
Updated Jan 29, 2026
AMA
shend141's avatar
shend141
Copper Contributor
Feb 05, 2026

Get-UEFICertificate -Type KEK shows 2 Microsoft KEKs:-


CN=Microsoft Corporation KEK 2K CA 2023 = expiry date 2038

CN=Microsoft Corporation KEK CA 2011 = expiry date 2026

Do we just ignore the 2011 KEK?

mihi's avatar
mihi
Copper Contributor
Feb 05, 2026

The 2011 KEK can be ignored, it has no impact on security (assuming Microsoft does not get breached and leaks the private key to it :-D). Same applies to additional (expired) KEKs from your OEM, if present.