The short answer. Starting June 24, 2026, the original 2011 Secure Boot certificates begin expiring and are being replaced by 2023 certificates. Devices that miss the update still boot and still get normal Windows updates — but they can no longer receive new boot-chain security protections. Windows client PCs get the new certificates automatically via Windows Update; Windows Server requires manual action. Do not disable Secure Boot to dodge the issue. Three moves: inventory your fleet, confirm clients are pulling updates, and manually service your servers.

Published · HI Tech Hui · ~6 min read

Why this matters for Hawaii businesses

Secure Boot is the firmware control that stops a tampered or malicious bootloader from loading before Windows even starts. It works because your system firmware trusts a small set of Microsoft certificates baked in at the factory. Those certificates were issued in 2011, and after roughly 15 years they are reaching end of life. Microsoft has been clear about the timing: “After 15 years, the Secure Boot certificates that are part of Windows systems will start expiring in June 2026” (Microsoft Support, KB5062710).

The reason this belongs on an executive’s radar — not just an engineer’s — is the failure mode. Nothing breaks loudly on the deadline. Microsoft confirms that “devices that haven’t received the newer 2023 certificates will continue to start and operate normally, and standard Windows updates will continue to install” (Microsoft Support). The cost is invisible: those devices “will no longer be able to receive new security protections for the early boot process,” including updates to Windows Boot Manager, the Secure Boot databases, and revocation lists. A server in that state is exposed to the next boot-level vulnerability with no path to a fix — and you will not get an alert telling you so.

What is actually expiring

This is not a single certificate swap. Microsoft is rotating several certificates on different dates, and the 2011 UEFI CA is being split into two 2023 certificates for “finer control over system trust” (Microsoft Support):

  • Microsoft Corporation KEK CA 2011 — expires June 24, 2026. This Key Exchange Key is what authorizes updates to your Secure Boot allow and deny lists; it is replaced by Microsoft Corporation KEK 2K CA 2023.
  • Microsoft UEFI CA 2011 — expires June 27, 2026. It signs third-party UEFI components and is replaced by two certificates: Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023.
  • Microsoft Windows Production PCA 2011 — expires October 19, 2026. It signs the Windows bootloader and is replaced by Windows UEFI CA 2023.

The June dates are the near-term forcing function. Be precise about what expiry does and does not do: UEFI firmware does not check certificate validity dates, so boot components already signed under the 2011 certificates keep booting after June; what ends is Microsoft's ability to sign new updates with them. The KEK is the linchpin because it is the key that signs changes to the allow (DB) and deny (DBX) lists: once it lapses, the channel that pushes new boot-list entries and revocations to a device is gone, so prioritize getting the 2023 KEK in place first. The October date matters too, since the Windows boot manager will move to a build signed by Windows UEFI CA 2023, which only loads on devices that already carry that CA in their DB.

Clients update themselves — servers do not

This is the single most important operational distinction, and it is where unmanaged fleets get caught. Microsoft delivers the new certificates to most Windows client PCs automatically: “Most Windows devices will receive the updated certificates automatically, and many OEMs provide firmware updates when needed” (Microsoft Support). Many PCs built since 2024 already shipped with the 2023 certificates.

Windows Server is the exception. It does not receive the 2023 certificates through the automatic client rollout, so for any server that does not already include them, an administrator has to apply them deliberately. Microsoft publishes a dedicated Windows Server Secure Boot playbook for exactly this case. Treat domain controllers, Hyper-V hosts, and any bare-metal Windows Server as manual work items, not “it’ll sort itself out” assets.

The readiness check we run for clients

  1. Inventory what runs Secure Boot. Build a list of Windows clients and, separately, every Windows Server instance — physical and virtual. The server list is your manual-action queue.
  2. Confirm clients are actually pulling updates. Automatic only helps devices that are connected and patching. For organization-managed PCs, Microsoft provides a Group Policy control under Computer Configuration > Administrative Templates > Windows Components > Secure Boot to enable certificate deployment (Microsoft Support). Devices that are offline, behind on updates, or excluded from patch rings will not self-heal.
  3. Service your servers by hand. Work through Microsoft’s Windows Server playbook to apply the 2023 KEK and DB certificates, and obtain any required OEM firmware updates so the certificates apply cleanly.
  4. Verify, then watch the indicator. Starting in 2026, Windows surfaces certificate status in the Windows Security app under Device security > Secure Boot — a quick visual confirmation that a device is current (Microsoft Support).
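To turn steps 1 through 4, and the certificate list above, into something you can run, here is an added example (HI Tech Hui example code, not a Microsoft script): it reads the KEK and db variables from firmware, parses the EFI_SIGNATURE_LIST records into certificates, reports which 2023 CAs are present, and states the next action for that machine. It assumes an elevated PowerShell 5.1 or later session on a UEFI machine, the Secure Boot cmdlets that ship with Windows (Confirm-SecureBootUEFI, Get-SecureBootUEFI), and that the UEFICA2023Status value under the SecureBoot\Servicing registry key exists only on builds that carry the certificate-servicing feature; the host names in the usage note are constructed.

```powershell
# Added example: read-only readiness check for the 2011 -> 2023 Secure Boot certificate rotation.
# HI Tech Hui example code, not a Microsoft script. Run elevated, PowerShell 5.1+, UEFI system.

# EFI_CERT_X509_GUID: signature lists of this type carry DER-encoded X.509 certificates.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootVariableCertificates {
    # Parse a Secure Boot variable (KEK or db) into X509Certificate2 objects.
    # The variable is a run of EFI_SIGNATURE_LIST records:
    #   GUID SignatureType (16) | UINT32 SignatureListSize | UINT32 SignatureHeaderSize |
    #   UINT32 SignatureSize | header bytes | N x (GUID SignatureOwner + SignatureData)
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)

    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $certs  = New-Object 'System.Collections.Generic.List[System.Security.Cryptography.X509Certificates.X509Certificate2]'
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        $sigType  = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        # Stop on a malformed list rather than loop forever or read past the buffer.
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }
        if ($sigType -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            $pos = $offset + 28 + $hdrSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # Skip the 16-byte SignatureOwner GUID; the remainder is the DER certificate.
                $der = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $certs.Add([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der))
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
    return $certs
}

function Get-SecureBootCertReadiness {
    # One record per machine: Secure Boot state, which 2023 CAs are present, and the next action.
    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $isServer = $os.ProductType -ne 1      # 1 = workstation, 2 = domain controller, 3 = member server

    $r = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        OS             = $os.Caption
        IsServer       = $isServer
        SecureBootOn   = $false
        Kek2023        = $false   # Microsoft Corporation KEK 2K CA 2023 present in KEK
        WinUefi2023    = $false   # Windows UEFI CA 2023 in db (replaces Windows Production PCA 2011)
        MsUefi2023     = $false   # Microsoft UEFI CA 2023 in db (third-party UEFI components)
        OptionRom2023  = $false   # Microsoft Option ROM UEFI CA 2023 in db
        KekCerts       = ''
        DbCerts        = ''
        ServicingState = $null    # UEFICA2023Status; assumed present only on builds with the servicing feature
        NextAction     = ''
    }

    try   { $r.SecureBootOn = [bool](Confirm-SecureBootUEFI) }
    catch { $r.NextAction = 'Legacy BIOS or Secure Boot unsupported: certificate update does not apply; flag for hardware review'
            return [pscustomobject]$r }
    try {
        $kekCerts = @(Get-SecureBootVariableCertificates -Name KEK)
        $dbCerts  = @(Get-SecureBootVariableCertificates -Name db)
    } catch { $r.NextAction = "Could not read Secure Boot variables: $($_.Exception.Message)"; return [pscustomobject]$r }

    # Report every CA with its expiry straight from firmware, so the 2011 dates are visible per device.
    $describe = { '{0} (expires {1:yyyy-MM-dd})' -f $_.GetNameInfo('SimpleName', $false), $_.NotAfter }
    $kekNames = @($kekCerts | ForEach-Object { $_.GetNameInfo('SimpleName', $false) })
    $dbNames  = @($dbCerts  | ForEach-Object { $_.GetNameInfo('SimpleName', $false) })
    $r.KekCerts      = ($kekCerts | ForEach-Object $describe) -join '; '
    $r.DbCerts       = ($dbCerts  | ForEach-Object $describe) -join '; '
    $r.Kek2023       = $kekNames -contains 'Microsoft Corporation KEK 2K CA 2023'
    $r.WinUefi2023   = $dbNames  -contains 'Windows UEFI CA 2023'
    $r.MsUefi2023    = $dbNames  -contains 'Microsoft UEFI CA 2023'
    $r.OptionRom2023 = $dbNames  -contains 'Microsoft Option ROM UEFI CA 2023'

    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
    if ($svc -and $svc.PSObject.Properties['UEFICA2023Status']) { $r.ServicingState = $svc.UEFICA2023Status }

    $ready = $r.Kek2023 -and $r.WinUefi2023 -and $r.MsUefi2023 -and $r.OptionRom2023
    $r.NextAction = if (-not $r.SecureBootOn) { 'Secure Boot is off: re-enable it in firmware, then re-check' }
                    elseif ($ready)           { 'Current: 2023 KEK and db certificates present' }
                    elseif ($isServer)        { 'Manual: apply 2023 KEK/db per the Windows Server Secure Boot playbook; check OEM firmware first' }
                    else                      { 'Client: confirm Windows Update reach and the Secure Boot certificate GPO; re-check after the next cumulative update' }
    return [pscustomobject]$r
}

# Top-level call, so the same file works locally and with Invoke-Command -FilePath across a fleet.
Get-SecureBootCertReadiness
```

Run it locally with `.\Get-SecureBootReadiness.ps1 | Format-List`, or build the manual-action queue for step 3 with `Invoke-Command -ComputerName DC01, HV01, FS02 -FilePath .\Get-SecureBootReadiness.ps1 | Export-Csv .\secureboot-readiness.csv -NoTypeInformation` (constructed host names). Parsing the signature lists rather than grepping the raw bytes for a name means a stray string in a vendor signature cannot produce a false "current"; a machine that reports Kek2023 false is missing the channel for future DB/DBX updates regardless of what its boot manager says. Hyper-V Generation 2 guests must be checked from inside the guest, since each VM carries its own Secure Boot variable store.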

Pitfalls that trip teams up

  • Do not disable Secure Boot. It is tempting as a “make the warning go away” move, but Microsoft warns it removes protection against boot-level malware and can erase the updated certificates. If it is on, leave it on.
  • OEM firmware can be a prerequisite. Some devices need a manufacturer firmware update before the new certificates apply correctly — budget time for vendor patches, not just Windows Update.
  • Virtual machines count. UEFI-based VMs and their hosts have Secure Boot too, and a Hyper-V Generation 2 guest carries its own Secure Boot variable store, so a current host does not make its guests current. Don’t inventory only laptops and physical servers.
  • Compliance dependencies. Microsoft notes that over time, missing updates “may affect scenarios that rely on Secure Boot trust, such as BitLocker hardening.” If you attest to disk encryption or boot integrity for an audit, this is in scope.

Where this fits in your security roadmap

This is fundamentally a lifecycle and patch-discipline problem, which is why the same fleet visibility that drives our CISA KEV patching SLA approach applies here: you can only update what you can see. It also rhymes with the end-of-support planning in our Windows 10 ESU year-one plan — both are cases where a hard vendor date quietly degrades security unless someone owns the calendar. The work is not hard; the risk is that no one is assigned to it.

FAQ for executives

Is there a cost to this?

For most client PCs, no — the certificate updates arrive through normal Windows Update at no added license cost. The cost is labor: inventorying the fleet and manually servicing each Windows Server, plus any OEM firmware updates. For a small business with a handful of servers, that is a contained project; for a regulated firm with audit obligations, it is worth documenting.

How urgent is this really if devices keep booting?

The urgency is about exposure, not uptime. After the June dates, an un-updated device cannot receive future boot-chain security fixes or revocations. If a boot-level vulnerability is disclosed later in 2026, prepared devices get protected and the rest stay exposed indefinitely. Doing the work before the deadline keeps every device on a path to future protection.

Sources


Not sure which of your servers still trust the 2011 certificates? HI Tech Hui provides managed IT and cybersecurity services — including fleet inventory, Secure Boot and firmware servicing, and 24/7 monitoring through our SOC. Contact us for a Secure Boot certificate readiness review.

Ready when you are

Let’s scope your IT & security plan.

Talk with a Honolulu-based engineer about managed IT, cybersecurity, or a 24/7 SOC handoff. We’ll review your current environment, identify the highest-impact gaps, and outline a clear next step — with no obligation.

HI Tech Hui team