TL;DR: Microsoft's original 2011 Secure Boot certificates, including the Microsoft Corporation KEK CA 2011, begin expiring on June 24, 2026, fifteen years after issuance. Every Windows PC and VM produced since 2012 needs the new Windows UEFI CA 2023 and Microsoft Corporation KEK 2K CA 2023 deployed to its firmware before the deadline, or the device will lose the ability to install Secure Boot security updates and will stop trusting third-party software signed with the new certificates. For NC small businesses, this is a fleet-wide, firmware-level patching project, not a routine Windows Update.
Key takeaway: This is not a Windows feature change. It is a one-time, irreversible firmware certificate rotation that affects every Windows device built in the last 14 years. Miss it, and the affected machines silently lose boot-level security coverage.
Need a Secure Boot readiness review before June 24? Preferred Data Corporation can inventory your fleet, deploy the 2023 certificates, and verify each machine. Call (336) 886-3282 or request a Secure Boot readiness audit.
What is happening with Windows Secure Boot in June 2026?
Microsoft's first generation of Secure Boot certificates, issued in 2011, hit their 15-year expiration window starting June 24, 2026. Per Microsoft's Windows IT Pro blog, the affected certificates include the Microsoft Corporation KEK CA 2011 (expires June 24, 2026), the Microsoft Windows Production PCA 2011, and the Microsoft Corporation UEFI CA 2011. Microsoft has issued replacements: the Microsoft Corporation KEK 2K CA 2023 and the Windows UEFI CA 2023, which carry the trust chain forward.
The scope is essentially every modern Windows device. According to Microsoft Support's Secure Boot CA update guidance, all Windows PCs and virtual machines produced since 2012, when Secure Boot first shipped with Windows 8, store the 2011 certificates in their UEFI firmware key databases (KEK and DB). Those keys must be updated, in firmware, before the originals expire.
What happens when Secure Boot certificates expire?
Devices keep booting, but they stop receiving boot-level trust updates and lose the ability to verify new Microsoft-signed boot components. Microsoft's Secure Boot Playbook for 2026 is explicit: without the 2023 certificates installed, devices cannot install Secure Boot security updates after June 2026, and they will not trust third-party software (option ROMs, pre-boot agents, third-party bootloaders) signed against the new 2023 chain.
Windows Latest's coverage summarizes the practical outcome: an unpatched Windows 11 PC will keep booting after June 2026, but its Secure Boot trust store becomes frozen in time. Any future Microsoft revocation of a compromised bootloader, or any new pre-boot security update, simply cannot apply. Malwarebytes' deadline writeup puts it in plainer terms for SMB owners: the device becomes invisible to one of the most important layers of Microsoft's defensive stack.
For an NC small business running 25 to 250 Windows endpoints across High Point, Greensboro, Winston-Salem, or the broader Piedmont Triad, the failure mode is silent. Nothing breaks immediately. The fleet just drifts out of compliance with Secure Boot, and the gap widens with every monthly update cycle.
Which devices and components are actually affected?
Practically every Windows PC, server, and Hyper-V VM built since 2012, plus their firmware key stores. The table below maps the affected pieces to what breaks and the corresponding SMB action.
| Affected component | What expires / breaks | NC SMB action |
|---|---|---|
| Microsoft Corporation KEK CA 2011 (in firmware KEK) | Cannot sign updates to the DB or DBX after June 24, 2026 | Deploy Microsoft Corporation KEK 2K CA 2023 to firmware |
| Microsoft Windows Production PCA 2011 (in DB) | Newer Windows boot components signed by 2023 chain won't be trusted | Deploy Windows UEFI CA 2023 to firmware DB |
| Microsoft Corporation UEFI CA 2011 (in DB) | Third-party bootloaders and option ROMs signed against the 2023 chain won't be trusted | Deploy Microsoft UEFI CA 2023 equivalents to DB |
| Secure Boot DBX revocations | Cannot install new revocations of compromised bootloaders | Confirm DBX updates resume post-CA rotation |
| Windows 10/11 desktops and laptops 2012-2026 | Lose ability to install Secure Boot security updates | Inventory, then push 2023 CA updates via WSUS/Intune/RMM |
| Windows Server hosts and Hyper-V VMs | VM firmware key stores need separate update | Update host firmware, then iterate per-VM |
The replacement chain is described in Microsoft's IT Pro blog and Microsoft Support. The new certificates are the Microsoft Corporation KEK 2K CA 2023 (replacing the 2011 KEK CA) and the Windows UEFI CA 2023 (replacing the 2011 Production PCA and UEFI CA entries in the DB).
Quotable definition: Secure Boot is the UEFI firmware feature that verifies every pre-OS component (bootloader, option ROM, early-boot driver) against a trusted certificate store before letting it run. Rotating Microsoft's 2011 certificates to the 2023 chain is what keeps that verification working past June 2026.
How does an NC small business actually deploy the 2023 certificates?
Through a controlled, opt-in firmware update process driven by Windows Update, orchestrated with RMM or Intune, and confirmed by per-device verification. Microsoft's Secure Boot Playbook describes a staged rollout: Microsoft delivers the new certificates through cumulative updates, but applying them to firmware (KEK and DB) is gated by a Windows registry value (the "Microsoft-managed opt-in") and a successful reboot cycle that hands the keys to the UEFI firmware.
For a Piedmont Triad SMB, the practical sequence looks like this:
- Inventory. Build a list of every Windows PC, laptop, server, and Hyper-V VM. Capture OEM, model, firmware version, and current Secure Boot status (`Confirm-SecureBootUEFI` in PowerShell).
- Pilot. Pick a small pilot group (5-10 percent of the fleet) covering each major OEM (Dell, HP, Lenovo, Microsoft Surface). Enable the Microsoft-managed opt-in registry value and verify the 2023 certs land in firmware.
- OEM firmware prerequisites. Some OEMs require a BIOS/UEFI update before the 2023 CA update will take. Apply OEM firmware first where required.
- Stage rollout. Push the opt-in via Intune, WSUS, or your RMM in waves of 10-25 percent. Reboot, verify, move on.
- Verify per device. Use PowerShell (`Get-SecureBootUEFI` for KEK and DB) or Microsoft's published verification steps to confirm both the 2023 KEK and the 2023 DB entry are present on each machine.
- Document. Log per-asset status. This is the evidence trail you will need for cyber insurance renewals (see our insurance-readiness audit guide) and for any future audit.
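The inventory and verify steps above, as one per-device PowerShell check (an added example, not a script from the article or from Preferred Data Corporation). It uses the built-in SecureBoot module cmdlets and matches the certificate subject names the article lists; the `Ready` and `Notes` fields and the CSV path are this example's own conventions.

```powershell
# Run elevated on each endpoint (e.g. pushed by RMM). Returns one object per
# device suitable for the per-asset evidence log the rollout calls for.
function Get-SecureBootCertStatus {
    $hw   = Get-CimInstance Win32_ComputerSystem
    $bios = Get-CimInstance Win32_BIOS
    $result = [ordered]@{
        ComputerName           = $env:COMPUTERNAME
        Manufacturer           = $hw.Manufacturer
        Model                  = $hw.Model
        FirmwareVersion        = $bios.SMBIOSBIOSVersion
        SecureBootEnabled      = $null
        KEK2011Present         = $null
        KEK2023Present         = $null
        DB_WindowsUEFICA2023   = $null
        DB_MicrosoftUEFICA2023 = $null
        Ready                  = $false   # example's own field: both 2023 certs in firmware
        Notes                  = ''
    }
    try {
        # Throws on legacy-BIOS machines, which are out of scope for this rotation
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $result.Notes = "Not a UEFI/Secure Boot capable system: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    # Certificate subjects are stored as single-byte text inside the DER blobs,
    # so a string match over the raw variable bytes is enough to detect presence.
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $result.KEK2011Present         = $kek -match 'Microsoft Corporation KEK CA 2011'
    $result.KEK2023Present         = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    $result.DB_WindowsUEFICA2023   = $db  -match 'Windows UEFI CA 2023'
    $result.DB_MicrosoftUEFICA2023 = $db  -match 'Microsoft UEFI CA 2023'
    # The two certificates the article calls out as required before June 24, 2026
    $result.Ready = $result.KEK2023Present -and $result.DB_WindowsUEFICA2023
    if (-not $result.Ready) {
        $result.Notes = 'Enable the Microsoft-managed opt-in, reboot, and re-check'
    }
    return [pscustomobject]$result
}

# One row per device, appended to a fleet-wide CSV (constructed path for this example)
Get-SecureBootCertStatus |
    Export-Csv -Path "$env:ProgramData\SecureBootRotation.csv" -Append -NoTypeInformation
```

Expect the 2011 KEK to remain present alongside the 2023 one during the transition; the check that matters for readiness is that the 2023 entries have landed.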
The rollout is irreversible on a per-device basis once the firmware accepts the new keys, which is why pilot-first matters. A managed IT partner that already runs a Windows patching program for your fleet is the cheapest path to a clean rollout.
Want this driven for you? Preferred Data Corporation delivers managed IT services and managed cybersecurity across the Piedmont Triad. Call (336) 886-3282 or contact us to scope a Secure Boot rotation for your fleet.
What are the real risks of doing nothing?
Three. First, devices silently lose Secure Boot security update coverage, so any future compromised-bootloader revocation (the kind tracked in CISA's Known Exploited Vulnerabilities catalog) cannot apply. Second, devices reject new third-party pre-boot software signed against the 2023 chain, which over time breaks remote management agents, full-disk encryption tooling, and recovery media. Third, the audit and insurance exposure: by mid-2026, "are your endpoints patched against KB5025885 and the 2023 CA update?" becomes a routine cyber insurance underwriting question, joining MFA, EDR, and immutable backups as a baseline control.
Microsoft's IT Pro blog is unambiguous about the timing pressure: this is a one-time, every-Windows-device project, and the deadline is fixed. Doing it under a managed program in May or June 2026 is cheap. Doing it after a compromised-bootloader incident in late 2026 is not.
Why does outsourcing the Secure Boot rotation make sense?
Because it is a fleet-wide firmware project with verification overhead and OEM-specific prerequisites, and most NC small businesses do not have the in-house bench to run it cleanly across 25, 100, or 250 devices. A managed IT partner already has the RMM, the patch reporting, and the per-OEM firmware-update muscle memory to drive the rotation in waves, verify each device, and produce the per-asset evidence pack.
Preferred Data Corporation has supported North Carolina small and mid-sized businesses for 37+ years, founded in 1987 and headquartered at 1208 Eastchester Drive, Suite 131, High Point, NC 27265. We deliver on-site within 200 miles of High Point, covering Greensboro, Winston-Salem, the broader Piedmont Triad, Charlotte, and Raleigh. We pair the Secure Boot rotation with our standard managed IT services, managed cybersecurity, and hardware procurement and lifecycle, so the firmware update slots into the same patch and inventory program that already runs your environment.
Beat the June 24 deadline. Call (336) 886-3282 or contact Preferred Data Corporation to schedule a Secure Boot readiness audit for your NC business.
Frequently Asked Questions
Will my Windows 11 PC stop booting after June 2026?
No. Per Windows Latest and Microsoft's own guidance, devices keep booting normally. What they lose is the ability to install future Secure Boot security updates and to trust newer third-party software signed against the 2023 certificate chain. The damage is cumulative and silent, not a hard failure on day one.
Which exact certificates are expiring?
The Microsoft Corporation KEK CA 2011 expires on June 24, 2026, with the Microsoft Windows Production PCA 2011 and the Microsoft Corporation UEFI CA 2011 also reaching end of life in the same window. They are replaced by the Microsoft Corporation KEK 2K CA 2023 and the Windows UEFI CA 2023, per Microsoft Support.
Does this affect Windows Server and Hyper-V VMs?
Yes. Each Windows Server host and each Hyper-V virtual machine carries its own firmware key store, so the 2023 KEK and DB updates have to be applied at both the host and VM level. Microsoft's Secure Boot Playbook walks through the VM-specific path.
Can I roll back if something breaks?
Not easily. Once the 2023 certificates are written into UEFI firmware, the change is per-device persistent. That is exactly why Microsoft and most managed IT providers recommend a small pilot wave with OEM-specific verification before pushing the update across the full fleet.
How long does a Secure Boot rotation take for a 100-device NC SMB?
For a typical 100-endpoint Piedmont Triad SMB, a managed rotation usually runs 4 to 8 weeks end to end: a week of inventory and OEM firmware prerequisites, a 1 to 2 week pilot, and 2 to 4 weeks of staged rollout and per-device verification. Doing it inside a managed program is materially faster than from a standing start.
How does this interact with cyber insurance?
Expect carriers to add it to renewal questionnaires through 2026. As detailed in our 2026 cyber insurance readiness guide, underwriters now want evidence that endpoints are patched against current Microsoft advisories, and the Secure Boot 2023 CA update will be on that list. A documented rotation with per-asset evidence is the cleanest answer.
Where can I read Microsoft's official guidance?
Start with Microsoft's Windows IT Pro blog announcement, the Microsoft Support CA update article, and the Secure Boot Playbook for Certificates Expiring in 2026. Those three documents are the authoritative source.
Related Resources
- Managed IT Services for NC Businesses - Fleet-wide patch, monitor, and verify
- Managed Cybersecurity Services - Boot-level to application-layer protection
- Hardware Procurement and Lifecycle - OEM firmware and endpoint refresh
- 2026 Cyber Insurance Readiness for NC SMBs - Evidence-ready controls for renewal
- Contact Preferred Data Corporation - Schedule a Secure Boot readiness audit