Microsoft is rolling out new Secure Boot certificates (2023 versions) to replace the expiring 2011 certificates. This update adds three new certificates to the UEFI KEK and DB variables. Devices must complete this rollout before June 2026 or they'll stop receiving Secure Boot security fixes.
What gets added:
Microsoft Corporation KEK 2K CA 2023 (KEK)
Microsoft UEFI CA 2023 (DB)
Microsoft Option ROM UEFI CA 2023 (DB)
The Fix
The rollout uses a registry key and scheduled task. Run as Administrator:
# Step 1: Set the registry key
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x5944 -Type DWord
# Step 2: Run the update task
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
# Step 3: Reboot
Restart-Computer
After reboot, run the task one more time to update the boot manager:
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
Restart-Computer
If That Doesn't Work: Check Status Codes
Monitor the registry for progress:
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" |
Select-Object AvailableUpdates, UEFICA2023Status, UEFICA2023Error
Status codes:
AvailableUpdates = 0x5944 - Update queued
AvailableUpdates = 0x4100 - Boot manager update pending (reboot again)
AvailableUpdates = 0x4000 - Complete
UEFICA2023Error != 0 - Check firmware compatibility
Enterprise Deployment Script
For SCCM, Intune, or GPO deployment:
# SecureBootCertUpdate.ps1
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot"
# Skip devices that already carry the 2023 DB certificate (same check as the Verify section)
$current = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
if ($current) {
    Write-Output "Already updated"
    exit 0
}
Set-ItemProperty -Path $regPath -Name "AvailableUpdates" -Value 0x5944 -Type DWord
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
Write-Output "Update initiated - reboot required"
# 3010 = soft reboot required (understood by SCCM and Intune)
exit 3010
Verify
Confirm the 2023 DB certificate is present:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
The expression returns True once the certificate is present. At that point the AvailableUpdates registry value should read 0x4000 (16384 decimal).
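A combined status and verification script that decodes the registry values from the status-code section and confirms every 2023 CA named in this post is present in KEK and DB. This is an added example, not a script from the original post: the certificate names are the ones listed above (plus Windows UEFI CA 2023 from the Verify command), the exit codes are my own convention, and it must run as Administrator.

```powershell
# Get-SecureBoot2023Status.ps1 (added example, not the post's own script)
# Decodes the AvailableUpdates / UEFICA2023Status / UEFICA2023Error values
# from the status-code section and checks KEK and DB for the 2023 CAs.
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot"

# Certificate subject names sit as plain ASCII inside the DER-encoded
# signature lists, so a string match over the raw variable bytes suffices.
function Get-VariableText([string]$Name) {
    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Name).Bytes)
}

try {
    if (-not (Confirm-SecureBootUEFI)) { Write-Warning "Secure Boot is disabled."; exit 2 }
} catch {
    Write-Warning "Secure Boot is not supported on this platform."; exit 2
}

$reg   = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
$avail = [int]$reg.AvailableUpdates
$state = switch ($avail) {
    0x5944  { 'Update queued' }
    0x4100  { 'Boot manager update pending (reboot again)' }
    0x4000  { 'Complete' }
    default { 'Unrecognized value' }
}

# Names taken from the post; KEK/db are the variable names Get-SecureBootUEFI expects.
$expected = @{
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
    db  = @('Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023', 'Windows UEFI CA 2023')
}
$missing = foreach ($var in $expected.Keys) {
    $text = Get-VariableText $var
    foreach ($ca in $expected[$var]) {
        if ($text -notmatch [regex]::Escape($ca)) { "${var}: $ca" }
    }
}

[pscustomobject]@{
    AvailableUpdates = ('0x{0:X4}' -f $avail)
    RolloutState     = $state
    UEFICA2023Status = $reg.UEFICA2023Status
    UEFICA2023Error  = $reg.UEFICA2023Error
    Missing2023CAs   = ($missing -join '; ')
} | Format-List

# Exit codes (my convention): 0 = complete and all CAs present,
# 1 = firmware error reported (check compatibility), 2 = not applicable or still in progress.
if ($reg.UEFICA2023Error) { exit 1 }
if ($avail -eq 0x4000 -and -not $missing) { exit 0 }
exit 2
```

The exit codes make the script usable as an Intune compliance or SCCM baseline check, where a non-zero result flags devices that still need attention.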
Managing Secure Boot updates across a large fleet? Contact us for enterprise deployment assistance.