The original 2011 Secure Boot certificates start expiring in June 2026. Microsoft is replacing them with 2023 versions, and devices that miss the rollout stop getting Secure Boot security fixes like new revocation lists and boot mitigations. The PC still boots, but its boot-level protection slowly goes stale.
Here is the early warning. Open Windows Security, go to Device security, and check the Secure Boot status. A red icon there means the new certificates have not landed yet. Most Windows devices need this update, so seeing the alert is normal right now.
Three certificates get added: Microsoft Corporation KEK 2K CA 2023 to the KEK, plus Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 to the DB.
The Fix
Install the May or June 2026 cumulative update first, since that ships the certificates and the servicing task. Then trigger the rollout. Run PowerShell as Administrator:
# Step 1: Set the registry key
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot" -Name "AvailableUpdates" -Value 0x5944 -Type DWord
# Step 2: Run the update task
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
# Step 3: Reboot
Restart-Computer

After the reboot, run the task one more time to update the boot manager:

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
Restart-Computer

Watch the Status Codes
Monitor the registry while the rollout runs:
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" |
Select-Object AvailableUpdates, UEFICA2023Status, UEFICA2023Error

Read AvailableUpdates like this: 0x5944 means the update is queued; 0x4100 means a boot manager update is pending, so reboot again; 0x4000 (16384 decimal) means it finished. If UEFICA2023Error is anything other than 0, the device firmware needs attention. Check for an OEM firmware update before retrying.
Deploy Across a Fleet
For SCCM, Intune, or GPO rollouts, gate the change so machines that already have the 2023 certificate skip it:
# SecureBootCertUpdate.ps1
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot"

# Gate on the same DB certificate name the Verify step checks, so a machine that already
# carries the 2023 DB certificate is skipped and the servicing task is not re-queued.
$dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).Bytes)
$current = $dbText -match 'Windows UEFI CA 2023'
if ($current) {
    Write-Output "Already updated"
    exit 0
}

# Queue the certificate update and kick the servicing task; the rest happens at reboot.
Set-ItemProperty -Path $regPath -Name "AvailableUpdates" -Value 0x5944 -Type DWord
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
Write-Output "Update initiated - reboot required"

# 3010 is the soft-reboot exit code SCCM and Intune understand.
exit 3010

Verify
Confirm the 2023 DB certificate is present:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

It returns True when the rollout is complete, and the AvailableUpdates value lands on 0x4000. If a device acts up afterward, Microsoft supports rolling the certificates back, so there is no need to reimage.
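The status-code reading and the DB verification above can be combined into one report object that a fleet tool can collect. This is an added example, not the original post's script; the function name, the output fields and the list of three 2023 DB certificate names are my own choices, and the registry values and status codes are the ones described above.

```powershell
# Added example (not from the original post): report the 2023 certificate rollout state
# on the local machine by decoding AvailableUpdates and inspecting the Secure Boot DB.
function Get-SecureBoot2023Status {
    [CmdletBinding()]
    param()

    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot"
    $reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue

    # Status codes as described in the post; anything else is reported as raw hex.
    $codes = @{
        0x5944 = 'Queued'
        0x4100 = 'Boot manager update pending - reboot again'
        0x4000 = 'Complete'
    }
    $avail = if ($null -ne $reg.AvailableUpdates) { [int]$reg.AvailableUpdates } else { 0 }
    $phase = if ($codes.ContainsKey($avail)) { $codes[$avail] } else { 'Unknown (0x{0:X4})' -f $avail }

    # The DB is a DER blob; certificate subject names are plain ASCII inside it,
    # so a substring match on the exact CA name is enough to detect presence.
    # (Certificate names assumed from the post; adjust if your OEM publishes others.)
    $wanted = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
    $found = @()
    try {
        $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).Bytes)
        $found = $wanted | Where-Object { $dbText -match [regex]::Escape($_) }
    } catch {
        # Legacy BIOS or a firmware without Secure Boot support throws here.
        Write-Warning "Could not read the Secure Boot DB: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $(try { Confirm-SecureBootUEFI } catch { $false })
        AvailableUpdates  = '0x{0:X4}' -f $avail
        Phase             = $phase
        UEFICA2023Status  = $reg.UEFICA2023Status
        UEFICA2023Error   = $reg.UEFICA2023Error
        DbCerts2023       = ($found -join ', ')
        # Non-zero error means the firmware rejected the update: look for an OEM firmware fix.
        NeedsFirmwareFix  = ($null -ne $reg.UEFICA2023Error -and [int]$reg.UEFICA2023Error -ne 0)
    }
}

Get-SecureBoot2023Status | Format-List
```

Run it as Administrator; a machine is done when Phase is Complete, all three names appear in DbCerts2023 and NeedsFirmwareFix is False.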
Managing Secure Boot updates across a large fleet? Contact Rain City Techworks for enterprise deployment help.