Microsoft’s long-delayed Secure Boot certificate rollover now has a firm start date: June 2026. Organizations that fail to prepare will face machines that refuse to boot after the update—or worse, silently lose protection without anyone noticing.

The Windows UEFI CA 2023 certificate replaces the aging Windows Production PCA 2011, the root of trust that has signed every UEFI bootloader and driver since Windows 8. When the old certificate expires, firmware that hasn’t ingested the new trust anchor will treat legitimate Windows components as untrusted. The result is a blue-screened boot loop, often unrecoverable without manual intervention.

This isn’t a theoretical risk. Microsoft and industry partners saw the chaos firsthand with the BootHole remediation in 2020, when a revoked third-party signer bricked countless Linux and dual-boot systems. The lesson: certificate updates at the UEFI level demand meticulous planning. The playbook below distills official Microsoft guidance, OEM documentation, and field experience from early testers into a phased readiness plan.

What’s Changing and Why

Secure Boot relies on a chain of digital signatures anchored in the firmware’s trusted certificate store. Since 2012, that anchor has been the Windows Production PCA 2011. It signs Microsoft’s first-stage bootloader, which in turn validates the OS kernel and drivers. If the firmware doesn’t recognize a signature, boot stops.

The original certificate was never meant to live forever. Microsoft originally slated the transition to the new Windows UEFI CA 2023 for early 2023, but pushback from OEMs and enterprise customers forced a multi-year delay. The primary concern: millions of devices in the field with firmware that ships with only the old certificate and cannot be updated automatically from within Windows. Adding the new certificate requires a firmware capsule update—something many IT departments have never done at scale.

Firmware vendors have been shipping devices with both the old and the new certificates since at least 2020, but the installed base is far from uniform. Consumer PCs, aging servers, and repurposed industrial equipment often run firmware snapshots frozen years ago. For them, June 2026 isn’t a deadline for a simple regkey change; it’s a hardware lifecycle event.

The Rollout Timeline

Phase Date What Happens
Pre-rollover Now – May 2026 Devices with modern firmware already trust both certificates. IT teams inventory and test.
Initial enforcement June 2026 Microsoft begins signing boot components with the new certificate for all supported Windows versions (Windows 10, Windows 11, Windows Server 2022 and later).
Phased revocation Q3 2026 – Q4 2027 Older, unsigned or revoked drivers may be blocked gradually via Windows Update and Defender updates.
Complete transition TBD The old PCA 2011 certificate may eventually be removed from the firmware trust store through future OEM firmware updates, ending dual-signing. Microsoft has not published a hard removal date.

Note: Microsoft has stated it will not revoke the old certificate in a way that renders existing dual-signed firmware unbootable. However, new boot applications signed only with the new certificate will not boot on firmware that trusts only the old one. This is the key failure point.

Step 1: Inventory Secure Boot State Across Your Fleet

You can’t fix what you can’t see. The first task is to determine exactly which devices already trust the new certificate and which do not.

Microsoft provides a PowerShell cmdlet that checks the firmware’s certificate store:

Confirm-SecureBootUEFI -Path $env:systemdrive\EFI\Microsoft\Boot\bootmgfw.efi

This command verifies whether the firmware would accept a boot application signed with the new certificate. It returns True if the device is ready, False if not. Run it against every Windows 10/11 and Server 2022+ endpoint under your management.

For large fleets, wrap the check in a Configuration Manager compliance baseline, a Group Policy logon script, or an Intune proactive remediation. The output should feed your asset database with a new column: SecureBoot2026Ready. Devices returning False are your remediation targets.

Don’t overlook virtual machines. Hyper-V Gen2 VMs with the standard Microsoft UEFI firmware template will typically be ready, but VMs using third-party UEFI firmware (e.g., VMware UEFI, Citrix PVS) may lag. VMware has committed to updates for ESXi 8.0 and later; check your hypervisor vendor’s roadmap.

Step 2: Acquire and Test OEM Firmware Updates

The only way to add the new certificate to firmware that lacks it is a firmware capsule update. These updates are device-specific, signed by the OEM, and delivered either through Windows Update (as “Firmware” category updates) or via manual download from the manufacturer’s support portal.

Start by building a catalog of models and firmware versions known to include the Windows UEFI CA 2023 certificate. Major OEMs have begun publishing compatibility lists:

  • Dell: Support article SLN322633 enumerates Latitude, OptiPlex, and Precision models with compliant firmware versions. Dell Command Update can push the capsule.
  • HP: HP customer advisory 230413 lists EliteBook, ProBook, and Z workstation models. HP Image Assistant automates detection.
  • Lenovo: ThinkShield Secure Boot Support Matrix details ThinkPad and ThinkSystem models. Lenovo System Update handles deployment.
  • Microsoft Surface: Surface UEFI firmware aggregator has already included the new certificate since early 2022 via Windows Update; most in-support Surfaces are ready.

Custom or white-box machines based on retail motherboards pose a bigger challenge. ASUS, ASRock, Gigabyte, and MSI have varying levels of UEFI capsule update maturity. Many consumer boards rely on the end user to manually flash a BIOS update from a USB drive. For business fleets that include such machines, you must either integrate manual BIOS flashing into your imaging workflow or accept that these devices won’t be ready and will require replacement.

Once you have firmware updates in hand, test them in a representative staging environment. Don’t assume the process is benign. Common pitfalls include:

  • BitLocker recovery prompts if the firmware update changes the PCR banks.
  • Unexpected reboot loops on systems with third-party bootloaders (GRUB, rEFInd).
  • Loss of custom boot order or UEFI variables after flash.
  • Incompatibility with Secure Boot configuration policies set via Intune or Group Policy.

Record your findings and create a runbook that precisely matches each device model to its update procedure, expected behavior, and rollback steps.

Step 3: Validate with Microsoft’s Test-Signing Certificate

Microsoft offers a test-signed EFI file that uses the new certificate’s chain. You can place this file in the EFI system partition and attempt to boot it to confirm the firmware trusts the new anchor without altering your production environment.

The test binary and instructions are available from the Microsoft Security Response Center’s GitHub repository under the Secure Boot supplement. Download the TestBootx64.efi and a helper script that configures a one-time boot entry. Execute on your test devices and observe whether the screen displays a “Certificate trusted” message. This validation step catches edge cases that Confirm-SecureBootUEFI might miss, especially on firmware with partial or corrupted variable stores.

Step 4: Pre-stage the Certificate via UEFI Variable (Advanced)

In theory, the new certificate can be injected directly into the Secure Boot “db” variable without a full firmware update. This is how Linux distributions manage their own MOK (Machine Owner Key). Microsoft does not officially support this method for the Windows UEFI CA, but some enterprise UEFI configuration tools allow it. Tread carefully: manipulating the db variable incorrectly will brick Secure Boot or even the entire UEFI setup. This path should only be attempted by organizations with deep UEFI expertise and a hardware-based recovery strategy (e.g., dual BIOS, JTAG).

Step 5: Operationalize Firmware Updates with Existing Management Tools

Once validated, move updates into your standard endpoint management pipeline. The exact approach depends on your toolchain:

  • Microsoft Intune: Use the “Firmware” category in Windows Driver Updates to approve compliant firmware versions. Pair with a proactive remediation that flags devices still missing the certificate.
  • Windows Autopilot: Ensure the latest firmware is staged in the factory image or applied during the Enrollment Status Page phase. Work with your OEM to include the certified firmware in new device orders.
  • SCCM/MECM: Deploy firmware updates as packages, using collection queries that filter on Secure Boot readiness status. Needing a reboot, schedule these during maintenance windows.
  • Third-party RMM: Leverage custom scripting that retrieves the update from the OEM’s catalog API and invokes the capsule installer with the /quiet flag.

Monitor the rollout with telemetry. A simple KPI is “Percentage of devices returning Confirm-SecureBootUEFI = True” tracked weekly. Set a target of 95% or higher before June 2026.

Step 6: What If You Miss the Deadline?

If June 2026 arrives and a subset of devices hasn’t received the firmware update, those machines will still boot as long as Microsoft continues to dual-sign boot components. At least initially, Microsoft has committed to dual-signing “for the foreseeable future.” But there is no SLA for how long that dual-signing lasts. The moment Microsoft signs a critical security fix solely with the new certificate—say, to address a UEFI bootkit—unprepared devices become vulnerable and unbootable in one stroke.

Your containment options include:

  • Network isolation: Keep unprepared devices off production networks to reduce attack surface.
  • BIOS setting: Temporarily disable Secure Boot on legacy machines, but only as a last resort, since this turns off a foundational security control.
  • Forced refresh: Budget for accelerated hardware replacement of machines that cannot be updated.

The Security Imperative

Beyond avoiding boot failures, the certificate rollover is a security improvement. The 2011 certificate uses a SHA-256 hash algorithm, which is still considered secure, but the 2023 CA employs stronger RSA key lengths and aligns with newer NIST guidance. The ecosystem is gradually moving toward a more agile trust model where certificates can be rotated without catastrophic disruption—this rollover is a test of that architecture.

For IT teams that treat it as just another maintenance task, the payoff will be invisible: users continue working, and the platform’s integrity remains intact. For those who postpone, the summer of 2026 could become a frantic scramble of helpdesk calls, reimaging, and executive explanations. The difference is a playbook executed today.