
Windows 11 Secure Boot Certificate Expiration June 2026 Fix
Fix Windows 11 Secure Boot certificate expiration in June 2026. Manufacturer rollout timeline, KEK/DB cert renewal steps, BIOS paths, and boot failure recovery.
What is the Windows 11 Secure Boot Certificate Expiration?
Most PCs shipped between 2012 and 2026 trust a small set of Microsoft-issued Secure Boot certificates baked into UEFI firmware: the Microsoft Corporation KEK CA 2011 (Key Exchange Key, expires June 2026), the Microsoft Windows Production PCA 2011 (boot loader signer, expires October 2026), and the Microsoft UEFI CA 2011 (third-party signer, expires June 2026). Once these certificates expire, the firmware can no longer validate updated boot components, leaving affected machines unable to receive future Windows boot updates and, in some scenarios, unable to boot at all after a critical update.
Microsoft began rolling out replacement 2023 certificates through KB5025885 in 2023, but the full sequence — KEK update, DB update, then PCA2023 boot manager — only completes on systems where the OEM has shipped a compatible UEFI firmware. If you ignored the rollout, you must complete it manually before the June 2026 cutoff.
When does it occur?
- After a clean Windows 11 install on hardware delivered before 2024 with no recent BIOS updates
- When `KB5025885` (or its successor `KB5036210`) reports `0x800F0922` or "registry-based mitigation not complete"
- After a UEFI variable reset, CMOS clear, or motherboard replacement
- On dual-boot machines using shim/GRUB signed against the expiring `Microsoft UEFI CA 2011`
- When Windows Update displays "Your device is missing important security and quality fixes" tied to Secure Boot
- On Surface, Dell Optiplex, HP EliteDesk, and Lenovo ThinkCentre fleets still on 2022 firmware
Common causes
- Microsoft KEK CA 2011 expiring June 26, 2026 and DB CA 2011 expiring June 26, 2026
- UEFI firmware never received the OEM update that installs the `Windows UEFI CA 2023` chain
- The diagnostic registry key `MicrosoftUpdateManagedOptIn` is missing, so KB5025885 skipped the certificate stages
- TPM-protected boot variables were wiped (decommissioned chassis, board swap, or BitLocker recovery)
- Linux dual-boot shim binaries signed by the expiring 2011 third-party CA fail validation after rollover
- Secure Boot is enforced on a board whose OEM has not yet released a 2023-cert BIOS (common on motherboards older than 8 years)
- A failed UEFI variable write left the DB partially updated — symptom: boot loader present but firmware rejects it
Step-by-step fixes
- Check which certificates are already trusted — Open PowerShell as administrator and run `[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'`. A `True` response means the new DB certificate is staged. Also run `Get-SecureBootUEFI KEK` and look for `Microsoft Corporation KEK CA 2023` in the byte string. If both 2023 entries are absent, your firmware has not received the rollout yet.
- Force the KB5025885 staged rollout — Open `regedit` and create the key `HKLM\SYSTEM\CurrentControlSet\Control\Secureboot` with a DWORD value `AvailableUpdates` set to `0x40` (stage KEK), then `0x100` (stage DB), then `0x40000` (stage updated boot manager). Apply one stage at a time, reboot twice between each, and verify with `Get-WinEvent -LogName Microsoft-Windows-Kernel-Boot` for event ID `1037` confirming success.
- Dell (OptiPlex, Latitude, Precision) — Dell shipped certificate-renewal BIOS through Dell Command Update starting March 2026. Boot, press F2 to enter BIOS, go to Maintenance > Firmware Update and let the system pull BIOS revision `A28` or later. After flash, in Security > Secure Boot > Expert Key Management, choose Restore Factory Keys to re-enroll the 2023 PK/KEK/DB set.
- HP (ProBook, EliteBook, ZBook, EliteDesk) — HP packages cert updates in the HP BIOS Configuration Utility and `Sure Start` workflow. Hit F10 at boot, navigate to Advanced > Secure Boot Configuration > Reset Secure Boot Keys to Factory Defaults, then Advanced > UEFI Firmware Update to pull build `01.27.00` (2026) which embeds the 2023 KEK. Confirm with `HP Image Assistant` post-reboot.
- Lenovo (ThinkPad, ThinkCentre, Legion) — Use Lenovo Vantage or download the latest UEFI BIOS from support.lenovo.com (look for `N4xUJ` series builds dated April 2026 or later). In BIOS, go to Security > Secure Boot > Reset to Setup Mode, save and reboot, then re-enter and choose Restore Factory Keys so the 2023 chain is enrolled.
- ASUS, ASRock, MSI, Gigabyte (consumer boards) — These OEMs ship cert updates inside regular BIOS releases. Flash the May/June 2026 BIOS using EZ Flash 3 (ASUS), M-Flash (MSI), Q-Flash Plus (Gigabyte), or Instant Flash (ASRock). After the flash, enter BIOS, go to Boot > Secure Boot > Key Management and trigger Reset to Default Keys — this loads the 2023 PK/KEK/DB shipped with the new firmware. Save with F10.
- Surface devices — Microsoft pushes Secure Boot keys through Surface Firmware updates. Open Settings > Windows Update > Advanced options > Optional updates and install any pending Surface UEFI Firmware. Verify Surface UEFI version is `2024.xx.xx` or later. If the device fails to boot post-rollover, hold Vol+ during power-on to enter the Surface UEFI screen and select Security > Reset Secure Boot Keys.
- Linux dual-boot recovery (shim re-signing) — If GRUB stops loading after the rollover, boot from a Windows recovery USB and run `bcdedit /set {bootmgr} path \EFI\Microsoft\Boot\bootmgfw.efi` to fall back to Windows. Then update your distro: Ubuntu users run `sudo apt update && sudo apt install --reinstall shim-signed grub-efi-amd64-signed` to get the `shim 15.8` build signed against the 2023 third-party CA. Fedora users update with `sudo dnf upgrade shim-x64 grub2-efi-x64`.
If it still doesn't work
If the system stops booting after staging the 2023 certificates and shows "Secure Boot Violation: Invalid signature detected" or "Operating system not found", the boot manager was already replaced with the PCA2023-signed version while the firmware DB still trusts only the 2011 chain. Recovery: boot from a Windows 11 24H2 ISO USB, choose Repair your computer > Troubleshoot > Advanced options > Command Prompt, and run `bcdboot C:\Windows /s S: /f UEFI` (substitute your EFI partition letter from `diskpart`). If that fails, temporarily disable Secure Boot in BIOS, boot Windows, run `Repair-WindowsImage -Online -RestoreHealth`, then re-enable Secure Boot and re-run the staged rollout from step 2.
For enterprise fleets, Microsoft's [KB5036210 Secure Boot updates guide](https://support.microsoft.com/topic/kb5036210) is the authoritative reference — it lists the exact event IDs (1036, 1037, 1795) to monitor in Microsoft-Windows-Kernel-Boot and the Intune CSPs (Defender/SecureBoot) to deploy the staged registry values across managed devices. Critical machines should be staged in a pilot ring at least 30 days before the June 26, 2026 cutoff because some OEM firmware bugs only surface after the DB swap.
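As an added readiness check that covers steps 1 and 2 above and the fleet-monitoring advice in the previous paragraph, the script below (written for this page, not Microsoft's or any OEM's tooling) reads the db and KEK variables, the `AvailableUpdates` staging value and the rollout event IDs, and prints one report. It assumes the Kernel-Boot events can be read from the System log by provider name, and it uses a tolerant pattern for the KEK 2023 subject because the exact token between "KEK" and "CA 2023" varies in how firmware reports it.

```powershell
#Requires -RunAsAdministrator
# Added readiness check (not from the article). Reads the UEFI db/KEK variables,
# the KB5025885 staging value and the rollout events, then prints one report.
$ErrorActionPreference = 'Stop'

function Test-SecureBootCert {
    param([string]$Variable, [string]$Pattern)
    # Certificate subject names sit as ASCII inside the DER blobs, so a substring
    # match over the raw variable is the same heuristic the article's step 1 uses.
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    return [bool]([System.Text.Encoding]::ASCII.GetString($bytes) -match $Pattern)
}

$report = [ordered]@{
    SecureBootEnabled  = Confirm-SecureBootUEFI
    DbHasWindowsCA2023 = Test-SecureBootCert db  'Windows UEFI CA 2023'
    DbHasUefiCA2023    = Test-SecureBootCert db  'Microsoft UEFI CA 2023'
    DbStillHasPCA2011  = Test-SecureBootCert db  'Microsoft Windows Production PCA 2011'
    # Tolerant pattern (assumption): matches "Microsoft Corporation KEK ... CA 2023".
    KekHasKekCA2023    = Test-SecureBootCert KEK 'Microsoft Corporation KEK.*CA 2023'
}

# AvailableUpdates is the staging value from step 2; 0 or absent means no stage pending.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$pending = (Get-ItemProperty -Path $regPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
$report.AvailableUpdates = if ($null -eq $pending) { 'not set' } else { '0x{0:X}' -f $pending }

# Rollout events 1036, 1037 and 1795. Assumption: queried from the System log by
# provider name rather than from a dedicated Kernel-Boot log.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Boot'; Id = 1036, 1037, 1795
} -MaxEvents 20 -ErrorAction SilentlyContinue
$report.RecentRolloutEvents = if ($events) {
    ($events | ForEach-Object { '{0} at {1:s}' -f $_.Id, $_.TimeCreated }) -join '; '
} else { 'none' }

[pscustomobject]$report | Format-List

# The failure mode from "If it still doesn't work": a 2023-signed boot manager is
# only safe once db trusts Windows UEFI CA 2023, so flag a half-applied rollout.
if ($report.KekHasKekCA2023 -and -not $report.DbHasWindowsCA2023) {
    Write-Warning 'KEK updated but db lacks Windows UEFI CA 2023: do not stage the boot manager yet.'
}
if (-not $report.KekHasKekCA2023 -and -not $report.DbHasWindowsCA2023) {
    Write-Warning 'No 2023 certificates enrolled: this firmware has not received the rollout.'
}
```

Run it once before each stage and again after the two reboots; a pilot ring that exports these reports gives the fleet-wide view the KB5036210 guide asks you to build before the cutoff.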