Windows Secure Boot Certificate Expiration and CA Updates (KB5062710)
Microsoft is replacing expiring 2011 Secure Boot certificates with 2023 versions to keep Windows devices protected. Affects all Windows 10, Windows 11, and Windows Server editions.

Summary
This guidance article (KB5062710), published June 26, 2025, covers the expiration of Windows Secure Boot certificates originally issued in 2011 and the replacement 2023 certificates Microsoft is rolling out. It applies to Windows 10, Windows 11, and Windows Server editions. This is not a standard cumulative update - it is an advisory and call to action. See Microsoft Support for the official source.
Improvements and fixes
- Microsoft is issuing updated 2023 Secure Boot certificates to replace the original 2011 certificates, which begin expiring in June 2026.
- The Microsoft Corporation KEK CA 2011 is being replaced by Microsoft Corporation KEK 2K CA 2023, stored in the KEK, used to sign updates to the DB and DBX.
- The Microsoft Windows Production PCA 2011 is being replaced by Windows UEFI CA 2023, stored in the DB, used for signing the Windows boot loader.
- The Microsoft UEFI CA 2011 certificate is being split into two separate 2023 certificates: Microsoft UEFI CA 2023 for third-party boot loaders and EFI applications, and Microsoft Option ROM UEFI CA 2023 for third-party option ROMs.
- This split allows finer control over system trust - for example, a system that needs to trust option ROMs can add Microsoft Option ROM UEFI CA 2023 without also granting trust to third-party boot loaders.
- Microsoft will manage the certificate update process automatically on a significant portion of Windows devices and will provide detailed guidance for organizations that manage their own device updates.
- Devices that do not receive the new 2023 certificates before expiration will continue to start and run standard Windows updates, but will no longer be able to receive new security protections for the early boot process.
- Over time, unupdated devices may face reduced protection against emerging threats and may be affected in scenarios relying on Secure Boot trust, such as BitLocker hardening or third-party bootloaders.
Known issues
Microsoft lists no known issues for this update at the time of writing.
How to get this update
Microsoft states that the required actions vary depending on the type of Windows device in use. Most Windows devices will receive the updated certificates automatically. Many OEMs also provide firmware updates where needed. Organizations managing their own device updates should consult the Windows Secure Boot Key Creation and Management Guidance document for detailed instructions. For support, Microsoft directs users to Microsoft Support (select Windows) or to the business support portal to create a new support request.
Frequently asked questions
What happens if I do not update the Secure Boot certificates before they expire?
Devices that have not received the 2023 certificates will continue to start and operate normally, and standard Windows updates will continue to install. However, they will no longer receive new security protections for the early boot process, including updates to Windows Boot Manager, Secure Boot databases, revocation lists, or mitigations for newly discovered boot-level vulnerabilities.
Which certificates are expiring and when?
Four certificates are affected. Microsoft Corporation KEK CA 2011 expires June 24, 2026. Microsoft UEFI CA 2011 expires June 27, 2026. Microsoft Windows Production PCA 2011 expires October 19, 2026. Both the KEK and DB must be updated with the corresponding new 2023 certificate versions to maintain full Secure Boot protection.
Why is the Microsoft UEFI CA 2011 being replaced by two separate certificates?
During renewal of the Microsoft UEFI CA 2011, Microsoft separated boot loader signing from option ROM signing into two distinct certificates. This gives administrators finer control over system trust - a system can be configured to trust option ROMs via Microsoft Option ROM UEFI CA 2023 without also trusting third-party boot loaders via Microsoft UEFI CA 2023.
Do I need to take manual action on managed enterprise devices?
For most Windows devices, Microsoft will manage the certificate update automatically. However, organizations that manage their own device updates will need to take action to ensure both the UEFI Secure Boot DB and KEK are updated with the new 2023 certificate versions. Microsoft will provide detailed guidance specifically for these environments, and the Windows Secure Boot Key Creation and Management Guidance document is the recommended reference.








![Find Exchange Server Version with PowerShell [2025]](/_next/image?url=https%3A%2F%2Fwww.navanem.com%2Fapi%2Fmedia%2Ffile%2Fexchange-build-number-cover.jpg&w=3840&q=75)
