How Do I Verify My UEFI Certificates Before the June Deadline?

Will the June 2026 Secure Boot Expiration Break Your Windows PC?

The industry is approaching a hard deadline for UEFI Secure Boot certificates. The 15-year lifespan of the original certificates—introduced with Windows 8—concludes in June 2026. If your device retains the old certificates past this date, it may fail to boot securely.

Microsoft formally initiated the replacement process on January 13, 2026, integrating new keys into the standard Patch Tuesday updates (specifically KB5074109 for Windows 11). Both the UEFI Secure Boot DB (Allow List) and KEK (Key Exchange Key) require updating to the 2023 versions to ensure continued functionality.

Microsoft’s “High Confidence” Rollout Strategy

To prevent system failures, Microsoft is deploying these updates in controlled waves. The January 2026 update includes logic to identify “high confidence” devices. Your machine will only automatically download and install the new Secure Boot certificate if the update client detects a configuration that guarantees success.

This precautionary measure aims to avoid the boot failures and “bricking” issues observed during the 2025 pilot phases, particularly on specific hardware like older Fujitsu units. If your device does not report a safe update path, the certificate replacement will pause until conditions are met.

Known Issues for Administrators

IT professionals managing fleets via Microsoft Intune must remain vigilant. A confirmed bug currently affects Windows 10 and 11 Pro editions where Secure Boot policies deployed through Mobile Device Management (MDM) fail. This triggers Error Code 65000 and logs the event POLICYMANAGER_E_AREAPOLICY_NOTAPPLICABLEINEDITION. Microsoft is investigating the issue, but no automated fix is currently available.

Verification and Action Steps

Do not wait until June to verify your infrastructure. You must confirm whether the new certificates have been successfully applied.

  1. Registry Verification: Administrators should check the UEFICA2023Status and UEFICA2023Error registry entries. These provide granular details on whether the certificate exchange succeeded or why it was rejected.
  2. System Information: For individual workstations, press Windows + R, type msinfo32, and verify the “Secure Boot State” in the system summary.
  3. PowerShell Validation: Run Confirm-SecureBootUEFI to receive a True/False status. For deeper analysis, use scripts such as Check-UEFISecureBootVariables, available on GitHub, to audit the KEK, DB, and DBX variables directly.
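The three checks above combined into one script, as an added example that is not code from the article or from the Check-UEFISecureBootVariables project. It assumes the Servicing registry path and the 2023 certificate subject names as published in Microsoft's Secure Boot servicing documentation; confirm both against the current documentation before relying on the result.

```powershell
#Requires -RunAsAdministrator
# Added example: report Secure Boot state, the servicing status values written by
# the January 2026 update, and whether the 2023 CAs are present in KEK and DB.

function Test-SecureBootCa2023 {
    $result = [ordered]@{}

    # 1. Is Secure Boot enabled? The cmdlet throws on legacy BIOS or unsupported firmware.
    try   { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $result.SecureBootEnabled = $false; $result.Note = $_.Exception.Message }

    # 2. Servicing status values. Registry path is an assumption taken from
    #    Microsoft's servicing documentation; the value names come from the article.
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $props = Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue
    $result.UEFICA2023Status = $props.UEFICA2023Status
    $result.UEFICA2023Error  = $props.UEFICA2023Error

    # 3. Search the raw KEK and DB variables for the 2023 CA subject names.
    #    Subject strings are assumed from Microsoft's published certificate list.
    $expected = @{
        KEK = @('Microsoft Corporation KEK 2K CA 2023')
        db  = @('Windows UEFI CA 2023',
                'Microsoft UEFI CA 2023',
                'Microsoft Option ROM UEFI CA 2023')
    }
    foreach ($var in $expected.Keys) {
        $raw  = (Get-SecureBootUEFI -Name $var -ErrorAction SilentlyContinue).Bytes
        $text = if ($raw) { [System.Text.Encoding]::ASCII.GetString($raw) } else { '' }
        foreach ($ca in $expected[$var]) {
            $result["${var}: $ca"] = $text.Contains($ca)
        }
    }

    # 4. DBX size as a quick sanity check that the revocation list is populated.
    $dbx = (Get-SecureBootUEFI -Name dbx -ErrorAction SilentlyContinue).Bytes
    $result.DbxBytes = if ($dbx) { $dbx.Length } else { 0 }

    [pscustomobject]$result
}

Test-SecureBootCa2023 | Format-List
```

A device is only fully serviced when SecureBootEnabled is True, UEFICA2023Error is empty or zero, and every KEK and DB line reports True; a False line together with a non-zero UEFICA2023Error is the case to escalate.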