KA-02091 Windows Secure Boot certificate expiration and CA updates (NOTES Jan 2026)

Overview:

Microsoft is transitioning Secure Boot certificates from the 2011 certificate chain to the 2023 certificate chain, because the 2011 certificates begin expiring in June 2026. This change includes updates to the Secure Boot revocation database (dbx) and the introduction of the 2023 Secure Boot certificates (db), including the Microsoft Windows UEFI CA 2023 certificate.

 

Environment:

Tested on V9.0 SR4 build 60 and V9.1 build 1349

Client: Dell E7490 Windows 11 x64 PBU HWE

 

Resolution:
The system was updated to the latest supported Windows version, and Secure Boot updates were applied following Microsoft guidance. After adding the 2023 CAs (“Microsoft UEFI CA 2023” and “Microsoft Option ROM UEFI CA 2023”), the system successfully booted to Windows, confirming normal operation post-update.

Limitation: No supported method was identified to revoke the “Microsoft Corporation UEFI CA 2011” on the system, so this scenario is pending.
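
To confirm which CAs are actually enrolled in db after the update, the following added example (not part of the original note or of Microsoft's guidance) parses the EFI signature lists returned by Get-SecureBootUEFI and reports each certificate's name and expiry. The helper name Get-SecureBootCertificate is hypothetical, and the script assumes an elevated PowerShell session on a UEFI system; the first 2023 CA is matched by its certificate common name, "Windows UEFI CA 2023".

```powershell
# Added example: enumerate the X.509 certificates stored in the Secure Boot db.
# Run from an elevated PowerShell session on a UEFI system with the SecureBoot cmdlets.
$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootCertificate {      # hypothetical helper name
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $offset = 0
    # Each EFI_SIGNATURE_LIST: type GUID (16) + list size (4) + header size (4) + signature size (4)
    while ($offset + 28 -le $Bytes.Length) {
        $typeBytes = [byte[]]::new(16)
        [Array]::Copy($Bytes, $offset, $typeBytes, 0, 16)
        $type       = [Guid]::new($typeBytes)
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        $end        = $offset + $listSize
        if ($listSize -lt 28 -or $end -gt $Bytes.Length) { break }   # malformed list, stop
        if ($type -eq $X509Guid -and $sigSize -gt 16) {
            # Each entry: owner GUID (16 bytes) followed by the DER-encoded certificate
            for ($pos = $offset + 28 + $headerSize; $pos + $sigSize -le $end; $pos += $sigSize) {
                $der = [byte[]]::new($sigSize - 16)
                [Array]::Copy($Bytes, $pos + 16, $der, 0, $der.Length)
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            }
        }
        $offset = $end
    }
}

"Secure Boot enabled: $(Confirm-SecureBootUEFI)"
$certs = Get-SecureBootCertificate -Bytes (Get-SecureBootUEFI -Name db).Bytes
$certs | ForEach-Object {
    [pscustomobject]@{
        CommonName = $_.GetNameInfo('SimpleName', $false)
        NotAfter   = $_.NotAfter
        Thumbprint = $_.Thumbprint
    }
} | Format-Table -AutoSize

# The 2023 CAs and the 2011 CA this note refers to, matched against each certificate subject
foreach ($name in 'Windows UEFI CA 2023', 'Microsoft UEFI CA 2023',
                  'Microsoft Option ROM UEFI CA 2023', 'Microsoft Corporation UEFI CA 2011') {
    $present = [bool]($certs | Where-Object { $_.Subject -like "*CN=$name*" })
    '{0,-36} present in db: {1}' -f $name, $present
}
```

Running it before and after the update shows the 2023 entries appearing in db, and shows whether the 2011 CA is still enrolled.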

 

Reference:

How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support (external link)