Overview
Microsoft's Secure Boot certificate issued in 2011 expires on June 26, 2026. This is a mandatory global transition that will affect every Windows device with Secure Boot enabled, as well as Linux systems. Windows devices require proactive updates to receive the new 2023 certificate; existing Linux installations will continue to work, but new installations and systems will need updated firmware with the new certificates.
This transition is mandatory and will affect every Windows device globally. Delay increases risk of boot failures and security exposure. Preparation and planning must begin immediately.
Understanding the Transition
Q: What is happening on June 26, 2026?
The Microsoft 2011 Secure Boot certificate expires. After this date, Microsoft will no longer use the 2011 key to sign Secure Boot components. A new 2023 Secure Boot certificate is already available and must be deployed to all systems before June 26, 2026, to maintain uninterrupted boot capability and security protection.
Q: Why is this changing now?
The 2011 certificate was issued 15 years ago and has a 15-year expiration window. The transition also addresses the BlackLotus UEFI bootkit vulnerability (CVE-2023-24932), a critical rootkit that exploited outdated Secure Boot protection. The new 2023 certificate includes enhanced security measures to prevent similar threats.
Q: What is Secure Boot?
Secure Boot is a UEFI firmware security feature that verifies the digital signature of every component loaded during system startup. It prevents unauthorized or malicious code from executing before the operating system loads, protecting against rootkits and bootkits. Secure Boot uses Microsoft-signed certificates to validate firmware, bootloaders, and other critical startup components.
Q: How does this affect end users?
For most users, the impact is transparent if their IT teams deploy updates proactively. For those who do not update by June 26, 2026, the impact is severe: systems with Secure Boot enabled will fail to boot if they try to install new bootloader or Secure Boot updates. This can render devices non-functional, requiring physical recovery or reinstallation.
Timeline and Deployment Phases
Q: What is the 2026 Microsoft Certificate Replacement and how does it affect my security software?
Microsoft is replacing the aging 2011 digital certificates stored in your PC's BIOS with a new 2023 Standard. These certificates act as the "Lock" that allows your PC to boot securely. Because the 2011 certificates expire in 2026, any software that starts before Windows such as WinMagic SecureDoc (PBA) must be re-signed with the new 2023 keys.
Q: How do I confirm my system is ready for the 2026 certificate transition?
Simply receiving the update is not the same as being "Ready." Because KB5025885 is delivered as part of your Monthly Cumulative Update (LCU) or comes embedded in newer Windows installation media, the files are likely already on your machine. However, you must verify that the 2023 certificates have successfully "seeded" into your physical NVRAM.
Until this physical handshake is complete, you cannot safely update third-party software like WinMagic SecureDoc. You can confirm readiness using these two methods:
Method 1: The Registry "Handshake" Check
Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
Success (0x4000): If the value UEFICA2023Status is 0x4000, Windows has finished its own certificate update (Windows UEFI CA 2023). Note: this registry value does NOT directly reflect the status of the 3rd-party certificates. When SecureDoc is installed, this value may not reliably reflect the true NVRAM state. Use the PowerShell commands in Method 2 to confirm the 3rd-party certs are physically present.
Staged (0x5944): If the value is 0x5944, the update is pending a reboot or manual opt-in.
Not Active (0x0 or Missing): The update is not yet active in your BIOS.
Method 2: The PowerShell Audit Script
Run your Secure Boot Audit script to perform a live scan of the UEFI variables stored in your motherboard's flash memory.
Success: You should see [+] Found: Windows UEFI CA 2023 in the db variable scan. This confirms the new "Lock" is installed in your BIOS. For full 3rd-party readiness, you must also confirm Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 are present.
Failure: If the script returns [-] Waiting, your BIOS is still relying on the 2011 standard.
Verifying 3rd-party certificates with PowerShell (recommended, most reliable method):
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft UEFI CA 2023'
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft Option ROM UEFI CA 2023'
True: The certificate is installed and active in the Secure Boot DB.
False: The update is incomplete, even if the registry shows 0x4000 (rare, but can happen if firmware failed to save the key). Do not deploy SecureDoc updates until both commands return True.
Note on Microsoft Option ROM UEFI CA 2023: This certificate is critical for devices that had the Microsoft Corporation UEFI CA 2011 in their Secure Boot DB. It signs third-party option ROMs and must be present alongside Microsoft UEFI CA 2023 for full 3rd-party Secure Boot coverage. Not all devices require it, but for those that had the 2011 cert, both 2023 3rd-party certificates must be confirmed present before deploying SecureDoc updates.
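The following script is an added example and is not code from this FAQ, from WinMagic or from Microsoft's KB scripts. It combines the Method 1 registry check and the Method 2 db scan into one readiness object: it interprets UEFICA2023Status using the 0x0 / 0x4000 / 0x5944 meanings given above, decodes the db variable the same way the one-line checks do, and prints the "[+] Found" / "[-] Waiting" lines the text refers to. It assumes an elevated PowerShell session on a UEFI machine (Get-SecureBootUEFI requires administrator rights) and that the three certificate names appear in the db exactly as listed in Method 2.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the WinMagic FAQ or from Microsoft's KB scripts.
# Combines the Method 1 registry "handshake" check with the Method 2 db scan.

$ServicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$StatusName   = 'UEFICA2023Status'

# Certificate subject names expected inside the db variable after the 2023 update.
$RequiredCerts = @(
    'Windows UEFI CA 2023',              # Windows boot manager chain
    'Microsoft UEFI CA 2023',            # 3rd-party loaders such as the SecureDoc PBA
    'Microsoft Option ROM UEFI CA 2023'  # 3rd-party option ROMs (where the 2011 3rd-party CA was present)
)

function Get-SecureBootDbText {
    # Decodes the raw db variable as ASCII; DER stores the subject names as
    # printable characters, so a substring match finds them (same approach
    # as the one-line checks in Method 2).
    $db = Get-SecureBootUEFI -Name db
    return [System.Text.Encoding]::ASCII.GetString($db.Bytes)
}

function Get-RegistryHandshakeState {
    # Interprets UEFICA2023Status with the values listed in Method 1.
    $item = Get-ItemProperty -Path $ServicingKey -Name $StatusName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not Active (value missing)' }
    $value = $item.$StatusName
    switch ($value) {
        0       { 'Not Active (0x0)' }
        0x4000  { 'Success (0x4000): Windows UEFI CA 2023 update finished' }
        0x5944  { 'Staged (0x5944): reboot or manual opt-in pending' }
        default { "Unrecognised value: $value" }
    }
}

function Get-SecureBoot2023Readiness {
    $dbText = Get-SecureBootDbText
    $found  = @{}
    foreach ($cert in $RequiredCerts) {
        # Wildcard match rather than regex, so the names are taken literally.
        $found[$cert] = [bool]($dbText -like "*$cert*")
        if ($found[$cert]) { Write-Host "[+] Found: $cert" }
        else               { Write-Host "[-] Waiting: $cert" }
    }

    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        RegistryState       = Get-RegistryHandshakeState
        WindowsUefiCa2023   = $found['Windows UEFI CA 2023']
        MicrosoftUefiCa2023 = $found['Microsoft UEFI CA 2023']
        OptionRomCa2023     = $found['Microsoft Option ROM UEFI CA 2023']
        # Vendor gate from the text: both 3rd-party 2023 certs must be in the db
        # before a 2023-signed SecureDoc/PBA patch is pushed.
        SafeForSecureDoc    = ($found['Microsoft UEFI CA 2023'] -and $found['Microsoft Option ROM UEFI CA 2023'])
    }
}

Get-SecureBoot2023Readiness | Format-List
```

The registry state is reported separately from the db findings on purpose: as the note above says, the registry value reflects only the Windows UEFI CA 2023 update, so the SafeForSecureDoc field is driven solely by what is physically in the db. On devices whose firmware never carried the 2011 3rd-party CA, the Option ROM result may legitimately stay at "Waiting"; treat that line according to the note rather than as a hard failure.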
Summary Checklist for Vendor Readiness
☐ Update Source: Confirm the latest Monthly Cumulative Update is installed.
☐ Registry State: Verify UEFICA2023Status is 0x4000 (indicates Windows UEFI CA 2023 update; does not confirm 3rd-party cert status, especially with SecureDoc installed).
☐ BIOS Inventory: Confirm Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 are in the Secure Boot DB (use PowerShell commands in Method 2).
☐ Vendor Action: Proceed with SecureDoc/PBA 2023-signed updates.
Q: Does Microsoft provide any scripts or .exe files to run this audit?
Microsoft does not provide a standalone "Audit.exe" application. Instead, it provides official PowerShell scripts and sample code designed for IT administrators to verify the 2026 certificate status across a fleet. These tools are part of the KB5025885 Hardening Guidance. They are designed to query the physical NVRAM on your motherboard to see if the "Lock" (the 2023 certificates) has been successfully applied.
Q: What are the specific Microsoft tools available?
The Certificate Audit Script (PowerShell): Microsoft provides a script that uses the Get-SecureBootUEFI cmdlet. This script scans the db (Authorized Signature Database) and KEK (Key Exchange Key) variables. It looks for the specific thumbprints associated with the 2023 keys.
The "Servicing" Registry Check: While not a script, Microsoft points admins to the HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing key. This is the "Software-side" audit that tells you if Windows thinks the hardware is ready.
The "Script-Package" for Opt-In: Microsoft released a downloadable set of scripts (often referred to as the "KB5025885 Scripts") that allow you to manually trigger the certificate injection if your hardware is stuck in a "Waiting" status.
Q: How do these tools confirm readiness for SecureDoc?
When you run the Microsoft-provided PowerShell logic, you are looking for a specific success string. This is what your audit should target to ensure your SecureDoc PBA will load safely:
[+] Found: Microsoft UEFI CA 2023
[+] Found: Microsoft Option ROM UEFI CA 2023
What they mean: Microsoft UEFI CA 2023 confirms the firmware trusts third-party boot loaders and EFI applications. Microsoft Option ROM UEFI CA 2023 confirms trust for third-party Option ROMs.
Note that this second cert may not be required on all devices, as some firmware configurations don't include it by default.
The next step: Only after the script confirms Microsoft UEFI CA 2023 is present, and Microsoft Option ROM UEFI CA 2023 where applicable, should you push the 2023-signed SecureDoc update from WinMagic. Pushing before confirmation is how you get a Secure Boot Violation and a machine that won't boot.
Q: Where can I find the official script code?
Microsoft maintains the latest version of the audit logic in their technical documentation. You can copy the sample code directly from their support pages:
Official Microsoft Guide: KB5025885 Audit Scripting
Summary for Administrators
Important: Do not look for a "Point-and-Click" tool for this audit. Use the PowerShell scripts provided by Microsoft to pull the data into your management console (like Intune). If the Microsoft script returns a "Waiting" or "Not Found" status, you must address the KB5025885 installation or BIOS settings before attempting to update your SecureDoc environment.
Q: How do I officially detect which machines are ready for the 2026 transition and SecureDoc updates?
Microsoft provides an official PowerShell script designed specifically for this audit. It is documented in KB5072718 as the "Sample Secure Boot inventory data collection script." This script is the gold standard for admins because it doesn't just check if a Windows Update is "Installed" — it queries the physical NVRAM to confirm the hardware has accepted the new 2023 certificates.
Q: How do I use the KB5072718 script?
You can copy the code directly from the Official Microsoft KB5072718 Support Page. For a large fleet, you should deploy this script via Microsoft Intune or SCCM. The script returns an "OverallStatus" variable that tells you exactly where the machine stands in the 2026 timeline.
Q: How do I interpret the "OverallStatus" for SecureDoc?
When running the official audit, pay close attention to these three results. They dictate whether it is safe to update your encryption environment:
| Script Result | Technical Meaning | SecureDoc Action |
| --- | --- | --- |
| "Updated" | The 2023 certificates are physically present in the BIOS. | SAFE. You can deploy 2023-signed PBA packages. |
| "Waiting" | The update is staged, but the BIOS has not yet accepted the keys. | STOP. Do not update SecureDoc. The machine needs a reboot or a manual opt-in. |
| "Not Started" | KB5025885 is missing or the servicing logic hasn't triggered. | STOP. Ensure the latest Monthly Cumulative Update is installed. |
Q: Why should I trust this script over a custom one?
The KB5072718 script is maintained by Microsoft to account for various hardware quirks across different motherboard manufacturers. It checks the three pillars of 2026 readiness:
The Registry: Confirms the 0x4000 handshake status.
The NVRAM: Physically scans for the "Windows UEFI CA 2023" string.
The Boot Manager: Verifies the files on the EFI partition are signed correctly.
Green Light Rule: The official Microsoft script is your "Green Light" for vendor updates. If the script returns "Updated," the hardware "Lock" is ready for the SecureDoc "Key." If it returns any other status, pushing a 2023-signed SecureDoc update will likely cause a Secure Boot Violation and a non-bootable system.
Q: How do I know if I am ready for updates from other vendors (like WinMagic)?
Third-party vendors like WinMagic use the Microsoft UEFI CA (3rd-Party) certificate to sign their Pre-Boot Authentication (PBA) environments. To be ready for a vendor update, your hardware must first trust the 2023 version of that 3rd-party key.
The Readiness Checklist:
Check for the 3rd-Party 2023 Key: In your audit, look for [+] Found: Microsoft UEFI CA 2023.
Check the Timeline: This specific 3rd-party key expires in June 2026.
The Dependency Rule: Do not install a 2023-signed update from a vendor until your audit script shows the 2023 key is Present. If you update the software (the "Key") before the BIOS trusts the new standard (the "Lock"), the machine will fail to boot with a Secure Boot Violation.
Q: What is the risk if I miss the transition deadlines?
The transition follows a strict timeline. Missing these dates could lead to a non-recoverable "No-Boot" scenario in the future.
| Milestone | Date | Consequence if Missing |
| --- | --- | --- |
| 3rd-Party Expiry | June 2026 | SecureDoc PBA and other 3rd-party loaders stop working. |
Q: What is the timeline for this transition?
The transition occurs in two phases:
Deployment Phase (NOW - June 2026): Windows devices receive KB5025885, which seeds the 2023 Secure Boot certificate. Both old and new certificates coexist. Systems continue to boot normally. This phase is critical for preparation.
Enforcement Phase (June 26, 2026 onward): The 2011 certificate expires. Systems that have not installed the 2023 certificate by this date can no longer boot if they need Secure Boot updates. This phase is not recoverable without firmware intervention.
Q: What do I need to do during the Deployment Phase?
During the Deployment Phase, deploy KB5025885 to all Windows devices with Secure Boot enabled. This seeding update installs the 2023 certificate into the firmware database and prepares the system for the transition. Most organizations should complete this phase by Q2 2026 to allow time for verification and troubleshooting before June 26, 2026.
WinMagic SecureDoc Impact
Q: How does the Secure Boot transition affect WinMagic SecureDoc?
SecureDoc Pre-Boot Authentication (PBA) uses the Microsoft UEFI CA (3rd-Party) certificate to boot encrypted systems with Secure Boot enabled. The transition requires the PBA to be re-signed with the 2023 certificate. WinMagic is preparing updated SecureDoc packages signed with the 2023 key and will deliver them through standard distribution channels (WSUS, Intune, direct download).
Q: What is the critical order of operations for SecureDoc deployment?
The order is CRITICAL and must not be reversed:
Install Windows KB5025885 FIRST (installs 2023 certificate into firmware)
Install SecureDoc 2023-signed version SECOND (PBA boots with 2023 key). This will be in the form of a patch.
There will be a 9.2 SR1 hotfix released for customers that have already upgraded to 9.2 SR1. All upgrades of SecureDoc after June 26th should be done with 9.2 SR1 hotfix 1 or above. Any version before that will require you to install the patch before you proceed with the upgrade of any SecureDoc Clients.
⚠ CRITICAL WARNING: Deploying SecureDoc BEFORE KB5025885 will result in a "Secure Boot Violation" error and render the system unable to boot. This is not recoverable without physical intervention or complete system recovery. Always deploy in the correct order.
Q: Does my SecureDoc Enterprise Server need to be upgraded?
The impact depends on the version you are currently running:
If you are on SecureDoc Enterprise Server 8.3 or below and have clients using Secure Boot, this will affect you. Our current patch is unlikely to cover your configuration. Our support for the 2026 certificate transition only extends to SecureDoc 8.6 clients and above.
For supported versions, the fix is a simple .exe patch. This updates the client with new binaries that have been signed with the 2023 certificates from Microsoft.
Important: You must only perform the client-side upgrade after you have verified that all updated certificates have been received and activated. Pushing the patch before the BIOS is ready could cause boot failures. See the verification steps above.
Technical Requirements and Verification
Q: What are the requirements for the Secure Boot transition?
Four key requirements must be met for a system to complete the transition successfully:
| Requirement | Status Check |
| --- | --- |
| Secure Boot Enabled | Check System Information or msinfo32 |
| KB5025885 Installed | Check Windows Update history or registry |
| WinRE Healthy | Run "reagentc /info" from admin prompt |
| 2023 Key Enrolled (verified using Microsoft script - optional) | Check BIOS/UEFI setup or use tools |
Q: How do I verify readiness at scale?
Enterprise-scale verification should use centralized tools that provide dashboards and reporting:
| Method | Best For |
| --- | --- |
| Microsoft Intune | Cloud-first, M365 organizations |
| Active Directory + GPO | Large on-premises environments |
| SCCM/ConfigMgr | Mixed on-premises and cloud |
| Third-party tools (Qualys, Tenable, Rapid7, Automox) | Any environment |
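As an added example covering both the four-requirement table and the question of verifying at scale, the script below is not WinMagic's or Microsoft's code. It checks each requirement on the local host and emits a single record that a management agent (Intune, SCCM or a third-party tool) can collect, appending it to a CSV whose path is a placeholder. It assumes an elevated session, English-language reagentc output ("Windows RE status: Enabled"), and that KB5025885 is visible to Get-HotFix; since the FAQ notes the KB may arrive inside the monthly cumulative update, the registry UEFICA2023Status value is also recorded and is what the Ready flag relies on.

```powershell
#Requires -RunAsAdministrator
# Added example, not WinMagic's or Microsoft's code. Inventories the four
# requirements from the table above and emits one record per host.

function Test-SecureBootEnabled {
    # Confirm-SecureBootUEFI throws on legacy-BIOS/CSM systems; treat that as not enabled.
    try { return [bool](Confirm-SecureBootUEFI) } catch { return $false }
}

function Test-KB5025885Installed {
    # Assumption: the KB is listed by Get-HotFix. When it ships inside the
    # monthly cumulative update it may appear under that LCU's KB number
    # instead, which is why the registry status below is also captured.
    return $null -ne (Get-HotFix -Id 'KB5025885' -ErrorAction SilentlyContinue)
}

function Get-UefiCa2023Status {
    # Raw UEFICA2023Status from the Servicing key, shown as hex when numeric
    # (0x4000 is the "Success" value described in the verification section).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $item = Get-ItemProperty -Path $key -Name UEFICA2023Status -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'missing' }
    $v = $item.UEFICA2023Status
    if ($v -is [int]) { return ('0x{0:X}' -f $v) }
    return [string]$v
}

function Test-WinReHealthy {
    # Assumption: English reagentc output; localised builds print a translated label.
    $out = (& reagentc.exe /info 2>&1) | Out-String
    return [bool]($out -match 'Windows RE status:\s+Enabled')
}

function Test-2023KeyEnrolled {
    # Live db scan for the Windows and 3rd-party 2023 CAs, the same check as
    # the one-liners earlier in the FAQ; both must be present for SecureDoc.
    try {
        $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    } catch { return $false }
    return [bool](($db -like '*Windows UEFI CA 2023*') -and ($db -like '*Microsoft UEFI CA 2023*'))
}

function Get-TransitionInventory {
    $sb    = Test-SecureBootEnabled
    $kb    = Test-KB5025885Installed
    $reg   = Get-UefiCa2023Status
    $winre = Test-WinReHealthy
    $key   = Test-2023KeyEnrolled
    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        Timestamp         = (Get-Date).ToString('s')
        SecureBootEnabled = $sb
        KB5025885Present  = $kb
        UEFICA2023Status  = $reg
        WinReHealthy      = $winre
        Key2023Enrolled   = $key
        # Ready only when Secure Boot is on, WinRE is healthy, the 2023 keys are
        # in the db and the registry handshake reports 0x4000.
        Ready             = ($sb -and $winre -and $key -and ($reg -eq '0x4000'))
    }
}

$row = Get-TransitionInventory
# Placeholder output path; in a fleet deployment point this at your collection
# share, or let the management agent capture the object directly.
$csv = Join-Path $env:TEMP 'secureboot-inventory.csv'
$row | Export-Csv -Path $csv -Append -NoTypeInformation
$row
```

Hosts whose row shows SecureBootEnabled as False are simply out of scope for the transition; the rows to act on are those with Secure Boot enabled and Ready equal to False, which the UEFICA2023Status and Key2023Enrolled columns then separate into "update not yet seeded" and "update staged but firmware has not accepted the keys".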
Risks, Failures, and Troubleshooting
Q: What happens if a system is not ready by June 26, 2026?
Systems without the 2023 certificate will fail to boot if they attempt to install Secure Boot updates after June 26, 2026. This results in a "Secure Boot Violation" error that prevents the system from booting. Recovery requires physical access, manual BIOS intervention, or complete system redeployment. This scenario is not recoverable via remote management.
⚠ Not Recoverable Remotely: Boot failures of this type require recovery media, manual BIOS updates, or complete system rebuild. Do not wait until after June 26, 2026 to prepare.
OEM Resources and Support
For BIOS updates and Secure Boot transition support, hardware manufacturers provide guidance and firmware updates through their support channels. Microsoft maintains an official comprehensive resource with OEM-specific information and recommendations:
Original Equipment Manufacturer (OEM) pages for Secure Boot - Microsoft Support
https://support.microsoft.com/en-us/topic/original-equipment-manufacturer-oem-pages-for-secure-boot
This official Microsoft resource provides comprehensive guidance from all major OEMs including Dell, HP, Lenovo, and others. It includes compatibility matrices, BIOS update recommendations, enterprise deployment strategies, and links to OEM-specific support pages and tools. For OEM-specific deployment assistance, contact your hardware vendor's support team directly.
Linux Systems and Secure Boot 2026 Transition
Linux systems require different preparation than Windows, but most existing installations are not at risk. This section explains how Linux and fwupd handle the 2026 Secure Boot transition.
Q: Does the transition affect my Linux system?
Impact depends on your Secure Boot configuration:
Secure Boot disabled: No impact whatsoever. Your system is unaffected.
Secure Boot enabled, existing installation: Your system will continue to boot after June 2026. The expiration only affects the signing of new boot components, not the running of existing ones. This applies to SDlinux only.
For customers running OSA installations: Check your endpoint's OEM website to find out when BIOS updates that include the new certificates will be available.
Secure Boot enabled, new installations: Self-signed configurations based on the expiring certificate will need to be updated for new installations.
Q: What is fwupd and LVFS? How do they relate to the 2026 transition?
fwupd and LVFS are critical infrastructure for delivering firmware updates to Linux systems:
fwupd
A system daemon (background service) that allows Linux to safely update device firmware without rebooting into a proprietary DOS tool or Windows. It works with UEFI Update Capsule and EFI System Resource Table (ESRT), which are international standards built into modern UEFI firmware. fwupd can update BIOS, UEFI firmware, Secure Boot certificates, network adapters, storage controllers, and other hardware components.
LVFS (Linux Vendor Firmware Service)
A free, vendor-neutral repository where hardware manufacturers upload firmware updates. LVFS hosts firmware for over 100 vendors (including Dell, HP, Lenovo, Acer, Google, and others) at no cost. When you run fwupd, it connects to LVFS to download the latest firmware metadata and updates for your hardware.
For the 2026 transition:
Hardware vendors use LVFS to distribute updated Secure Boot certificates (KEK and db entries) via fwupd. This is how Linux systems will receive the 2023 Secure Boot certificates. Users run fwupd (or their distribution's software manager) to automatically download and apply these firmware updates.
Key Advantage: Before fwupd (pre-2020), Linux users had to boot into Windows, use DOS tools, or manually flash firmware with USB. Now, users can update firmware while running Linux, similar to Windows Update. fwupd has achieved a >99% success rate for 10+ million updates.
Q: What Linux distributions are affected?
Major distributions have published guidance or are releasing updates. Refer to your preferred Linux distribution website to find out more.
Q: What do Linux administrators need to do?
Keep systems updated: Regular security updates include shim and bootloader fixes. Enable automatic updates or schedule regular patch cycles.
Enable fwupd/LVFS: Install and enable fwupd on all systems. It will automatically check for firmware updates from LVFS. Most distributions include it by default.
Use current installation media: For new Secure Boot installations after Q3 2025, use the latest distribution ISO. Old media may not boot on new hardware that carries only the 2023 key.
Monitor vendor advisories: Subscribe to security updates from your distribution and hardware vendor.
⚠ Linux Warning: Since the Microsoft Corporation UEFI CA 2011 (the 3rd-party key) expires in June 2026, Linux environments must transition to the 2023 Certificate Chain. If you do not update, your Linux kernels and SecureDoc/OSA bootloaders will be rejected by the BIOS.
Planning and Next Steps
The immediate action is to audit your fleet to identify systems with Secure Boot enabled and plan the deployment of KB5025885 (Windows) and updated shims (Linux). For OEM-specific guidance, visit Http://microsoft.com/support/oem-secure-boot.
For WinMagic SecureDoc-specific questions, contact [email protected].

11-80 Galaxy Blvd. Toronto, ON | M9W 4Y8 | Canada Tel: (905) 502-7000 | Fax: (905) 502-7001
Web: www.winmagic.com | Email: [email protected]
WinMagic provides the world's most secure, manageable and easy-to-use data encryption solutions. Compatible with all editions of Microsoft Windows Vista, 7, and 10 as well as Mac and Linux platforms, WinMagic's SecureDoc protects sensitive data stored on portable media such as laptops and removable media including USB thumb drives and CD/DVDs. Thousands of the most security-conscious enterprises and government organizations around the world depend on SecureDoc to minimize business risks, meet privacy and regulatory compliance requirements, and protect valuable information assets against unauthorized access. With a full complement of professional and customer services, WinMagic supports over three million SecureDoc users in approximately 43 countries. For more information, please visit www.winmagic.com, call 1-888-879-5879 or e-mail us at [email protected].
SecureDoc, SecureDoc Enterprise Server, Compartmental SecureDoc, SecureDoc PDA, SecureDoc Personal Edition, SecureDoc RME, SecureDoc Removable Media Encryption, MySecureDoc, MySecureDoc Personal Edition Plus, MySecureDoc Media, and SecureDoc Central Database are trademarks of WinMagic Inc. Other products mentioned herein may be trademarks and/or registered trademarks of their respective owner.
© Copyright 2026 WinMagic Inc. All rights reserved. This document is for informational purposes only. WinMagic Inc. makes NO WARRANTIES, expressed or implied, in this document. All specifications stated herein are subject to change without notice.