Secure Boot Transition FAQ

Summary: This article answers commonly asked questions about the expiration of the Secure Boot certificates.

Instructions

Affected Operating Systems:

  • Windows

General Information:

  • What is the Secure Boot Key transition?
    • The current Microsoft 2011 Secure Boot certificates start expiring in June 2026. These will be replaced with a new 2023 certificate chain: KEK CA 2023, UEFI CA 2023, and Windows UEFI CA 2023.
  • Are the 2023 certificates required to install Windows 11 25H2?
    • No. Devices can install 25H2 using the 2011 certificates.
  • What happens when the current Secure Boot certificate expires?
    • The computer is still able to boot. However, with an expired certificate, the computer cannot get future updates to the bootloader or Secure Boot.
  • What is Dell’s dual certificate strategy?
    • To ease the transition, Dell started shipping both 2011 and 2023 certificates on newly launched platforms in late 2024 and, by the end of 2025, on all sustaining platforms shipping from Dell factories. This allows enterprise customers with older images to boot images signed with either certificate.
  • What is the difference between the Active and Default Secure Boot Database?
    • The Active Secure Boot database is the one your computer uses during startup to verify trusted software. The Default Secure Boot database is a backup set of original trusted keys that can be restored if needed.
      In short:
      • Active: Currently enforced (commonly updated from Windows Update)
      • Default: Factory reset version not used unless restored (updated using a BIOS update)
      Note: It is important that the default Secure Boot database is updated to the 2023 certificates. Otherwise, if Expert Key Mode is toggled, it may erase the Active variables coming from Windows Update.
  • How does the Active database get updated?
    • The Active database can be updated using Windows Update. This avoids disruptions in security features like BitLocker. However, if Windows Update is not an option and the customer is an expert user, the Active database can be overwritten using a command in the BIOS to reset the keys. For more information, reference How To Update Secure Boot Active Database from BIOS.
  • How does the Default database get updated?
    • The Default database is updated using a BIOS flash.

Dell Computers and Updates:

  • Which Dell computers receive BIOS updates?
    • Dell updates:
      • Consumer and Commercial Platforms with an End of Service Life (EoSL) after December 31, 2025, shipping from Dell factories or in the field
    • Dell does not update:
      • Platforms with an EoSL before January 01, 2026. This means that, while Microsoft may make the new certificates available, the BIOS on these older computers may not support or retain them, especially if Secure Boot is toggled or BIOS defaults are reset.
  • What is Dell doing to mitigate customer impact?
    • Deliver BIOS updates for supported platforms by the end of 2025
    • Coordinate with Microsoft on recovery tools
    • Publish Knowledge Base articles
    • Update bootable media
  • What about the impact on third-party graphics cards and Linux computers?
    • Microsoft has created two new 2023 third-party CAs to replace the expiring 2011 third-party CA. In other words, the Microsoft Corporation UEFI CA 2011 has been bifurcated into the Microsoft UEFI CA 2023 (for bootloaders) and the Microsoft Option ROM UEFI CA 2023 (for Option ROMs). Microsoft’s Hardware Device Center (HDC) has already been updated to support signing of third-party drivers that need these new 2023 CAs. Although partners can start signing with the new 2023 CAs in October 2025, Microsoft and OEMs continue to support the existing Microsoft Corporation UEFI CA 2011 until the ecosystem has had sufficient time to migrate over to the new 2023 CAs.
  • How does an enterprise customer obtain a new 2023 certificate on their current fleet of devices?
    • Enterprise customers can either allow Microsoft to manage the updates to their devices through Windows Update (WU) or apply the updates to fleet devices manually. Guidance for the latter is available here: Windows devices with IT-managed updates. In addition, Dell pushes BIOS updates to in-service devices, which can be used to populate the active database. For instructions, reference How To Update Secure Boot Active Database from BIOS.
  • Are there any specific hardware requirements for obtaining this certificate?
    • Devices must support Secure Boot and be compatible with UEFI firmware updates. Dell is validating platforms internally and has published a list of supported computers in the Dell Knowledge Base article Microsoft 2011 Secure Boot Certificate Expiration.

Communication and Customer Guidance:

  • How is Dell communicating this to customers?
  • What should enterprise customers do now?
  • How does a customer know if they have a 2011 or 2023 certificate?
    • Microsoft plans to add notifications to Windows for end-users. Also, users can run the following PowerShell command to see whether they have the 2011 or 2023 CAs (methodology coming in a future knowledge base article).
  • How does a customer know if their certificate has expired or is due to expire?
    • Computers with any of the three certificates (CAs) due to expire in 2026:
      2011 CAs and their expiration dates:
      • Microsoft Corporation KEK CA 2011: June 24, 2026
      • Microsoft Windows Production PCA 2011: October 19, 2026
      • Microsoft Corporation UEFI CA 2011: June 27, 2026
  • If a customer has a 2023 certificate, do they need to act?
    • No. If both the Windows UEFI CA 2023 and the Microsoft Corporation KEK 2K CA 2023 certificates are present, no further action is required.
  • Can a customer move to a 2023 certificate if their devices are running Windows 10 and have or are about to take out Extended Security Updates (ESU)?
    • Yes, Microsoft is updating active certificates for Windows 11 devices in the field and will update Windows 10 devices if the device:
      • Is running Windows LTSC 2021
      • Has an activated ESU license
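
The Active/Default distinction and the 2011-versus-2023 question above can both be checked from Windows. The following is an added example, not the PowerShell command this article refers to and not Dell or Microsoft code; it assumes an elevated session and firmware that exposes the KEKDefault and dbDefault variables, and it matches the certificate names from this article as text rather than parsing the signature lists.

```powershell
# Added example. Run in an elevated PowerShell session on a UEFI system.
# CA names are the ones listed in this article.
$ca2011 = 'Microsoft Corporation KEK CA 2011',
          'Microsoft Windows Production PCA 2011',
          'Microsoft Corporation UEFI CA 2011'
$ca2023 = 'Microsoft Corporation KEK 2K CA 2023',
          'Windows UEFI CA 2023',
          'Microsoft UEFI CA 2023',
          'Microsoft Option ROM UEFI CA 2023'

function Test-SecureBootVariable {
    param([Parameter(Mandatory)][string]$Name)

    $scope = if ($Name -like '*Default') { 'Default' } else { 'Active' }
    try {
        # The CA subject names appear as ASCII text in the enrolled certificate data.
        $raw  = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
        $text = [System.Text.Encoding]::ASCII.GetString($raw)
    } catch {
        # Variable not defined, no UEFI, or session not elevated.
        return [pscustomobject]@{ Variable = $Name; Scope = $scope; Readable = $false
                                  Has2011 = $false; Has2023 = $false; Found = '' }
    }
    $found = @($ca2011 + $ca2023 | Where-Object { $text.Contains($_) })
    [pscustomobject]@{
        Variable = $Name
        Scope    = $scope
        Readable = $true
        Has2011  = [bool]($found | Where-Object { $ca2011 -contains $_ })
        Has2023  = [bool]($found | Where-Object { $ca2023 -contains $_ })
        Found    = $found -join '; '
    }
}

# Active variables (KEK, db) and their factory defaults (KEKDefault, dbDefault).
$report = 'KEK', 'db', 'KEKDefault', 'dbDefault' |
    ForEach-Object { Test-SecureBootVariable -Name $_ }
$report | Format-Table -AutoSize

# The case the note above warns about: 2023 CAs only in the Active database.
$active2023  = $report | Where-Object { $_.Scope -eq 'Active'  -and $_.Has2023 }
$default2023 = $report | Where-Object { $_.Scope -eq 'Default' -and $_.Has2023 }
if ($active2023 -and -not $default2023) {
    Write-Warning 'Active has 2023 CAs but Default does not: a key reset (Expert Key Mode) would restore 2011-only defaults until the BIOS is updated.'
}
```

A row with Readable set to False means the variable could not be read, not that the certificates are absent.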

Impact and Recovery:

  • What is the impact of an expired certificate?
    • Once Secure Boot certificates expire (starting June 2026), computers continue to boot (with Secure Boot on). However, the computer no longer receives updates for the Windows Boot Manager and Secure Boot components using Windows Update, putting it in a compromised security state.
  • What happens if Secure Boot is disabled or toggled on a device?
    • Sometimes, disabling Secure Boot can erase all active UEFI variables, which means any 2023 CAs already being used on the device could get wiped out (and later replaced with older 2011 CAs from the default firmware if it was never updated). On Dell devices, this occurs if a user selects the Expert Key Mode option in the BIOS menu. In this case, the active variables get pulled from the default firmware.
      Note: If BitLocker is enabled on the device, you may be prompted to enter the BitLocker recovery key.
  • What tools are available for recovery?
    • Microsoft has released a manual recovery tool, but it has limitations. Automated tools to assist customers are still being developed.

Costs and Duration:

  • Is there a cost associated with the new certificates?
    • There is no direct cost for receiving the 2023 certificates using Windows Update, and the 2023 CAs are already available for free at Windows Secure Boot Key Creation and Management Guidance. However, BIOS updates for out-of-service devices may require manual intervention or service engagement, which could incur costs depending on support agreements.
  • What is the duration of the new certificate?
    • The 2023 certificates are valid for 15 years (2038).

Article Properties
Article Number: 000390990
Article Type: How To
Last Modified: 12 Nov 2025
Version:  1