Microsoft Secure Boot 2011 Certificate Expiration Impact on Dell PowerEdge Servers
Summary: Microsoft Secure Boot 2011 certificates begin expiring in June 2026. Dell is working to ensure supported PowerEdge platforms are updated with the new 2023 Secure Boot certificates.
Symptoms
Secure Boot certificates are used as part of the Secure Boot process which helps protect systems from bootkits. A bootkit is a type of malware designed to infect a boot loader or boot process, enabling malicious code to run on the system.
Expired certificates do not affect an already installed OS: UEFI firmware does not check certificate validity dates when it verifies boot components (there is no trusted time source that early in boot), so systems continue to boot. The practical effect of expiry is that Microsoft can no longer sign new boot components with the 2011 CAs, so a system that trusts only the 2011 certificates stops receiving them.
Systems that still trust only the 2011 certificates after expiry may experience:
- Inability to receive Secure Boot-related updates (new boot manager binaries, DBX revocations, and other boot components that will be signed only by the 2023 CAs)
- Potential boot failures if the firmware's Secure Boot key store is restored to its shipped contents (for example by resetting BIOS defaults or, on some platforms, by disabling and re-enabling Secure Boot): this can remove the 2023 certificates that Windows Update added to the db, leaving a boot manager signed by the 2023 CA untrusted
- Increased exposure to bootkit malware, because revocations and hardened boot components can no longer be delivered to the system
Affected products:
- Dell PowerEdge servers running Windows Server 2012 and later
- Platforms impacted include 14th, 15th, and 16th Generation Server platforms.
- 17th Generation Server platforms already contain the new certificates
Cause
Microsoft is retiring the 2011 Secure Boot certificate chain (Microsoft Corporation KEK CA 2011, Microsoft Corporation UEFI CA 2011, and Microsoft Windows Production PCA 2011, the CA that signs the Windows boot manager). These certificates begin expiring in June 2026, requiring a transition to the 2023 chain (Microsoft Corporation KEK 2K CA 2023, Microsoft UEFI CA 2023, Microsoft Option ROM UEFI CA 2023, and Windows UEFI CA 2023).
Resolution
Latest official Microsoft blog announcement: Act now: Secure Boot certificates expire in June 2026
- Dell plans to release BIOS updates for 14th, 15th, and 16th Generation Server platforms by end of 2025
- BIOS updates include the 2023 Secure Boot certificates
- Microsoft also delivers the 2023 certificates to the active Secure Boot variables (the db, and the KEK where the platform vendor has supplied a KEK update signed by its Platform Key) through Windows Update, before switching the installed boot manager to one signed by the Windows UEFI CA 2023
- Avoid resetting BIOS defaults or disabling Secure Boot until the BIOS that ships the 2023 certificates is installed: restoring the shipped key store discards certificates added by Windows Update, and a 2023-signed boot manager then fails Secure Boot verification; changes to the Secure Boot configuration can also trigger BitLocker recovery on volumes bound to PCR 7
- 12th and 13th Generation Server platforms will not receive updates due to end-of-service status
More detail from Microsoft can be found in the Microsoft KB article here, including certificate specifics: Windows Secure Boot certificate expiration and CA updates
Begin examining internal assets and processes to ensure that they are ready for the upcoming Microsoft certificate change. Microsoft provides some guidance on how to prepare for the upcoming change here: Windows devices for businesses and organizations with IT-managed updates
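The readiness check below is an added example, not part of the Dell article or of Microsoft's tooling. It parses the EFI_SIGNATURE_LIST structures returned by Get-SecureBootUEFI to list the X.509 CAs in the KEK and db, reads the Authenticode signer of the installed Windows boot manager from the EFI System Partition, and reports whether the 2023 CAs are already trusted. It assumes an elevated Windows PowerShell 5.1 or later session on a UEFI system, a free drive letter S: for mounting the ESP, and the CA common names as published in Microsoft's KB (check the strings against the KB before relying on them).

```powershell
# Added example (not from the Dell article): inventory Secure Boot CAs and
# check for the 2023 certificates. Assumptions: elevated session, UEFI firmware,
# S: free for the ESP, CN strings as published by Microsoft.
#Requires -RunAsAdministrator

$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # EFI_CERT_X509_GUID

function Get-SecureBootCertificates {
    # Walks the EFI_SIGNATURE_LIST entries in a Secure Boot variable and returns one
    # object per X.509 certificate. Hash-type lists (most of dbx) are skipped.
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)

    $bytes  = [byte[]](Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # Header: SignatureType GUID (16), SignatureListSize (4), SignatureHeaderSize (4), SignatureSize (4)
        $sigType  = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list: stop instead of looping forever
        $listEnd = $offset + $listSize
        if ($sigType -eq $EfiCertX509Guid) {
            for ($p = $offset + 28 + $hdrSize; $p + $sigSize -le $listEnd; $p += $sigSize) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16) followed by the DER-encoded certificate
                $owner = [guid]::new([byte[]]$bytes[$p..($p + 15)])
                $der   = [byte[]]$bytes[($p + 16)..($p + $sigSize - 1)]
                $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                    Owner      = $owner
                }
            }
        }
        $offset = $listEnd
    }
}

function Get-BootManagerSigner {
    # Mounts the EFI System Partition, reads the Authenticode signer of the Windows
    # boot manager, and unmounts the partition again.
    param([string]$DriveLetter = 'S:')
    mountvol $DriveLetter /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature -FilePath "$DriveLetter\EFI\Microsoft\Boot\bootmgfw.efi"
        [pscustomobject]@{
            Status         = $sig.Status
            Signer         = $sig.SignerCertificate.Subject
            Issuer         = $sig.SignerCertificate.Issuer
            SignedBy2023CA = [bool]($sig.SignerCertificate.Issuer -match 'Windows UEFI CA 2023')
        }
    }
    finally {
        mountvol $DriveLetter /D | Out-Null
    }
}

function Test-SecureBoot2023Readiness {
    $kek = @(Get-SecureBootCertificates -Name KEK)
    $db  = @(Get-SecureBootCertificates -Name db)
    $bm  = Get-BootManagerSigner

    [pscustomobject]@{
        SecureBootEnabled          = Confirm-SecureBootUEFI
        KEK_Has2023                = [bool]($kek | Where-Object Subject -match 'KEK 2K CA 2023')
        DB_HasWindowsUEFICA2023    = [bool]($db  | Where-Object Subject -match 'CN=Windows UEFI CA 2023')
        DB_HasMicrosoftUEFICA2023  = [bool]($db  | Where-Object Subject -match 'CN=Microsoft UEFI CA 2023')
        DB_Has2011WindowsPCA       = [bool]($db  | Where-Object Subject -match 'Windows Production PCA 2011')
        BootManagerSigner          = $bm.Issuer
        # If the boot manager is already 2023-signed, a BIOS reset that restores a
        # 2011-only default key store leaves it untrusted on the next boot. Install the
        # vendor BIOS that ships the 2023 certificates before any such reset.
        BootManagerDependsOn2023Db = $bm.SignedBy2023CA
    }
}

# Usage:
Test-SecureBoot2023Readiness | Format-List
Get-SecureBootCertificates -Name db | Format-Table Subject, NotAfter -AutoSize
```

Microsoft's own quick check is the one-liner `[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'`; it matches the CA name as a substring of the raw variable without parsing it, which is fine for a yes/no answer but does not tell you which list the name came from or when the 2011 entries expire. Parsing the signature lists also gives you the NotAfter dates to put in an inventory, and the boot manager check tells you whether a reset to BIOS defaults on a platform with a 2011-only default store would break boot.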
Azure and Enterprise Environments:
For enterprise and cloud-hosted systems, Microsoft provides additional tools and guidance to support the Secure Boot certificate transition:
- Bootable Media Updates: Updating Windows bootable media to use the PCA2023 signed boot manager - Microsoft Support
  Use the PowerShell script Make2023BootableMedia.ps1 to update WinPE, ISO, or USB media so that it boots with the boot manager signed by the Windows UEFI CA 2023. Media that still carries the 2011-signed boot manager will not boot on systems that no longer trust the 2011 CA.
- Azure Trusted Launch VMs: Secure Boot UEFI keys - Azure Virtual Machines | Microsoft Learn
  Azure supports custom UEFI Secure Boot key injection using the Azure Compute Gallery and ARM templates. This is useful for organizations requiring custom PK, KEK, db, or dbx contents.
- Manual UEFI Updates: Set-SecureBootUEFI (SecureBoot) | Microsoft Learn
  Advanced users can use the Set-SecureBootUEFI PowerShell cmdlet to write Secure Boot variables directly. The payload must be an authenticated variable update signed by a key the firmware already trusts (the KEK for db and dbx changes, the PK for KEK changes), and the cmdlet requires administrative privileges; unsigned or incorrectly signed packages are rejected by the firmware.
These tools are intended for IT-managed environments and should be used with caution. Dell Technologies recommends reviewing Microsoft’s official documentation before implementing any manual or scripted changes.