Yesterday was Patch Tuesday, and I read about Secure Boot changes in that mix. I was curious to see if MS had revoked any CA-2011 boot certificates yet. You can see the post Patch Tuesday CA-2011 certs still kickin’, from the output of the Garlin check script (v.2026.06.08). So I went off looking, specifically to check expiration dates. Here’s what I found…

If Post Patch Tuesday CA-2011 Certs Still Kickin’, When Is Revocation?

I asked Google AI to tell me about expiration dates for the three Microsoft Secure Boot 2011 certificates. Here’s what’s coming down the pike:

• Microsoft Corporation KEK (Key Exchange Key) CA 2011 expires June 24, 2026. Microsoft Corporation KEK 2K CA 2023 replaces that certificate going forward.
• Microsoft UEFI CA 2011 expires June 27, 2026. Microsoft UEFI CA 2023 replaces it, and it’s used to sign 3rd-party bootloaders.
• Microsoft Windows Production PCA 2011 expires on October 19, 2026. Microsoft UEFI CA 2023 also replaces this as well.
• In addition, MS is adding the Microsoft Option ROM UEFI CA 2023 cert to the mix. As the name says, it’s used to sign third-party option ROMs.

Copilot confirms this info, and it’s also covered in an MS Support Note entitled “Windows Secure Boot certificate expiration and CA updates.”

Then End Is Near, But Not Yet Here…

Thus, it looks like MS has decided not to anticipate the two closest upcoming revocation dates, scheduled for the final Wednesday (6/24) and Saturday (6/27) of this month. I’d wondered about that. If MS issues a Preview CU for July on June 30 (as it often does) we may see it then. Stay tuned: I’ll keep you posted.