Expiring Microsoft Secure Boot Keys May Block DBX Updates on Legacy Devices

ID: 642b867f-c7e6-52f0-8938-a4718c83a40d

STIX ID: report--642b867f-c7e6-52f0-8938-a4718c83a40d

Feed Name: GBHackers

Threat Score: 70/100

Date Published: 2026-06-03

Date Updated: 2026-06-03

Author: Mayura Kathir


On June 27, 2026, the Microsoft Corporation KEK CA 2011 and Microsoft UEFI CA 2011 certificates expire, with Windows Production PCA 2011 expiring in October 2026. The expiry will not prevent devices from booting, but it will stop KEK-authorized DB/DBX updates via Windows Update. Devices that remain on the 2011 chain will be unable to receive new Secure Boot protections or revocations and will thus remain permanently vulnerable to bootkit-style threats (e.g., BootHole, BlackLotus) unless administrators apply OEM firmware updates, enroll the 2023 certificates, re-sign Linux shim builds, and follow Microsoft's migration guidance.