Understanding the Secure Boot Certificate Challenge
Microsoft has scheduled the expiration of three critical certificates in the UEFI Secure Boot trust chain for 2026. The KEK CA-2011 and UEFI CA-2011 certificates expire in June 2026, while the Windows Production PCA-2011 certificate expires in October 2026. While devices won't stop booting after these expirations and standard Windows updates will continue, they will lose the ability to receive new Secure Boot security protections for the early boot process. This creates a significant security gap for organizations managing large device fleets, particularly for older hardware that may not support the certificate injection required for the 2023 replacement certificates.
Implementing Automated Monitoring and Remediation
NinjaOne addresses this challenge through a community-developed script that automates certificate status monitoring and remediation across entire device fleets. The solution involves creating custom fields to display certificate status, importing and configuring the audit script, and establishing automated weekly reporting to track compliance. The script can run in audit mode for read-only assessment or in active mode to enable Windows Update opt-in, configure registry keys, set telemetry levels, and trigger scheduled tasks. Organizations can create filtered reports to identify non-compliant devices and prioritize remediation efforts based on device make, model, and warranty status. The approach provides visibility into which devices require firmware updates to support the new certificates and which legacy devices may be permanently unable to receive future Secure Boot security updates due to manufacturer end-of-support.
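The audit-mode half of the workflow described above can be illustrated with a short read-only check. The following PowerShell is an added example and is not the NinjaOne community script itself: it confirms Secure Boot is on, inspects the firmware KEK and db variables for the three 2023 replacement CAs, reads Windows' own servicing status, and writes a one-line summary suitable for a custom field. It assumes an elevated PowerShell 5.1+ session with the built-in SecureBoot module; the custom field name `secureBootCertStatus`, the `Ninja-Property-Set` call, and the `SecureBoot\Servicing\UEFICA2023Status` registry value are assumptions for illustration, not values taken from the page.

```powershell
# Added example (not the NinjaOne community script): audit-only check of the
# UEFI Secure Boot trust chain for the 2023 CA rollout. Requires an elevated
# PowerShell session on a UEFI machine; Get-/Confirm-SecureBootUEFI ship with
# Windows in the SecureBoot module.
#Requires -RunAsAdministrator

function Get-SecureBootCaStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        SecureBootEnabled = $false
        Kek2023Present    = $false   # Microsoft Corporation KEK 2K CA 2023 (replaces KEK CA-2011)
        WindowsCa2023InDb = $false   # Windows UEFI CA 2023 (replaces Windows Production PCA-2011)
        UefiCa2023InDb    = $false   # Microsoft UEFI CA 2023 (replaces UEFI CA-2011)
        ServicingStatus   = 'Unknown'
        Compliant         = $false
        Error             = $null
    }

    try {
        # Confirm-SecureBootUEFI throws on legacy BIOS/CSM systems; treat that as "not enabled".
        $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $result.Error = "Secure Boot not available: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # db and KEK are EFI_SIGNATURE_LISTs holding DER certificates. The subject CN
    # survives as plain ASCII inside the DER, so a substring match on the CA name
    # is enough to tell whether a given 2023 CA has been enrolled in firmware.
    $dbText  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kekText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    $result.Kek2023Present    = $kekText -match 'Microsoft Corporation KEK 2K CA 2023'
    $result.WindowsCa2023InDb = $dbText  -match 'Windows UEFI CA 2023'
    $result.UefiCa2023InDb    = $dbText  -match 'Microsoft UEFI CA 2023'

    # Windows records its own rollout progress under this key once the servicing
    # task has run. Assumption: key and value name for illustration only.
    $servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = Get-ItemProperty -Path $servicingKey -Name 'UEFICA2023Status' -ErrorAction SilentlyContinue
    if ($status) { $result.ServicingStatus = $status.UEFICA2023Status }

    # Minimum bar for a Windows-only device: new KEK enrolled and the Windows
    # boot-manager signing CA trusted in db. Third-party boot components (Linux
    # shim, option ROMs) additionally need UefiCa2023InDb.
    $result.Compliant = $result.SecureBootEnabled -and $result.Kek2023Present -and $result.WindowsCa2023InDb
    return [pscustomobject]$result
}

function Write-SecureBootCustomField {
    param(
        [Parameter(Mandatory)] [pscustomobject]$Status,
        # Placeholder: the real name is whatever custom field was created in the console.
        [string]$FieldName = 'secureBootCertStatus'
    )
    $summary = if ($Status.Error) {
        "ERROR: $($Status.Error)"
    } elseif ($Status.Compliant) {
        "OK - 2023 CAs enrolled (servicing: $($Status.ServicingStatus))"
    } else {
        "ACTION REQUIRED - KEK2023=$($Status.Kek2023Present) WinCA2023=$($Status.WindowsCa2023InDb) " +
        "UefiCA2023=$($Status.UefiCa2023InDb) (servicing: $($Status.ServicingStatus))"
    }

    # Assumption: Ninja-Property-Set is the agent-side cmdlet that populates a
    # custom field. Skip it when the script runs outside the agent.
    if (Get-Command Ninja-Property-Set -ErrorAction SilentlyContinue) {
        Ninja-Property-Set $FieldName $summary
    }
    return $summary
}

$status = Get-SecureBootCaStatus
$status | Format-List
Write-Output (Write-SecureBootCustomField -Status $status)
```

Run weekly as an audit, the `Compliant` flag is what a filtered report keys on; devices that stay `ACTION REQUIRED` with `SecureBootEnabled = True` but no 2023 KEK are the ones that need a firmware update or a vendor end-of-support decision. The active-mode steps the page mentions (Windows Update opt-in, registry configuration, telemetry level, scheduled task) are deliberately left out of this read-only example.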