Stone Computers Knowledgebase

Microsoft 2011 Secure Boot Certificate Expiration — Stone Branded Devices

Article ID: 973
Last updated: 20 Nov, 2025
Revision: 1
Views: 29
Posted: 20 Nov, 2025 by Paul Watkins
Updated: 20 Nov, 2025 by Paul Watkins

Overview

Secure Boot is a UEFI firmware feature found in all modern computers that helps to ensure only trusted, signed code runs at the earliest stages of system start-up (boot loader, firmware modules, option ROMs, etc.).
It relies on a chain of trust built from certificates and keys:

  • Platform Key (PK) – the root of trust, typically created by the top-level OEM.
  • KEK (Key Exchange Key) – authorises updates to the databases that control what is allowed or revoked.
  • DB (Allowed Signature Database) – holds certificates for trusted bootloaders, EFI applications, etc.
  • DBX (Forbidden / Revoked DB) – holds signatures or hashes of known bad or compromised components.

The certificates in these DB / KEK variables include Microsoft’s certificates (among others).
Each certificate has a lifetime determined by the expiry date hard-coded into it.
Once the certificates expire, affected systems will stop receiving updates for components such as the Windows Boot Manager and other Secure Boot components.

More detail can be found in these Microsoft articles, including exactly which certificates are being replaced and further advice on what steps you can take:

Windows Secure Boot certificate expiration and CA updates

Act now: Secure Boot certificates expire in June 2026

Secure Boot Certificate updates: Guidance for IT professionals and organizations


What is happening?

The Microsoft 2011 Secure Boot certificates begin to expire in June 2026 and are being replaced by new certificates, originally created in 2023, as part of a phased transition controlled by Microsoft and its technology partners.

The table below details which certificates are expiring and their replacements.

Expiring Certificate                         | Expiration Date | Replacement Certificate            | Function / Where Stored
Microsoft Corporation KEK CA 2011            | June 2026       | Microsoft Corporation KEK CA 2023  | Stored in KEK / Signs updates to DB and DBX
Microsoft UEFI CA 2011                       | June 2026       | Microsoft UEFI CA 2023             | Stored in DB / Signs third-party bootloaders, EFI applications
Microsoft UEFI CA 2011 (Option ROM context)  | June 2026       | Microsoft Option ROM UEFI CA 2023  | Stored in DB / For option ROMs specifically
Windows Production PCA 2011                  | October 2026    | Windows UEFI CA 2023               | Stored in DB / For Windows bootloader and boot components


What this means for you

  • Operating Systems Impacted: Windows 10 and Windows 11 are among those affected by the certificate expiration.
  • Core Risk: Secure Boot helps protect the system’s start-up process. With the 2011 certificate no longer valid, future updates to Secure Boot components and related infrastructure might not function as expected unless devices are prepared.
  • Preparations should be made to update compatible systems.


Preparations and actions

  • Asset inventory
    Identify all systems running Windows 10 or 11 (including dual-boot systems), check whether Secure Boot is enabled (it must be enabled for the Microsoft update path to work), and record the make/model of each device or motherboard and its current firmware version.
    During this phase it is prudent to confirm whether systems already include the 2023 certificates; those produced in the past 1 to 2 years may already have them, which helps organisations or users narrow their focus.
    The following link is a package (Check UEFI Secure Boot KEK and DB) containing a script that assists with this check by providing visual confirmation and a .CSV log file detailing make, model, BIOS version, Windows build, Secure Boot status and the presence of Secure Boot certificates.
     
  • Microsoft updates
    Microsoft have begun delivering Secure Boot CA updates via Windows Update, which aims to greatly simplify the process for most devices.
    To allow Microsoft to manage Secure Boot updates, organisations or users may be required to perform some configuration steps.
    Microsoft have published guidance on this topic.

    Secure Boot Certificate updates: Guidance for IT professionals and organizations
     

  • Firmware updates
    Converge is collaborating with its partners to ensure the new 2023 certificates are included in firmware updates on eligible Stone models. These certificates are hard-coded into the firmware and will be available to reload should the Secure Boot variables ever be cleared.
    Systems that are air-gapped from the internet (and cannot receive Windows Updates), or that have special security / compliance constraints, should be planned for via manual update paths.
    Specifically for Stone desktops and workstations that contain Asus motherboards, we are also able to provide a tool which adds the new certificates to the Secure Boot variables and sets them as active.
     
  • Avoid resetting firmware defaults or disabling Secure Boot
    Secure Boot database changes (DB, KEK, etc.) delivered via Windows Update are stored in firmware variables; certain actions (factory reset, resetting to defaults, disabling Secure Boot) might revert or clear some of the updated trust anchors.
     
  • Test a representative sample group
    Before deploying across a large estate of devices, testing on a small subset of each device model is advised.
    First verify that the new certificates apply correctly when delivered from Windows Update and that operating systems continue to behave as expected.
    For devices not serviced by Windows Update, test firmware updates and/or the Asus Secure Boot 2023 Helper tool and confirm a positive outcome.
    Pay particular attention to devices where BitLocker is enabled: to avoid a BitLocker recovery prompt, suspend BitLocker before the update and back up recovery keys to Microsoft accounts or Azure AD, or print/save them locally.
     
  • Plan for the deadline (June / October 2026)
    Microsoft has set June 2026 as the date when many of the 2011 certificates expire.
    The Windows Production PCA 2011 certificate’s expiry is in October 2026 for part of the certificate chain.
    Develop a plan to address your individual needs as soon as possible.


How can we help?

Customers should be able to rely on Secure Boot updates being distributed via Microsoft Windows Update, as hardware platform owners have been collaborating with Microsoft over a number of years to share signed certificates; following the configuration steps to enable this delivery method should therefore cover all or most devices.
We have also worked with our hardware partners to provide some scripts and tools which customers may find useful.

Contained in this download is a PowerShell script that will identify the model of your device/motherboard, the current BIOS version, the current build of Windows, Secure Boot status, a list of the current (active) Secure Boot KEK and DB variables and a list of the default (factory) Secure Boot variables.
This information is also logged to a CSV file.
Because it is provided as a PowerShell script, customers can choose how they implement its use should they wish to.

The download package contains help documentation detailing the function and usage and is compatible with any make or model of device.
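The inventory described in the asset inventory step and in the PowerShell download above can be reproduced with standard Windows cmdlets. The following is an added example written for this article, not Stone's script; it assumes an elevated PowerShell session on a UEFI Windows 10/11 device and writes to C:\SecureBootInventory.csv (a path chosen for the example).

```powershell
# Added example (not Stone's script): inventory one device and record whether
# the 2023 Secure Boot certificates are present in the active KEK and DB
# variables. Assumes an elevated PowerShell session on a UEFI Windows 10/11
# device; the CSV path is an assumption.

function Test-SecureBootVariableMatches {
    param([string]$Variable, [string]$Pattern)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    } catch {
        return $false   # variable absent, legacy BIOS, or Secure Boot unsupported
    }
    # Certificate subject names sit as plain ASCII inside the DER blobs held in
    # the EFI signature lists, so a regex search over the decoded bytes is
    # enough to tell whether a given CA is present.
    return ([System.Text.Encoding]::ASCII.GetString($bytes) -match $Pattern)
}

function Get-SecureBootCertInventory {
    $cs   = Get-CimInstance Win32_ComputerSystem
    $bb   = Get-CimInstance Win32_BaseBoard
    $bios = Get-CimInstance Win32_BIOS
    $os   = Get-CimInstance Win32_OperatingSystem
    $sbEnabled = $false
    try { $sbEnabled = Confirm-SecureBootUEFI } catch { }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Manufacturer       = $bb.Manufacturer
        BaseboardModel     = $bb.Product
        ComputerSystemName = $cs.Model
        BIOSVersion        = $bios.SMBIOSBIOSVersion
        WindowsBuild       = $os.BuildNumber
        SecureBootEnabled  = $sbEnabled
        # Microsoft's guidance names the KEK certificate "Microsoft Corporation
        # KEK 2K CA 2023"; the pattern accepts that and the shorter form used above.
        KEK_CA_2023        = Test-SecureBootVariableMatches 'KEK' 'Microsoft Corporation KEK (2K )?CA 2023'
        UEFI_CA_2023       = Test-SecureBootVariableMatches 'db'  'Microsoft UEFI CA 2023'
        OptionROM_CA_2023  = Test-SecureBootVariableMatches 'db'  'Microsoft Option ROM UEFI CA 2023'
        Windows_CA_2023    = Test-SecureBootVariableMatches 'db'  'Windows UEFI CA 2023'
    }
}

$result = Get-SecureBootCertInventory
$result | Format-List
# Append to a shared CSV so results from many devices can be collated
$result | Export-Csv -Path 'C:\SecureBootInventory.csv' -Append -NoTypeInformation
```

A device where SecureBootEnabled is false, or where any of the four 2023 columns is false, is one that still depends on the 2011 trust anchors and should be prioritised for the Windows Update configuration steps or a firmware update.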

This package will apply the Secure Boot 2023 KEK and DB updates as new Secure Boot variables.
This can be used as alternative (or as part of a blended approach) to having Microsoft deliver these updates through Windows Update.
Please note this tool is only compatible with Stone devices containing Asus motherboards.

The download package contains help documentation detailing the function and command line switches.

When the tool is run from the command line or PowerShell, either directly or via scripts, it checks which 2023 certificates are already installed and applies any that are missing.
Customers are advised to test on a sample batch of devices to confirm operation.
 

This download contains a collection of desktop client and workstation BIOS images, along with scripts and tools to automatically detect the make/model and flash devices.
It is intended to be run within a Windows operating system and provides enough flexibility to allow users with PowerShell knowledge to build upon the functionality to suit individual needs.
Please note this tool is only compatible with Stone devices containing Asus motherboards.

The download package contains help documentation detailing the function and usage.

When this package is run, it checks that the model of device/motherboard is supported, selects the correct BIOS file, checks BitLocker status and temporarily suspends it if active, updates the BIOS and logs the results to CSV.
Customers are advised to test on a sample batch of devices to confirm operation.
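To show the pre-flight checks the BIOS Updater performs (support check, minimum version comparison, BitLocker suspension, CSV logging), here is an added example that is not Stone's tool; it uses a subset of the Stone Desktop support matrix, and the vendor-specific flash step is passed in as a script block because no particular flashing utility is assumed.

```powershell
# Added example (not Stone's BIOS Updater): pre-flight checks before flashing a
# Stone Asus desktop. The minimum versions are a subset of the Stone Desktop
# support matrix; the flash command is an assumption passed in by the caller.

# Baseboard product -> minimum recommended BIOS version (from the support matrix)
$MinimumBios = @{
    'PRIME H510M-A' = 2404
    'PRIME H610M-A' = 3801
    'PRO Q670M-C'   = 3801
    'PRIME B360M-A' = 3204
}

function Test-BiosNeedsUpdate {
    param([string]$Baseboard, [string]$CurrentVersion)
    if (-not $MinimumBios.ContainsKey($Baseboard)) { return $null }  # not in the matrix
    # Asus desktop BIOS versions in the matrix are plain integers (e.g. 3801);
    # strip any non-digit decoration SMBIOS may add before comparing.
    $current = [int]($CurrentVersion -replace '\D', '')
    return ($current -lt $MinimumBios[$Baseboard])
}

function Invoke-FirmwarePreflight {
    param([scriptblock]$FlashCommand, [string]$LogPath = 'C:\BiosUpdate.csv')
    $bb   = Get-CimInstance Win32_BaseBoard
    $bios = Get-CimInstance Win32_BIOS
    $needs = Test-BiosNeedsUpdate -Baseboard $bb.Product -CurrentVersion $bios.SMBIOSBIOSVersion
    if ($null -eq $needs) { Write-Warning "$($bb.Product) is not in the support matrix; stopping."; return }
    if (-not $needs)      { Write-Host "BIOS $($bios.SMBIOSBIOSVersion) already meets the minimum."; return }
    # A firmware update (and the Secure Boot variable changes that come with it)
    # can change the PCR values the TPM protector is sealed to, so back up the
    # recovery password and suspend BitLocker for one reboot before flashing.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $suspended = $false
    if ($vol.ProtectionStatus -eq 'On') {
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if ($rp) {
            try { BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $rp[0].KeyProtectorId | Out-Null }
            catch { Write-Warning "Azure AD backup failed; record the recovery password elsewhere before continuing." }
        }
        Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 1 | Out-Null
        $suspended = $true
    }
    & $FlashCommand   # vendor-specific flashing utility (assumption)
    [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; Baseboard = $bb.Product; BiosBefore = $bios.SMBIOSBIOSVersion
                       Minimum = $MinimumBios[$bb.Product]; BitLockerSuspended = $suspended; Time = Get-Date } |
        Export-Csv -Path $LogPath -Append -NoTypeInformation
}
```

Because BitLocker is suspended with -RebootCount 1, protection resumes automatically after the reboot that completes the flash, so the window during which the drive is unprotected is limited to that single restart.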
 

This download is similar in function to the Stone Asus BIOS Updater V2.0, but it has been packaged as a Microsoft Intune application which customers can push out to targeted clients, where it will install and apply the firmware update.
It is intended for users who are familiar with managing devices, groups and applications in Microsoft Intune.
Please note this tool is only compatible with Stone devices containing Asus motherboards.

The download package contains help documentation detailing function and usage.
Customers are advised to test on a sample batch of devices to confirm operation.


Firmware support matrix

The tables below list product information and links to download firmware that includes the hard-coded Secure Boot 2023 certificates.
This information will continue to be updated as new firmware becomes available.

Stone Desktop

Manufacturer           | Baseboard Model     | ComputerSystem Name | Minimum Recommended BIOS Version
ASUSTeK COMPUTER INC.  | B150M-A             | BOAMOT-480          | 4401
ASUSTeK COMPUTER INC.  | H110M-A/DP          | BOAMOT-481          | 4401
ASUSTeK COMPUTER INC.  | Q170M-C             | BOAMOT-482          | 4401
ASUSTeK COMPUTER INC.  | B150M-A/M.2         | BOAMOT-485          | 4401
ASUSTeK COMPUTER INC.  | B250M-A             | BOAMOT-488          | 2201
ASUSTeK COMPUTER INC.  | Q270M-C             | BOAMOT-489          | 2201
ASUSTeK COMPUTER INC.  | PRIME A320M-R       | BOAMOT-500          | 6241
ASUSTeK COMPUTER INC.  | PRIME A520M-A       | BOAMOT-506          | 9008
ASUSTeK COMPUTER INC.  | PRIME A520M-A II    | BOAMOT-519          | 3634
ASUSTeK COMPUTER INC.  | PRIME A520M-A II    | BOAMOT-520          | 3634
ASUSTeK COMPUTER INC.  | PRIME A620M-A       | BOAMOT-521          | 3278
ASUSTeK COMPUTER INC.  | PRIME B360M-A       | BOAMOT-493          | 3204
ASUSTeK COMPUTER INC.  | PRIME H310M-A       | BOAMOT-492          | 3204
ASUSTeK COMPUTER INC.  | PRIME H310M-R R2.0  | BOAMOT-499          | 2210
ASUSTeK COMPUTER INC.  | PRIME H410M-A       | BOAMOT-503          | 1802
ASUSTeK COMPUTER INC.  | PRIME H510M-A       | BOAMOT-507          | 2404
ASUSTeK COMPUTER INC.  | PRIME H610M-A       | BOAMOT-526          | 3801
ASUSTeK COMPUTER INC.  | PRIME H610M-A D4    | BOAMOT-511          | 3801
ASUSTeK COMPUTER INC.  | PRIME H610M-A D4    | BOAMOT-524          | 3801
ASUSTeK COMPUTER INC.  | PRIME H810M-A       | BOAMOT-528          | All BIOS
ASUSTeK COMPUTER INC.  | PRIME Q370M-C       | BOAMOT-494          | 3204
ASUSTeK COMPUTER INC.  | PRO Q570M-C         | BOAMOT-508          | 9047
ASUSTeK COMPUTER INC.  | PRO Q670M-C         | BOAMOT-512          | 3801
ASUSTeK COMPUTER INC.  | PRO Q870M-C         | BOAMOT-529          | All BIOS

Stone AIO

Manufacturer           | Baseboard Model   | ComputerSystem Name      | Minimum Recommended BIOS Version
ASUSTeK COMPUTER INC.  | H110T             | BOAMOT-483 / BOAMOT-490  | 4401
ASUSTeK COMPUTER INC.  | Q170T             | BOAMOT-484               | 4401
ASUSTeK COMPUTER INC.  | PRIME H310T       | BOAMOT-495               | 3204
ASUSTeK COMPUTER INC.  | PRIME H310T R2.0  | BOAMOT-501               | 2210
ASUSTeK COMPUTER INC.  | PRO H410T         | BOAMOT-505               | 1801
ASUSTeK COMPUTER INC.  | PRO H610T         | BOAMOT-527               | 3801
ASUSTeK COMPUTER INC.  | PRO H610T D4      | BOAMOT-513               | 3801

Stone Mini

Manufacturer           | Baseboard Model   | ComputerSystem Name      | Minimum Recommended BIOS Version
PEGATRON CORPORATION   | H110D4-P1         | PCMSYS-100 / PCMSYS-102  | 0411
PEGATRON CORPORATION   | Q170-D4P1         | PCMSYS-101 / PCMSYS-103  | 0207
ASRock                 | H310D4-P1         | PCMSYS-104               | 1.30P
ASRock                 | Q370D4-P1         | PCMSYS-105 / PCMSYS-106  | 1.20O
ASUSTeK COMPUTER INC.  | H110T             | BOAMOT-483 / BOAMOT-490  | 4401
ASUSTeK COMPUTER INC.  | Q170T             | BOAMOT-484               | 4401
ASUSTeK COMPUTER INC.  | PRIME H310T       | BOAMOT-495               | 3204
ASUSTeK COMPUTER INC.  | PRIME H310T R2.0  | BOAMOT-501               | 2210
ASUSTeK COMPUTER INC.  | PRO H410T         | BOAMOT-505               | 1801
ASUSTeK COMPUTER INC.  | PRO H610T         | BOAMOT-527               | 3801
ASUSTeK COMPUTER INC.  | PRO H610T D4      | BOAMOT-513               | 3801

Stone Micro / Nano

Manufacturer           | Baseboard Model  | ComputerSystem Name  | Minimum Recommended BIOS Version
ASUSTeK COMPUTER INC.  | NUC14RVKU5       | ASUSPC-10007         | 0050
ASUSTeK COMPUTER INC.  | NUC14RVKU7       | ASUSPC-10008         | 0050

Stone Notebook

Manufacturer  | Baseboard Model  | ComputerSystem Name  | Minimum Recommended BIOS Version
ECS           | SP41MD           | NOTCHA-346           | V15
ECS           | SP41MD           | NOTCHA-347           | V15
ECS           | SP41MD           | NOTCHA-358           | V15
ECS           | SP41MD           | NOTCHA-359           | V15

Stone Workstation

Manufacturer                        | Baseboard Model            | ComputerSystem Name  | Minimum Recommended BIOS Version
ASUSTeK COMPUTER INC.               | Prime Z690-A               | ISRMOT-247           | 4301
ASUSTeK COMPUTER INC.               | Prime B760M-A D4           | ISRMOT-272           | 1820
ASUSTeK COMPUTER INC.               | Prime Z790-P-CSM           | ISRMOT-273           | 1820
ASUSTeK COMPUTER INC.               | Prime B650M-A II           | ISRMOT-274           | 3278
ASUSTeK COMPUTER INC.               | Prime Z890-P               | ISRMOT-295           | All BIOS
ASUSTeK COMPUTER INC.               | Prime X870-P WIFI          | ISRMOT-302           | All BIOS
ASUSTeK COMPUTER INC.               | Prime B760M-A              | ISRMOT-307           | 1820
Micro-Star International Co., Ltd.  | PRO Z790-P WIFI (MS-7E06)  | ISRMOT-311           | 7E06vAI
ASUSTeK COMPUTER INC.               | B850M MAX GAMING WIFI      | ISRMOT-313           | 1078
