The Microsoft 2011 Secure Boot certificates expire in June 2026. Devices whose firmware still trusts only these certificates may no longer be able to iPXE boot with Secure Boot enabled.
Secure Boot is a critical security feature of UEFI firmware that ensures only verified, trusted software loads during a device's boot process. Since Microsoft introduced Secure Boot with Windows 8 in 2012 (it is also supported on Windows 8.1, 10 and 11), every certified Windows PC has shipped with the same Microsoft certificates stored in the KEK (Key Exchange Key) database and in db (the allowed signature database). These original certificates are scheduled to expire in 2026. Firmware does not check certificate validity dates, so already-signed components keep booting; the problem is that Microsoft will sign new boot components, including PXE boot loaders, only with its 2023 certificates, which older firmware does not trust.
Official Microsoft documentation about the Secure Boot change:
Windows Secure Boot certificate expiration and CA updates - Microsoft Support
Act now: Secure Boot certificates expire in June 2026 - Windows IT Pro Blog
In version 9.3.311 of the KACE System Deployment Appliance, we have updated our certificates to address this situation and make the KACE SDA future-proof, ensuring full compatibility with the upcoming changes.
More details about this hotfix can be found here.
Download the hotfix by clicking here.
The device's Secure Boot signature database (db) must contain the new Microsoft certificates. On most devices this is delivered through a BIOS/UEFI firmware update from the equipment OEM (Dell, HP, Lenovo); Microsoft also distributes db updates through Windows Update where the OEM has enabled this, but a device that is bare-metal imaged over PXE usually depends on the firmware update. If db is not updated, boot loaders signed under the new certificates will be rejected and PXE booting with Secure Boot enabled will fail.
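The following script, added here as an example and not part of the KACE article or Quest's code, shows how to verify the point above on a device: it parses the EFI_SIGNATURE_LIST layout of the Secure Boot db variable and reports whether only the 2011 CAs or also the 2023 CAs are present. On Linux (for instance from a Linux boot environment on the target machine) it reads db from efivarfs; elsewhere it evaluates two constructed sample databases. The "certificates" inside the samples are constructed placeholders that only carry the CA name bytes, not real DER certificates; the owner GUID and CA names are the well-known Microsoft values.

```python
"""Check a UEFI Secure Boot db blob for the Microsoft 2011 and 2023 CAs.

Added example, not part of the KACE article or Quest's code. Parses the
EFI_SIGNATURE_LIST format (UEFI spec, "Signature Database") and reports
which Microsoft CA names appear inside X.509 entries. The sample
certificate bytes below are constructed placeholders, not real certs.
"""
import os
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# db lives under EFI_IMAGE_SECURITY_DATABASE_GUID on Linux efivarfs
DB_EFIVAR = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
# Microsoft's SignatureOwner GUID, used here only for the constructed sample
MS_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

# CA common names: the expiring 2011 set and the replacement 2023 set
CA_2011 = ("Microsoft Windows Production PCA 2011", "Microsoft Corporation UEFI CA 2011")
CA_2023 = ("Windows UEFI CA 2023", "Microsoft UEFI CA 2023", "Microsoft Option ROM UEFI CA 2023")

HEADER_LEN = 28  # SignatureType(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)


def parse_signature_lists(blob):
    """Return [(signature_type, owner, signature_data), ...] for every entry in blob."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size < 16:
            raise ValueError(f"SignatureSize {sig_size} too small for an owner GUID")
        body = blob[off + HEADER_LEN + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"signature array at offset {off} is not a multiple of {sig_size}")
        for i in range(0, len(body), sig_size):  # each EFI_SIGNATURE_DATA: owner GUID + data
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def ca_names_present(blob, names=CA_2011 + CA_2023):
    """Names found inside X.509 entries; DER stores the CN as plain ASCII bytes."""
    found = set()
    for sig_type, _owner, data in parse_signature_lists(blob):
        if sig_type != EFI_CERT_X509_GUID:
            continue  # hash entries carry no certificate name
        found.update(n for n in names if n.encode("ascii") in data)
    return found


def assess(blob):
    """'updated' if any 2023 CA is trusted, '2011-only' if only the old set, else 'no-microsoft-ca'."""
    present = ca_names_present(blob)
    if any(n in present for n in CA_2023):
        return "updated"
    if any(n in present for n in CA_2011):
        return "2011-only"
    return "no-microsoft-ca"


def read_db_efivar(path=DB_EFIVAR):
    """db contents from Linux efivarfs (first 4 bytes are the variable attributes), or None."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        return f.read()[4:]


def build_signature_list(sig_type, owner, signatures):
    """Pack one EFI_SIGNATURE_LIST; all signatures in a list must have one length."""
    sig_size = 16 + len(signatures[0])
    if any(16 + len(s) != sig_size for s in signatures):
        raise ValueError("signatures within one list must be equal-sized")
    body = b"".join(owner.bytes_le + s for s in signatures)
    return sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, sig_size) + body


def fake_cert(common_name):
    """Constructed placeholder: NOT a real certificate, just carries the CN bytes."""
    return b"\x30\x82" + common_name.encode("ascii") + b"\x00" * 8


def sample_db_2011_only():
    """Constructed db: one list per cert (real firmware does the same), plus two SHA-256 hashes."""
    certs = b"".join(build_signature_list(EFI_CERT_X509_GUID, MS_OWNER, [fake_cert(n)]) for n in CA_2011)
    hashes = build_signature_list(EFI_CERT_SHA256_GUID, MS_OWNER, [b"\xaa" * 32, b"\xbb" * 32])
    return certs + hashes


def sample_db_updated():
    """Constructed db after the 2023 CAs have been appended."""
    return sample_db_2011_only() + b"".join(
        build_signature_list(EFI_CERT_X509_GUID, MS_OWNER, [fake_cert(n)]) for n in CA_2023)


if __name__ == "__main__":
    live = read_db_efivar()
    if live is None:
        print("no efivarfs db found; evaluating constructed samples")
        for label, blob in (("2011-only sample", sample_db_2011_only()), ("updated sample", sample_db_updated())):
            print(f"{label}: {assess(blob)} {sorted(ca_names_present(blob))}")
    else:
        print(f"this device: {assess(live)} {sorted(ca_names_present(live))}")
```

A result of "2011-only" on a device means its firmware has not yet received the OEM update described above. On Windows the same check is `Get-SecureBootUEFI -Name db` with a string match on the returned bytes, which is the approach Microsoft's own guidance uses.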
Here is documentation from the OEMs regarding this situation:
Microsoft 2011 Secure Boot Certificate Expiration | Dell US
How To Update Secure Boot Active Database from BIOS | Dell US
Guide to Secure Boot Modes - Lenovo CDRT Docs Site
HP Commercial PCs - Prepare for new Windows Secure Boot certificates | HP® Support
Surface Secure Boot Certificates - Microsoft Support
Note:
In some cases, affected devices may require a one-time manual intervention: enter the BIOS/UEFI setup and select the option to reset or clear the Secure Boot keys, so that the firmware reloads its default key set (which, after the firmware update, includes the new certificates), before the system will boot successfully.