On 8 May 2026, every UK SME running a Windows estate is staring at the same calendar entry. In 42 days, on 19 June 2026, the cryptographic spine that has signed every Windows boot path on Earth for the last fifteen years — the Microsoft 2011 Secure Boot certificate chain — starts to expire. Devices will still turn on. Windows Update will still pull cumulative updates. BitLocker will not re-prompt. But from that date forward, any machine that has not been moved to the new 2023 certificate chain will be quietly locked out of every future Secure Boot security update Microsoft ships: no new Boot Manager updates, no new DBX revocations, no mitigations for boot-level vulnerabilities that surface in 2027, 2028 or beyond.

This is not a Windows 10 cliff. It is not a paid Extended Security Update. It does not need new hardware or a new licence. The 2023 chain is free, and Microsoft has been shipping it inside cumulative updates since October 2025. What it does need is engineering time, an honest inventory of every Windows endpoint and server in your estate, and a deployment plan that lands on the right side of Patch Tuesday on 12 May 2026 — according to Help Net Security’s May forecast, the last comfortable patch window before the June expiry. This is the full UK SME action plan: what is changing, what stops working, the four supported deployment paths, the PowerShell verification kit, the Cyber Essentials v3.3 Danzell angle, and a 42-day rollout sequence keyed to the 0x5944 registry value and the \Microsoft\Windows\PI\Secure-Boot-Update scheduled task.

Days to first cert expiry on 19 June 2026

159

Days to the 14 October Production PCA expiry

Microsoft 2011 CAs being replaced by 2023 successors

£0

Licence cost — the 2023 chain ships free in cumulative updates

What Microsoft has actually announced

The Microsoft IT Pro team and the wider Windows engineering organisation have, over the last seven months, published the most detailed and most accessible certificate-rotation plan in the platform’s history. The headline is straightforward: four certificates that have signed Windows Boot Managers, third-party UEFI bootloaders, Option ROMs and the DBX revocation lists since 2011 are reaching their fifteen-year design life and rolling over to a parallel set of 2023 certificates. The pivot points are calendar dates, not telemetry-triggered events, and once the dates land they will not move.

Two of the four expiring CAs — Microsoft Corporation KEK CA 2011 (the Key Exchange Key that signs DB and DBX updates pushed by Microsoft) and Microsoft UEFI CA 2011 (the third-party CA that signs Linux shims, GRUB and Option ROM signatures for network cards, RAID controllers and discrete GPUs) — expire in June 2026. The third CA, Microsoft Windows Production PCA 2011 (the cert that signs the Windows Boot Manager itself), follows on 14 October 2026. Each one is being replaced by a named 2023 successor stored in either KEK or DB on the device’s firmware: Microsoft Corporation KEK 2K CA 2023, Microsoft UEFI CA 2023, Microsoft Option ROM UEFI CA 2023, and Windows UEFI CA 2023. The Option ROM bifurcation is new — one 2011 CA is being replaced by two 2023 CAs to cleanly separate operating-system bootloader signing from peripheral firmware signing.

Microsoft began shipping the 2023 CAs as part of October 2025 cumulative updates, which is when the chain-of-trust transition started. The January 2026 cumulative updates moved the rollout from optional to phased automatic deployment for ‘high-confidence’ devices — estates whose hardware vendors and firmware versions Microsoft has verified work cleanly with the new chain. The April 2026 cumulative updates added a Secure Boot certificate status panel inside the Windows Security app, so end users and IT administrators can see, on a single screen and without PowerShell, whether a device is on the 2011 or 2023 chain. The IT pro landing page is https://aka.ms/GetSecureBoot and is the single source of truth for the rollout.

The DBX revocation cliff is the part most write-ups miss

The cliff is not just the certificate clock. After June 2026, Microsoft will publish a DBX revocation that explicitly blocks any bootloader signed only with Microsoft UEFI CA 2011, and that DBX update will reach devices through Windows Update. From that point a 2011-only device is locked out of new third-party bootloaders — new Linux ISOs that ship with shims signed under the 2023 CA, security recovery tools, and any Option ROM firmware that has been re-signed under the 2023 chain. The local UEFI clock thinking the certificate is still valid does not save you. The DBX revocation is the hard cliff, not the calendar.

The 2025-2026 timeline at a glance

October 2025 — 2023 CAs first ship

Microsoft includes the four new 2023 CAs in October 2025 cumulative updates for every supported Windows version. The chain-of-trust transition begins. Eligible estates that take all updates have the new chain present from this date.

January 2026 — phased automatic deployment starts

January cumulative updates flip the certificate update from opt-in to phased automatic for high-confidence devices. From this date, devices not yet on the 2023 chain are an explicit IT action item, not a passive wait.

April 2026 — Windows Security status panel arrives

April cumulative updates add a Secure Boot certificate status panel inside the Windows Security app. Administrators can see at a glance which devices are on the 2011 chain versus the 2023 chain without resorting to PowerShell or registry inspection.

12 May 2026 — the last comfortable Patch Tuesday

Help Net Security’s May 2026 forecast labels next Tuesday the last comfortable deployment window. After 12 May, you have one more June Patch Tuesday before the cliff — but waiting until then forces an emergency rollout, not a phased one.

19 June 2026 — KEK 2011 + UEFI CA 2011 expire

Microsoft Corporation KEK CA 2011 and Microsoft UEFI CA 2011 reach their fifteen-year expiry. Devices still boot, but the 2011 chain is now stale. New DBX revocations and new third-party bootloader signatures cannot be trusted on a 2011-only device.

Post-June 2026 — DBX actively revokes UEFI CA 2011

Microsoft pushes a DBX update that explicitly blocks bootloaders signed only with Microsoft UEFI CA 2011. Once that DBX reaches a device, any old-chain Linux shim, recovery tool or Option ROM is blocked even if the firmware clock still considers the cert valid.

14 October 2026 — Windows Production PCA 2011 expires

The cert that signs the Windows Boot Manager itself reaches end of life. From this date, future Windows feature updates that ship a Boot Manager signed only with the 2023 chain will fail Secure Boot on any device that still trusts only the 2011 chain.

How urgent is each certificate, in days

Translating the above into a single ranked view of remaining time helps prioritise the rollout. The 19 June expiries are the binding constraint. The DBX revocation window is a Microsoft-defined cadence rather than a single date, but the published guidance places it within a few weeks of the June expiries. The 14 October Production PCA is the longest pole in the tent but it is the one that breaks future feature updates, not just future security updates.

KEK CA 2011 (June expiry)

42 days

UEFI CA 2011 (June expiry)

42 days

DBX revocation window opens

~50–80 days

Production PCA 2011 (Oct expiry)

159 days

12 May Patch Tuesday window

4 days

June Patch Tuesday (last before cliff)

~32 days

Catch-up runway since Oct 2025

~210 days available

What still works after June — and what does not

One of the most useful framings of this rollover, and the one most worth communicating to non-technical leadership in your SME, is the difference between ‘continues working’ and ‘stops getting updates’. The 2011 chain expiring does not brick devices. It does not prevent Windows from booting. It does not stop the Defender engine from updating, BitLocker from unlocking the volume, or Windows Update from pulling cumulative updates. Standard application code-signing chains are completely unaffected — this is UEFI / pre-OS code only.

What does change is the device’s ability to receive future Secure Boot updates. After June, a 2011-only device will be unable to install new Boot Manager updates Microsoft ships in subsequent cumulative updates, will not pull new DBX revocations, and once Microsoft pushes the post-June DBX revocation of UEFI CA 2011, will refuse to load third-party bootloaders signed only with the old CA. New Linux distribution releases that use a 2023-signed shim, security tools that ship their own bootloader, and any Option ROM firmware updates re-signed under the 2023 chain will all be blocked. The donut below is the cleanest visual we have for this divide.

Approximately 55% of capability continues working post-June (boot, Windows Update, BitLocker, Defender, application signing). The remaining 45% is on the new-update side that requires the 2023 chain to keep flowing — new Boot Manager updates, new DBX revocations, new third-party bootloaders, future feature-update Boot Managers signed under the 2023 CA.

How ready is your estate, honestly

Before you push any registry value or stage any GPO, the highest-leverage action is an honest readiness assessment. The score grid below is the one Cloudswitched uses with new IT Support clients in the first conversation. Each row is binary in spirit but expressed on a Red / Amber / Green scale because in practice an SME estate is rarely all the way to one extreme. If three or more rows score Red, the 12 May Patch Tuesday is your ‘decision’ window, not your ‘deploy’ window — meaning you spend the next four days doing inventory, not certificate updates.

Secure Boot 2023 readiness self-assessment

Complete inventory of every Windows endpoint and server, with version and build

Red if missing

Every device on Windows 10 1607+ or Windows 11 21H2+ (i.e. eligible for the 2023 chain)

Amber if any 1507/1511 LTSB still in scope

Cumulative updates from October 2025 onwards installed on every device

Red if any device is more than three CUs behind

January 2026 CU installed (when phased auto-deployment of 2023 CAs began)

Amber if missing on more than 10% of fleet

April 2026 CU installed (status panel in Windows Security app)

Amber if missing on more than 5% of fleet

2023 CAs visibly present in DB / KEK on every device (verified by PowerShell or Windows Security)

Red if not yet checked anywhere

DBX rollback / recovery plan documented and tested

Red if no plan exists

Cyber Essentials v3.3 A2.4 evidence updated to reference the 2023 chain

Amber until renewal cycle

What it costs in engineering time, by estate size

The licence column of the cost table for this rollover is mercifully simple: the 2023 CAs ship inside ordinary cumulative updates, so the answer is £0 across the board for every supported version. There is no Extended Security Update equivalent, no per-device fee, and no Microsoft 365 add-on required. The cost is entirely engineering time, and the curve scales with estate size and with how distributed and how heterogeneous your hardware is. A 30-endpoint single-site SME with Microsoft 365 Business Premium and Intune is a genuinely different shape of project from a 250-endpoint multi-site SME with mixed Surface, Dell and HP hardware on a slow firmware patching cadence.

Estate size	Engineering time (planning + rollout + verification)	Recommended deployment path	Licence cost
5–25 endpoints, single site	Approximately 4 hours	Registry plus scheduled task per device, run during a quiet morning	£0
25–100 endpoints, single or two-site	Approximately 1 day	Group Policy Preferences pushing the 0x5944 registry value, plus PowerShell remoting for verification	£0
100–500 endpoints, multi-site	2–4 days	Intune Settings Catalog Secure Boot policy, ring-deployed (pilot ring, broad ring, exception ring)	£0
500+ endpoints, mixed Intune/SCCM	1–2 weeks (project shape)	Hayes Jupe SCCM task sequence pattern, plus Intune Settings Catalog for cloud-managed devices, plus exception register for legacy hardware	£0
Servers (2012 ESU through 2025)	Approximately 2 hours per server cluster, change-controlled	Manual registry / scheduled task during a planned maintenance window, with cluster-level reboot orchestration	£0 (free even on 2012 ESU paths)

Three deployment postures — and the failure mode of each

The choice you actually face is not technical. It is a posture choice between waiting and seeing, phasing the rollout before 12 May Patch Tuesday, or holding back to a single big-bang deployment in late June. Each one has a different failure mode, a different cost, and a different conversation with leadership and with your cyber insurance renewal questionnaire. The Cloudswitched recommendation, set out under the ‘Phase before 12 May’ column, is the one most likely to leave you with the smallest support load and the cleanest evidence for Cyber Essentials.

Wait and see

‘Microsoft is auto-deploying it — surely it will sort itself out’

Phased auto-deployment only covers high-confidence devices. Fleet outliers are excluded by design.
No visibility into which devices have actually flipped. The April status panel helps, but no one is opening it.
June arrives and a meaningful percentage of the estate is still 2011-only. Now you are doing emergency response, not planned ops.
Cyber Essentials v3.3 A2.4 evidence is incomplete. Insurance questionnaire scores the estate as exposed.

Phase before 12 May Patch Tuesday

Recommended — pilot Friday, broad rollout Monday and Tuesday

Pilot ring of 5–10% of devices on Friday 9 May. Validate via Get-UEFICertificate and Windows Security app.
Broad rollout Monday 12 May aligns with Patch Tuesday so the reboot is bundled with the regular CU reboot users already expect.
Exception ring for any device that fails the pilot. You have until 19 June to resolve, with a clear remaining-budget number.
Cyber Essentials evidence and insurance questionnaire both pass cleanly. Audit trail is short and chronological.

Big-bang in late June

‘We’ll do it just before the deadline’

All deployment work compressed into a 5–7 day window with zero room for hardware-specific failure.
Reboots are not aligned with normal patch reboots, so users notice and helpdesk volume spikes.
Any failure means the device misses 19 June, ends up on the wrong side of the DBX revocation, and now needs out-of-band remediation.
Late June is also peak holiday cover season for UK SMEs — the worst possible time to be dependent on senior engineers.

The 10-step rollout plan, in order, with dependencies

This is the sequence a managed IT Support team would run for a typical 50–200 endpoint UK SME starting today. The percentages on the progress bars represent how much of the work the average estate has typically already done by 8 May 2026 — based on Microsoft’s phased rollout signals, not a sourced UK statistic. If your numbers are materially worse than these, treat them as a calibrated warning, not a benchmark.

Step 1 — Inventory every Windows endpoint and server, with build, edition, OEM and last-CU date

Most estates have an inventory but few have build-level granularity. Aim for 100% before doing anything else.

Step 2 — Confirm every device is on a supported Windows 10/11 build and a supported Windows Server build

Windows 10 must be 1607 or later. Windows 11 must be 21H2 or later. Servers must be 2012 with ESU or above.

Step 3 — Bring every device current to at least the April 2026 cumulative update

Includes the Windows Security status panel. Without this, your verification step is a PowerShell-only path.

Step 4 — Open the Windows Security app on a sample of devices and inspect the Secure Boot status

If the panel reports the 2011 chain only, this device is in the action set. If it reports the 2023 chain present, verify with PowerShell anyway.

Step 5 — Choose your deployment path: Registry, GPO Preferences, Intune Settings Catalog, WinCS APIs, or SCCM task sequence

Cloud-only Intune-managed estates: Settings Catalog. Hybrid: GPO Preferences. SCCM estates: the Hayes Jupe pattern. Standalone: Registry.

Step 6 — Stage a pilot ring of 5–10% of devices, biased toward representative hardware

Make sure the ring covers every distinct OEM and every distinct firmware family. A pilot of five identical Dell OptiPlex teaches you almost nothing.

Step 7 — Push the registry value 0x5944 and trigger the scheduled task — verify after reboot

Use Confirm-SecureBootUEFI followed by Get-UEFICertificate. Confirm all four 2023 CAs are present in DB / KEK.

Step 8 — Broad rollout aligned to 12 May Patch Tuesday, ring by ring

User reboots are bundled with the regular CU reboot. Helpdesk impact is proportionally lower.

Step 9 — Build an exception register for devices that failed the pilot or broad rollout

Old hardware with non-Microsoft custom KEKs, hardware where the OEM has not shipped a 2023-aware firmware update, devices with disabled Windows Update.

Step 10 — Update Cyber Essentials v3.3 A2.4 evidence and the cyber-insurance renewal questionnaire

Update the evidence pack to reference the 2023 chain explicitly. Note the date of last verification per device.

Cyber Essentials v3.3 Danzell exposure if you do nothing

The UK Cyber Essentials v3.3 control set, published as the Danzell update on 27 April 2026, includes A2.4 covering boot security. The control text reads, in our paraphrase, that boot processes must be ‘secure boot enabled and supported by current vendor security updates.’ A device on the 2011 chain after 19 June can still report Secure Boot as enabled in the firmware menu, but it has been cut off from current vendor security updates — specifically the new DBX revocations Microsoft will publish under the 2023 chain. That is, on our reading of the control text, an A2.4 gap. The gauge below visualises the exposure trajectory if you take no action.

High

Cyber Essentials v3.3 A2.4 exposure if no action is taken before 19 June 2026, on Cloudswitched’s reading of the control text. The needle pegs to high once the cert clock turns over because there is no longer a path to receive new DBX revocations.

The four supported deployment paths, with the exact registry values

Microsoft documents four supported paths to apply the 2023 CAs. Each one ends up writing the same registry value and triggering the same scheduled task. The choice of path is operational, not technical — pick the one that matches how you already manage Windows policy in your estate.

The four supported paths and the exact values

1. Registry — set HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates to 0x5944 (DWORD). Then run the scheduled task \Microsoft\Windows\PI\Secure-Boot-Update. Reboot. Re-run the scheduled task. Verify. This is the path Microsoft documents first and it is what every other path ultimately invokes.

2. Group Policy / Intune Settings Catalog — push the same AvailableUpdates DWORD value of 0x5944 through GPO Preferences and Registry, or via Intune’s Settings Catalog Secure Boot policy. The Settings Catalog has a dedicated Secure Boot Certificate Update profile that abstracts the registry write away from the administrator.

3. WinCS APIs (Windows Customer Self-help) — the programmatic path used by OEMs and large fleet management tools. Most UK SMEs do not need this directly; their managed-services partner or RMM platform might.

4. SCCM / MECM — covered by the published Hayes Jupe task sequence pattern. Recommended for estates with established imaging pipelines and a strong preference for the SCCM compliance reporting model. The same registry value and the same scheduled task path are used inside the task sequence.

The PowerShell verification kit

Whichever deployment path you choose, the verification step is identical. It is also the step most often skipped — the registry write returns success even if the scheduled task subsequently fails, so verifying the actual cert state on the device is the only honest signal. The kit below is small enough to paste into a remote PowerShell session and big enough to be definitive. After reboot, re-run Get-UEFICertificate and confirm all four 2023 CAs are present.

Three commands every IT manager should know this month

Confirm Secure Boot is on: Confirm-SecureBootUEFI

List every CA in DB / KEK / DBX: Get-UEFICertificate | Format-Table Database, Subject, NotAfter (uses the community Get-UEFICertificate script — see source 10).

Trigger the certificate update task explicitly: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name AvailableUpdates -Value 0x5944 -Type DWord followed by Start-ScheduledTask -TaskPath "\Microsoft\Windows\PI\" -TaskName "Secure-Boot-Update" followed by a Restart-Computer. After the reboot, re-run Get-UEFICertificate and confirm the four 2023 CAs are present in DB / KEK.

Your 42-day plan in five steps, at a glance

#	Action	Owner	By when
1	Build a complete inventory: every Windows endpoint and server, with build, edition, OEM, and last-CU date.	IT lead	Friday 9 May 2026
2	Bring every device current to at least the April 2026 CU. Address any device more than two CUs behind.	IT lead	Saturday 10 May 2026
3	Pilot the 0x5944 registry value plus scheduled task on a representative ring of 5–10% of devices. Verify with Get-UEFICertificate.	IT lead / partner	Sunday 11 May 2026
4	Broad rollout via GPO Preferences or Intune Settings Catalog, aligned to 12 May Patch Tuesday. Bundle reboot with the CU reboot.	IT lead / partner	Tuesday 12 May 2026
5	Build the exception register, document Cyber Essentials v3.3 A2.4 evidence, and verify the four 2023 CAs are present on every device.	IT lead	Friday 16 May 2026

How this fits with the rest of your in-flight Windows estate work

This rollover does not happen in isolation. Every UK SME running Windows is currently juggling at least three other estate-level workstreams, and Secure Boot 2023 has touchpoints with each. The most important one to be precise about is the Windows 10 14 October 2026 ESU cliff — same calendar quarter, same Windows estate, completely different event. Conflating them is the most common briefing-paper error in this space, and it leads to the wrong budget conversation with leadership.

Our prior coverage of the broader Windows estate transition lives at the Windows 10 October 2026 final cliff piece, which sets out the ESU side of the estate decision. The Cyber Essentials v3.3 control set that the A2.4 boot security control sits inside is detailed in the Cyber Essentials v3.3 Danzell deadline brief. For context on Microsoft platform reliability over the same window, our Microsoft 365 / Azure outage wave 2026 piece sits alongside this rollout. The wider patching cadence picture — this Patch Tuesday is not just the Secure Boot Tuesday — is in the Palo Alto PAN-OS zero-day action plan, which is sister coverage of this week. The breach-rate framing for leadership conversations is in the UK Cyber Security Breaches Survey 2025/2026 SME wake-up call piece. And the broader UK government posture on SME cyber resilience is set out in the UK cyber resilience pledge / CyberUK 2026 piece.

Need a managed Secure Boot 2023 rollout for your London or Home Counties SME?

Our IT Support team runs Secure Boot 2023 rollouts as a packaged engagement: inventory, pilot ring, broad rollout aligned to your next Patch Tuesday, exception register and Cyber Essentials evidence pack. Fixed-fee for estates up to 250 endpoints. Phased for larger estates. Every reboot bundled with the cumulative update reboot users already expect.

Talk to IT Support

Frequently asked questions on the 2026 Secure Boot rollover

Will my PC still boot after 19 June 2026 if I do nothing?

Yes. The certificate expiring does not prevent the device from booting. Secure Boot stays enabled, the Windows Boot Manager still loads, the operating system still starts, BitLocker still unlocks, Windows Update still pulls cumulative updates, and Defender continues to receive intelligence updates. What stops working is your device’s ability to receive new Secure Boot updates — new Boot Manager updates, new DBX revocations, and trust for new third-party bootloaders signed under the 2023 chain. After Microsoft publishes its post-June DBX revocation of UEFI CA 2011, any third-party bootloader signed only with the old CA will be blocked even if the local UEFI clock thinks the cert is still valid.

Do I need new hardware to receive the 2023 chain?

No. The 2023 CAs ship via ordinary Windows cumulative updates. They reach DB and KEK through the normal Windows Update path. Any device on Windows 10 1607 or later, Windows 11 21H2 or later, or Windows Server 2012 with ESU through Windows Server 2025 is eligible. The eligibility list specifically includes Windows 10 LTSB and LTSC variants on 1607-and-up, plus Windows 11 Home, Pro, Enterprise, Education, IoT Enterprise, Multi-Session and SE editions. If your hardware boots one of those Windows versions, it can receive the 2023 chain.

Does this need a paid Microsoft licence or an Extended Security Update subscription?

No. The 2023 CAs are a free part of cumulative updates for every supported Windows version above. There is no per-device fee, no Microsoft 365 add-on, and no Extended Security Update licence required — not even on the Windows Server 2012 ESU path, which already includes the certificate update inside its ESU cumulative updates. The cost of this rollover is engineering time, not licence spend. That is also why we mark licence cost as £0 across every row of the cost table earlier in this article.

What about Windows 10 22H2 specifically — does the 14 October 2026 ESU cliff change this?

Windows 10 22H2 is on the supported list for the 2023 CA update. The Secure Boot rollover and the 14 October 2026 Windows 10 end-of-support cliff are two different events on the same calendar quarter and they should not be conflated. A Windows 10 22H2 device that has received the 2023 CAs in May or June still becomes unsupported on 14 October unless it is on a Windows 10 ESU path. Conversely, a Windows 10 22H2 device on ESU still needs the 2023 CAs to keep receiving Secure Boot updates after June. They are independent. Treat them as two separate workstreams that happen to land in the same Windows estate.

What about my Linux dual-boot, my Linux server, or my recovery USB stick with shimx64.efi on it?

This is the area where the rollover bites hardest. Most major Linux distributions are in the process of re-signing their shim under the new 2023 CA, but the timing varies by distribution. Until your distribution ships a 2023-signed shim and you have updated to that release, a 2011-only Windows device that you also boot Linux on will continue to load Linux fine. Once the 2011 CA is DBX-revoked post-June, however, any Linux ISO or recovery USB whose shim is signed only under the old CA will refuse to load. The clean answer is: keep your Windows estate on the 2023 chain, keep your Linux distributions updated, and re-create any rescue USBs after July using a current ISO. Red Hat’s February 2026 RHEL guidance article (source 14) is the cleanest rollout document on the Linux side.

Does BitLocker re-prompt for the recovery key when the 2023 CAs are applied?

In normal cases, no. The certificate update writes to DB / KEK in the firmware, which is not part of the BitLocker measured-boot calculation by default. There are edge cases where some firmware vendors include certificate-store hashes in the measured-boot chain, in which case BitLocker can re-seal — you should always have the BitLocker recovery keys exported and accessible before any UEFI-side change. Microsoft’s own guidance and the OEM advisories from ASUS and Dell (sources 11 and 12) both reinforce that the recovery key should be readily available during the rollout window, but the expected behaviour is that BitLocker does not re-prompt.

Does this affect Macs, iPads, ChromeOS or anything else that is not Windows?

No. This is a Microsoft Secure Boot certificate rotation. Apple’s Secure Boot uses Apple-rooted certificates with Apple-managed lifecycles. ChromeOS uses Google-rooted Verified Boot. iPad and iPhone use the Apple Secure Enclave and have their own attestation chain. None of those are touched by this rollover. The only crossover case is a Mac running Windows under Boot Camp on Intel hardware — in that case the Windows-side Secure Boot lives under Microsoft’s chain and does need the 2023 CA update via Windows Update like any other Windows device. ARM Macs cannot run Windows natively in this way and are not affected.

Where do I see the Secure Boot certificate status without writing PowerShell?

After the April 2026 cumulative update, open the Windows Security app on the device. There is a new Secure Boot certificate status panel that reports whether the device is on the 2011 chain, the 2023 chain, or both. For estate-wide visibility, push the equivalent check via Intune compliance policy or via a PowerShell remoting loop that runs Get-UEFICertificate on every device. Microsoft also documents the user-facing status panel in the support article ‘Secure Boot certificate update status in the Windows Security app’ (source 2 in this article’s reference list), which is the link to send to non-technical staff if you want them to self-check before a remote rollout.

If a device fails to take the 2023 chain even after multiple reboots, what is the most common cause?

In our experience and in the Microsoft IT Pro guidance, the most common causes are firmware-side: an OEM that has not yet shipped an updated UEFI release that allows the new CAs into KEK, a device with a non-Microsoft custom KEK populated by a previous OEM imaging step, or a device whose Windows Update has been administratively suspended for too long and is missing the October 2025 or January 2026 baselines. The remediation order is: update firmware to the latest OEM release, confirm the device is current on cumulative updates, then re-run the scheduled task. The Richard M. Hicks consulting write-up (source 10) and the ASUS and Dell support articles (sources 11 and 12) cover the OEM-specific edge cases in detail.

Should we wait for the June Patch Tuesday and roll out then instead of 12 May?

No, and this is the single most important operational point in this article. The 9 June Patch Tuesday lands eleven days before the 19 June expiry. That window leaves zero time to handle exceptions, OEM firmware updates, BitLocker re-prompt edge cases, or any device that fails the rollout. The 12 May Patch Tuesday gives you a five-week buffer in which to identify exceptions, work with OEMs on firmware updates, and complete the rollout in a phased manner. The Help Net Security forecast labels 12 May the last comfortable window precisely because the June window does not have enough buffer for an estate of any meaningful size.

Where this leaves the UK SME conversation in May 2026

The Secure Boot 2023 rollover is the rare estate-level change that has all of the right properties for a clean managed rollout: it is calendar-driven rather than incident-driven, the deployment paths are well documented, the verification is mechanical, and the cost is engineering time rather than licence spend. The risk profile is asymmetric — doing it on time is uneventful, doing it late is an incident. The opportunity cost of a 12 May rollout is one Tuesday afternoon and one bundle of regular CU reboots. The opportunity cost of a 19 June rollout, even if it goes well, is having a meaningful percentage of your estate on the wrong side of the DBX revocation for some unbounded number of days while your team chases exceptions in the dark.

The Cyber Essentials v3.3 angle reinforces the calendar. A2.4 evidence is reviewed at renewal, and renewals happen on the anniversary of the original certificate. If your Cyber Essentials renewal falls in summer or autumn 2026, the assessor will look for evidence that the boot security posture was maintained continuously through the rollover — not just patched up the day before the assessment. That is a different evidence pack from a one-off remediation log, and it is much easier to produce if your rollout window was 12 May rather than 19 June minus three days.

Make 12 May Patch Tuesday the day Secure Boot 2023 lands cleanly across your estate

Our IT Support team handles the inventory, the pilot ring, the broad rollout aligned to Patch Tuesday, the exception register and the Cyber Essentials v3.3 A2.4 evidence pack. For organisations also working through their Cyber Essentials v3.3 control set, the same engagement can be packaged with our Cyber Essentials consulting work to update the wider control evidence at the same time.

Plan your Secure Boot 2023 rollout

Tags:IT SupportCyber SecurityMicrosoft 365

CloudSwitched

London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.