Microsoft Secure Boot Certificates Expire June 26: The 75-Day Countdown Saudi Bank CISOs Cannot Ignore

Microsoft's 2011-era Secure Boot certificates expire June 26, 2026 — and Windows Server won't update itself. Saudi financial institutions have 75 days to act before losing boot-level protection, BitLocker hardening, and SAMA CSCC compliance posture.

FyntraLink Team

On June 26, 2026 — 75 days from today — three Microsoft Secure Boot certificates that have underpinned the boot-time security of every Windows device since 2011 will begin to expire. For Saudi financial institutions running Windows Server infrastructure, this is not an automatic update. It is a manual intervention deadline, and missing it silently degrades the security posture of your most critical servers: core banking systems, SWIFT gateways, Active Directory domain controllers, and HSM management hosts.

What Is Expiring and Why It Matters

The three certificates at the center of this deadline are the Microsoft Corporation KEK CA 2011, the Microsoft Windows Production PCA 2011, and the Microsoft Corporation UEFI CA 2011. Together, these form the chain of trust that UEFI firmware uses during the pre-OS boot sequence to verify that the bootloader, Windows Boot Manager, and kernel modules have not been tampered with.

When these certificates expire, Windows devices that have not received the replacement 2023 CA certificates will lose the ability to receive future Secure Boot security updates. More critically, they will stop trusting third-party UEFI drivers and bootloaders signed with the new certificates — including updated BitLocker protections, anti-tamper mitigations, and revocation list updates designed to block known bootkit families such as BlackLotus, CosmicStrand, and MoonBounce.

In plain terms: an unpatched server after June 26 cannot receive new boot-level security protections. Any bootkit or UEFI implant that Microsoft discovers and revokes after that date will remain valid on your machines. The Secure Boot chain of trust — a foundational control in every modern endpoint hardening framework — becomes a frozen artifact rather than a living defense.

The Critical Difference: PCs vs. Windows Server

Microsoft began distributing the replacement 2023 Secure Boot CA certificates to Windows 10 and Windows 11 PCs through its Controlled Feature Rollout (CFR) mechanism, embedded in the standard monthly cumulative update process. For most managed corporate laptops and workstations that are current on patches, the transition happens largely invisibly.

Windows Server is different. Whether running Windows Server 2019, 2022, or 2025, the new Secure Boot certificates are not distributed automatically. IT teams must install the 2023 CA certificates manually — through Group Policy, a dedicated Windows Update catalog package, or a scripted deployment — before the June 2026 expiration window. Microsoft has published a dedicated playbook in its Windows Server Tech Community blog, and Dell has released a Secure Boot Transition FAQ with OEM-specific guidance, but the responsibility for scheduling and executing that deployment sits entirely with the enterprise.

For Saudi financial institutions, where change management windows are tightly governed, where change advisory board (CAB) meetings require three to four weeks of advance notice, and where production server reboots on core banking systems are coordinated with vendor support teams, 75 days is not a long runway. Scheduling should begin this week.

Impact on Saudi Financial Institutions Under SAMA and NCA Frameworks

The SAMA Cyber Security Framework (CSCC) Domain 2.3 (Cybersecurity Risk Management) requires member organizations to maintain timely remediation of vulnerabilities and to ensure that security controls remain effective across their full asset inventory. An unpatched expiration of a root-of-trust certificate is precisely the category of deferred-maintenance risk that SAMA examiners scrutinize during onsite assessments — not because it constitutes an active breach, but because it represents a documented, publicly disclosed control gap that the organization chose not to address within the vendor's announced timeline.

Under NCA ECC Control 2-3-3 (Security Patches and Updates Management), critical and high-severity patches must be applied within defined SLA windows. While certificate renewals do not carry a traditional CVE score, the NCA's interpretation of "security-impacting updates" extends to configuration changes that preserve the integrity of security controls — which Secure Boot certificate updates clearly are.

There is also a PDPL dimension. Saudi organizations that use BitLocker for at-rest encryption of drives containing personal data — an increasingly common practice given PDPL's Article 19 obligations around data protection by design — rely on Secure Boot to enforce BitLocker's pre-boot integrity measurement policy. If Secure Boot's chain of trust degrades, BitLocker's hardened configuration mode (which ties drive encryption to PCR measurements) becomes less reliable. This is not theoretical; it is documented in Microsoft's own advisory language.

Practical Steps for Saudi Banks and Financial Institutions

  1. Inventory all Windows Server instances immediately. Include physical hosts, VMs, Azure Stack HCI nodes, and any Windows Server running in hybrid cloud environments. Identify each server's current Secure Boot certificate status using Confirm-SecureBootUEFI and the Windows Security app's "Secure Boot certificate update status" screen introduced in recent cumulative updates.
  2. Download the 2023 CA update package from the Microsoft Update Catalog. The relevant KB article references the replacement certificates for KEK, PCA, and UEFI CA. Validate the SHA-256 hash of the downloaded package before deployment.
  3. Test in a staging environment that mirrors your production firmware configuration. UEFI firmware from different OEM vendors — Dell, HPE, Lenovo, Cisco UCS — implements Secure Boot differently. A certificate update that applies cleanly on one hardware generation may require a firmware update prerequisite on another.
  4. Raise a change request with your CAB this week. Target a production deployment window no later than June 1, 2026, leaving three weeks of buffer before the deadline. Server reboots will be required to complete certificate enrollment.
  5. Coordinate with core banking and SWIFT vendors. If your core banking application, SWIFT Alliance Access, or HSM management software interacts with the UEFI layer or relies on measured boot attestation, notify your vendor before the update and confirm compatibility with the new certificate chain.
  6. Update your vulnerability management register and ISMS documentation. Record this activity as a planned security control maintenance action, referencing Microsoft's advisory and your SAMA CSCC control mapping. This documentation protects you during regulatory examinations.
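The following PowerShell is an added example, not FyntraLink's or Microsoft's own tooling, showing how steps 1 and 2 can be run from a jump host against a list of Windows Servers: it uses Confirm-SecureBootUEFI to confirm Secure Boot is on, reads the KEK and db variables with Get-SecureBootUEFI to see whether the 2023 CAs have been enrolled, and verifies the catalog package hash with Get-FileHash. It assumes WinRM remoting is enabled and the caller has local administrator rights on every target; the server names and the expected hash are constructed placeholders, and the 2023 CA subject strings are the ones Microsoft documents for the KEK and db updates.

```powershell
# Added example (not the page's or Microsoft's code): inventory Secure Boot
# certificate state across servers and verify the update package hash.
# Assumes PowerShell remoting (WinRM) and local admin rights on each target.

$Servers = @('CBS-APP01', 'SWIFT-GW01', 'DC01')   # constructed sample inventory

# Subject names Microsoft uses for the replacement 2023 certificates.
$Expected = @{
    KEK = 'Microsoft Corporation KEK 2K CA 2023'
    DB  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023')
}

$CheckBlock = {
    param($Expected)
    $result = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        SecureBootOn   = $null
        Kek2023Present = $false
        Db2023Present  = $false
        Db2011Present  = $false
        Error          = $null
    }
    try {
        # Confirm-SecureBootUEFI throws on legacy BIOS/CSM machines, so it is guarded.
        $result.SecureBootOn = Confirm-SecureBootUEFI

        # Get-SecureBootUEFI returns the raw variable bytes. The X.509 subject
        # names sit as ASCII inside the DER blobs, so a substring match is
        # enough to tell whether the 2023 CAs have been enrolled.
        $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)

        $result.Kek2023Present = $kek -match [regex]::Escape($Expected.KEK)
        $result.Db2023Present  = @($Expected.DB | Where-Object { $db -match [regex]::Escape($_) }).Count -gt 0
        # The expiring 2011 PCA is expected to remain present; it is reported for context only.
        $result.Db2011Present  = $db -match 'Microsoft Windows Production PCA 2011'
    } catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

$report = Invoke-Command -ComputerName $Servers -ScriptBlock $CheckBlock `
    -ArgumentList $Expected -ErrorAction Continue

# Servers that still need the 2023 update: Secure Boot is on but KEK or db lacks the new CAs.
$report |
    Where-Object { $_.SecureBootOn -and -not ($_.Kek2023Present -and $_.Db2023Present) } |
    Select-Object ComputerName, Kek2023Present, Db2023Present, Db2011Present, Error |
    Format-Table -AutoSize

# Keep the full result as evidence for the ISMS / risk register (step 6).
$report | Export-Csv -Path .\SecureBoot-Inventory.csv -NoTypeInformation

# Step 2: verify the downloaded catalog package against the SHA-256 published
# with it before it is staged for deployment. The hash below is a placeholder.
function Test-PackageHash {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$ExpectedSha256
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        throw "Hash mismatch for ${Path}: expected $ExpectedSha256, got $actual"
    }
    return $true
}

# Example call with a placeholder hash (replace with the value from the catalog page):
# Test-PackageHash -Path '.\SecureBootUpdate.msu' -ExpectedSha256 '<PUBLISHED-SHA256-PLACEHOLDER>'
```

Rows where SecureBootOn is false or Error is populated are the candidates for the "older devices" exception process described below: they either boot in legacy mode or run firmware on which the UEFI variables cannot be read, and need a firmware update or a documented compensating control rather than the certificate package alone.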

Older Devices: A Harder Problem

Not every device in a financial institution's inventory will support the certificate update. Servers or workstations with outdated OEM firmware — particularly older Dell PowerEdge, HPE ProLiant, or IBM systems no longer receiving firmware support — may be unable to enroll the new 2023 CA certificates even after the Windows-level update is applied. For these machines, the realistic path is hardware refresh before June 2026 or network segmentation that limits their exposure post-expiration. Document each exception formally in your risk register with compensating controls clearly stated.

Conclusion

The June 26 Secure Boot certificate deadline is not a zero-day. It is a scheduled transition with 75 days of notice, clear vendor guidance, and a well-understood remediation path. For Saudi financial institutions, acting now means protecting the boot-time integrity of your most sensitive servers, preserving SAMA CSCC and NCA ECC compliance posture, and ensuring BitLocker-backed PDPL data protection remains robust. Waiting until June means emergency change requests, compressed testing windows, and the real possibility of missing the deadline entirely on servers that require OEM firmware updates as a prerequisite.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment. Our team can help you inventory your Secure Boot status, map remediation tasks to your existing CSCC control framework, and coordinate your patch deployment timeline to meet the June 26 deadline without disrupting critical financial operations.