
Navigating the Microsoft UEFI Certificate Transition for Encrypted Devices

For over a decade, the 2011 Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA) has served as the bedrock of trust for the boot process on millions of devices. However, this era is coming to an end.

Microsoft’s 2011 certificates, which are still in frequent use, are scheduled to expire in late June 2026. For technology leaders, this is a critical infrastructure milestone. If your organization relies on full disk encryption, understanding and acting on this transition is essential to preventing widespread potential outages when the expired certificates are no longer trusted.

The risks of inaction

The UEFI CA is responsible for validating the boot process. As Microsoft transitions to the new 2023 UEFI CA standard, failure to align your encrypted endpoints with this change carries significant risks:

  • System boot failures: Devices that still rely on the 2011 certificate after the trust is revoked will fail to boot.
  • Loss of security fixes: Systems without the 2023 certificate will be unable to receive future Secure Boot updates and security fixes.
  • New hardware incompatibility: Newer hardware may ship without the 2011 certificates entirely, making it necessary to ensure your full disk encryption products are compatible with the newest certificate to secure your devices.

Keep in mind that while an expired UEFI certificate is a routine retirement that won't disrupt your system boot on its own, a revoked certificate will cause an immediate boot failure. Thankfully, no revocations are happening right now. Revocation is typically triggered when the security of a certificate has been compromised.

Since it is unclear exactly when Microsoft and Windows hardware vendors might begin revoking the expired certificates, organizations can take steps now to ensure that they are prepared to meet the new standards and continue to receive vital security updates.

Trellix’s proactive solution: Drive Encryption 8.1.1

To address this industry-wide shift, Trellix has released Trellix Drive Encryption (TDE) 8.1.1, which is now available for both on-premises and SaaS deployments.

TDE 8.1.1 offers critical updates to protect your environment and ensure your successful upgrade to 2023 CA. This includes built-in safety checks that will intentionally abort installation if the required UEFI CA 2023 certificates are not detected in the Secure Boot database, and a rollback process via our management platform, Trellix ePO, in the event of a failure. Notably, this change applies only to UEFI Secure Boot. Systems running in Legacy BIOS mode are unaffected.

Important action is needed

While Microsoft manages updates for many consumer devices, enterprise leaders cannot rely solely on automatic updates, especially for organizations that manage their own device updates. We recommend that organizations undertake the following steps as soon as possible.

  1. Inventory your devices: Trellix offers a custom tool, the Trellix ePO Endpoint Deployment Kit (EEDK), that you can deploy across on-premises systems to gather information on which certificates each device trusts. Alternatively, you can use Microsoft’s sample scripts to identify which certificates are currently present on your endpoints.
  2. Update firmware: Apply the latest firmware updates from the hardware vendor to ensure that Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 are present.
  3. Upgrade TDE: Move to version 8.1.1 or later as soon as possible. While devices with expired certificates are expected to continue booting for now, we don’t know when that might change or how soon those devices might need important security updates.
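As an added illustration of the inventory step (this is example code, not the Trellix EEDK tool or Microsoft’s sample script), the following PowerShell reads the Secure Boot db on an endpoint and reports which Microsoft UEFI CAs it trusts. The two 2023 CA names are taken from step 2 above; the remaining CA subject strings are assumed from Microsoft’s public Secure Boot documentation, and the script must run elevated on a UEFI system.

```powershell
# Added example: inventory which Microsoft UEFI CAs the Secure Boot 'db'
# on this endpoint trusts. Run from an elevated PowerShell on a UEFI system.
# 'Microsoft UEFI CA 2023' and 'Microsoft Option ROM UEFI CA 2023' are the
# names given in the blog; the other subject strings are assumed from
# Microsoft's public Secure Boot documentation.

$Cas2023 = @(
    'Microsoft UEFI CA 2023',            # third-party signers (named in the blog)
    'Microsoft Option ROM UEFI CA 2023', # option ROMs (named in the blog)
    'Windows UEFI CA 2023'               # Windows boot manager (assumed name)
)
$Cas2011 = @(
    'Microsoft Corporation UEFI CA 2011',    # expiring third-party CA (assumed name)
    'Microsoft Windows Production PCA 2011'  # expiring Windows CA (assumed name)
)

function Get-SecureBootDbText {
    # Legacy BIOS systems have no Secure Boot variables; the transition does
    # not apply to them, so report 'not applicable' instead of failing.
    try {
        if (-not (Confirm-SecureBootUEFI)) { return $null }
    } catch {
        return $null
    }
    # 'db' is a packed EFI_SIGNATURE_LIST; the CA subject names are ASCII
    # inside the DER certificates, so a string search suffices for inventory.
    $bytes = (Get-SecureBootUEFI -Name db).Bytes
    return [System.Text.Encoding]::ASCII.GetString($bytes)
}

$dbText = Get-SecureBootDbText
if ($null -eq $dbText) {
    Write-Output 'Secure Boot is off or the system is in Legacy BIOS mode: the CA transition does not apply.'
    return
}

# One row per CA so the result can be exported or collected fleet-wide.
$report = foreach ($ca in ($Cas2023 + $Cas2011)) {
    [pscustomobject]@{ Certificate = $ca; TrustedInDb = ($dbText -match [regex]::Escape($ca)) }
}
$report | Format-Table -AutoSize

# TDE 8.1.1 aborts installation when the 2023 CAs are missing, so flag that case explicitly.
$missing = $Cas2023 | Where-Object { $dbText -notmatch [regex]::Escape($_) }
if ($missing) {
    Write-Output "Apply the vendor firmware update before upgrading TDE; missing: $($missing -join ', ')"
} else {
    Write-Output 'All 2023 UEFI CAs are present; this endpoint is ready for the TDE 8.1.1 upgrade.'
}
```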

Accelerate your deployment with Trellix expert professionals

Many technology teams are already overburdened by day-to-day activities. Managing firmware updates and certificate migrations across a global fleet is a complex task that leaves little room for error. And with a hard deadline looming for this important upgrade, teams may face resource constraints that could hinder their ability to complete this upgrade on time.

Trellix Professional Services is ready to assist. Our experts can guide your organization through the assessment and deployment phases of the upgrade, supporting the transition. By leveraging our services, you can reduce the risk of system failures and ensure your team stays focused on higher-priority initiatives.

Don't wait until June 2026. If you are a Trellix Drive Encryption customer, begin the upgrade process ASAP. Take a look at our Knowledge Base article to make the necessary certificate updates and upgrade your encryption protection. And be sure to contact your account team if you want to engage a Trellix Professional Services expert to guide your implementation.
