Microsoft Secure Boot Certificate Transition and Cigent FDE/PBA

Created by David Wolf, Modified on Tue, 26 May at 2:36 PM by David Wolf

Overview

Microsoft and hardware manufacturers are transitioning UEFI Secure Boot from the original Microsoft 2011 Secure Boot certificates to newer Microsoft 2023 Secure Boot certificates. The original Microsoft 2011 certificates begin expiring in June 2026.

The Microsoft 2011 Secure Boot certificate expiration will not cause existing systems to stop booting. According to Microsoft, systems that still rely on the 2011 certificate path will continue to start and operate normally, and standard Windows updates should continue to install.

The primary impact is security-related. Systems that do not transition to the 2023 Secure Boot certificate path may eventually be unable to receive newer early-boot security protections, including future Windows Boot Manager, Secure Boot database, revocation-list, and boot-chain vulnerability updates.

This article explains the expected impact for customers using Cigent FDE or Cigent PBA.

Impact to Cigent FDE

Cigent FDE is prepared for the Microsoft Secure Boot certificate transition beginning with Cigent FDE version 1.2.1.16.

The Cigent FDE installation package includes Microsoft-signed EFI binaries for supported Secure Boot certificate environments. During installation, Cigent FDE checks the system’s UEFI Secure Boot database and deploys the appropriate signed binary based on the certificates available on the system.

  • If the system includes the Microsoft UEFI CA 2023 certificate, Cigent FDE deploys the 2023-signed EFI binary.

  • If the system only supports the older Microsoft Corporation UEFI CA 2011 certificate path, Cigent FDE uses the supported 2011-signed binary.

The primary Cigent FDE consideration is future install and upgrade compatibility on older systems. Existing Cigent FDE deployments are not expected to be disrupted by the Microsoft Secure Boot certificate transition. However, customers should review Cigent release notes or contact Cigent Support before installing or upgrading FDE on systems that only support the Microsoft 2011 Secure Boot certificate path.

Impact to Cigent PBA

Cigent PBA runs on Ubuntu 24.04 and currently relies on a Secure Boot shim signed through the Microsoft 2011 certificate path.

Existing Cigent PBA deployments should continue booting and operating normally after the Microsoft 2011 Secure Boot certificate expiration date.

Cigent is monitoring updated third-party Secure Boot component support for the Microsoft 2023 certificate path and will provide additional guidance as vendor support becomes available.

Recommended Customer Actions

Customers do not need to take action solely to keep existing Cigent FDE or Cigent PBA systems booting because of the Microsoft 2011 Secure Boot certificate expiration.

Customers should:

  1. Keep Windows systems current with supported Windows updates.

  2. Review OEM firmware, BIOS, or UEFI updates as part of normal system maintenance, especially for older systems.

  3. For future Cigent FDE installs or upgrades, confirm whether the target systems support the Microsoft UEFI CA 2023 certificate or only the older Microsoft Corporation UEFI CA 2011 certificate path.

  4. Review Cigent release notes or contact Cigent Support before installing or upgrading Cigent FDE on systems that only support the 2011 certificate path.

  5. Continue applying supported updates for Cigent PBA systems and follow future Cigent guidance as updated third-party Secure Boot components become available.
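As an added example (not Cigent's installer code and not part of the original article), the Python sketch below shows one way to perform the check in step 3, the same kind of Secure Boot database inspection described under Impact to Cigent FDE. It walks the EFI_SIGNATURE_LIST structures in a raw db dump and looks for the two certificate names used in this article. The function names and sample data are constructed, and matching the name as a byte string inside each certificate is a simplifying assumption rather than full X.509 parsing.

```python
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification, in on-disk (little-endian) form.
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le
# Certificate names as written in this article.
CA_2011 = b"Microsoft Corporation UEFI CA 2011"
CA_2023 = b"Microsoft UEFI CA 2023"
HEADER = 28  # 16-byte type GUID + three little-endian UINT32 size fields


def x509_entries(db: bytes):
    """Yield the certificate bytes of every X.509 entry in a chain of EFI_SIGNATURE_LISTs."""
    off = 0
    while off + HEADER <= len(db):
        sig_type = db[off:off + 16]
        list_size, hdr_size, sig_size = struct.unpack_from("<III", db, off + 16)
        if list_size < HEADER or off + list_size > len(db):
            raise ValueError(f"corrupt EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + HEADER + hdr_size, off + list_size
        while sig_type == X509_GUID and sig_size > 16 and pos + sig_size <= end:
            yield db[pos + 16:pos + sig_size]  # skip the 16-byte SignatureOwner GUID
            pos += sig_size
        off = end  # hash lists and other non-X.509 types are skipped whole


def cert_path(db: bytes) -> str:
    """Return '2023', '2011-only' or 'none' for the UEFI CA names found in db."""
    certs = list(x509_entries(db))
    if any(CA_2023 in c for c in certs):
        return "2023"
    if any(CA_2011 in c for c in certs):
        return "2011-only"
    return "none"


def make_sig_list(sig_type: bytes, payload: bytes) -> bytes:
    """Build a one-entry EFI_SIGNATURE_LIST (constructed sample data, not a real certificate)."""
    sig = bytes(16) + payload  # all-zero owner GUID + stand-in certificate bytes
    return sig_type + struct.pack("<III", HEADER + len(sig), 0, len(sig)) + sig


# Constructed samples: an older system's db, and one that has received the 2023 CA.
SAMPLE_2011_DB = make_sig_list(X509_GUID, b"\x30\x82 CN=" + CA_2011)
SAMPLE_2023_DB = SAMPLE_2011_DB + make_sig_list(X509_GUID, b"\x30\x82 CN=" + CA_2023)

if __name__ == "__main__":
    print(cert_path(SAMPLE_2011_DB), cert_path(SAMPLE_2023_DB))
```

To run it against a real system, pass the raw db contents: on Windows the byte array returned by `Get-SecureBootUEFI db`, on Linux the efivarfs file `db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` with its leading 4-byte attribute field removed.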

External Resources

For Microsoft and OEM-specific deployment, monitoring, and troubleshooting guidance, customers should refer to:

Customers using non-Dell hardware should consult their device manufacturer’s equivalent Secure Boot transition guidance.

FAQ

Will my Cigent-protected system stop booting when the Microsoft 2011 Secure Boot certificates expire?

No. The Microsoft 2011 Secure Boot certificate expiration, by itself, does not cause existing systems to stop booting.

Customers should still transition to the 2023 Secure Boot certificate path where supported, because systems that remain on the older certificate path may eventually lose access to newer early-boot security protections.

Do I need to update Cigent FDE immediately?

Customers should ensure managed FDE systems are running Cigent FDE version 1.2.1.16 or later for Secure Boot certificate transition readiness.

Before upgrading Secure Boot-enabled systems that only support the 2011 certificate path, customers should review Cigent release notes or contact Cigent Support.

Does this affect Cigent PBA?

Existing Cigent PBA deployments will continue booting and operating normally. Cigent is tracking updated third-party Secure Boot component support for the Microsoft 2023 certificate path and will provide additional guidance when available.
