Windows Secure Boot certificates from 2011 expire in June 2026 — here's what to do

At a glance:

  • Microsoft-issued Secure Boot certificates from 2011 are set to expire in June 2026, affecting PCs built since 2011; 2023 replacements are rolling out now.
  • Most users will receive updated certificates automatically via Windows Update or a firmware push from their OEM (Lenovo, HP, Dell, ASUS, Surface), but DIY PC builders should check with their motherboard maker.
  • You can verify your status in the Windows Security app or via a PowerShell command; Copilot+ PCs built in 2025 or later already include the 2023 certificates.

What is expiring and why it matters

Every Windows PC designed and built since 2011 supports a feature called Secure Boot. This feature, which is on by default on new PCs sold with Windows 10 and Windows 11, acts as a gatekeeper that allows only trusted software to run at startup. If someone tampers with the boot files or tries to start an unsigned bootloader from another device, Secure Boot blocks the attempt. Secure Boot relies on a chain of cryptographic certificates that verify each boot component's signature. One of the most important is the Key Exchange Key (KEK), which is stored in UEFI firmware variables and authorizes changes to the list of trusted signers and bootloaders in the Allowed Signature Database (db) and to the block list in the Forbidden Signature Database (dbx). The Microsoft-issued Windows Production CA and UEFI CA certificates, which live in db and sign the bootloaders themselves, are equally essential to the operation of Secure Boot and need to be updated periodically.

The problem is that PCs bought in the last 15 years almost certainly contain Microsoft-issued KEK and UEFI CA certificates from 2011. Those certificates are slated to expire in June 2026. Expiration does not make the firmware reject boot components that were signed while the certificates were valid, so your computer will still start and operate normally. What changes is that Microsoft can no longer use the expired CAs to sign anything new, so a PC without the 2023 certificates will no longer be able to receive updates to Windows Boot Manager, Secure Boot databases and revocation lists, or fixes for newly discovered vulnerabilities in the boot chain. Microsoft points out that scenarios that rely on Secure Boot trust, such as BitLocker hardening, boot-level code integrity, or third-party bootloaders and Option ROMs, may also be affected if they require updated Secure Boot trust.

In 2023, Microsoft issued replacements for those Secure Boot certificates. But the whole point of the Secure Boot certificate model is that those certificates are not easy to replace — if they were, every malware developer in the world would be focusing energy on doing exactly that, creating malicious rootkits that run at startup and can't be detected easily. To prepare for this transition, Microsoft and its hardware partners have been working for several years, coordinating a global series of updates designed to replace those outdated certificates with the 2023 version.

How to check whether your PC needs an update

Microsoft has made it straightforward to see whether your machine already has the updated certificates. A recent Windows 11 update allows you to look in the Windows Security app. Choose the Device Security page and look under the "Secure boot" heading. If you see a message that says "all required certificates have been applied," you're good to go.

You can also use PowerShell to check whether your PC has the updated certificates. Open a PowerShell window using administrator credentials and then copy the following command and paste it at the PowerShell command line:

([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

If the response is True, the Windows UEFI CA 2023 certificate is already in your db and you're up to date. If the response is False, the 2023 certificates have not been installed yet: the update may still be on its way through Windows Update, or your PC may first need a firmware update from its maker. Note that this one-liner only checks db for the Windows signing certificate; it does not confirm that the KEK has been updated as well.
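As an added example (not code from the article or from Microsoft), the following PowerShell script goes one step beyond the one-line string match above: it parses the EFI_SIGNATURE_LIST structures stored in the KEK and db variables, turns each entry into an X.509 certificate object, and prints every CA with its expiry date alongside a present/missing verdict for the 2023 CAs. The function and variable names are assumed for this example; the 2023 subject names other than "Windows UEFI CA 2023" (the KEK 2K CA, the Microsoft UEFI CA and the Option ROM UEFI CA) are the ones Microsoft publishes for the new certificates and are not mentioned in the article. It assumes an elevated PowerShell session on a UEFI system with Secure Boot available.

```powershell
# Added example, not from the article or from Microsoft. Enumerates the X.509
# certificates in the Secure Boot KEK and db variables and reports which of the
# Microsoft 2023 CAs are present, together with every certificate's NotAfter date.
# Assumes an elevated PowerShell session on a UEFI system; Get-SecureBootUEFI is
# part of the built-in SecureBoot module.
#Requires -RunAsAdministrator

# GUID that tags an EFI_SIGNATURE_LIST whose entries are DER-encoded X.509 certificates.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificate {
    # Walk the chain of EFI_SIGNATURE_LIST structures in a Secure Boot variable
    # and return every X.509 certificate it contains as an X509Certificate2.
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)

    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset -lt $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType (16-byte GUID), then
        # SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32, little-endian).
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { throw "Malformed signature list in $Name at offset $offset" }

        if ($type -eq $EfiCertX509Guid) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while (($pos + $sigSize) -le $end) {
                # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by the DER certificate.
                $der = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $pos += $sigSize
            }
        }
        # Lists of other types (for example SHA-256 hashes in dbx) are skipped.
        $offset += $listSize
    }
}

function Test-SecureBoot2023Certificates {
    # Subject names Microsoft publishes for the 2023 CAs, keyed by the variable they belong in.
    $expected = [ordered]@{
        KEK = @('Microsoft Corporation KEK 2K CA 2023')
        db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
    }
    foreach ($var in $expected.Keys) {
        $certs = @(Get-SecureBootCertificate -Name $var)
        foreach ($cert in $certs) {
            # Show each CA with its expiry so the 2011 (June 2026) and 2023 entries sit side by side.
            '{0,-4} {1,-45} expires {2:yyyy-MM-dd}' -f $var, $cert.GetNameInfo('SimpleName', $false), $cert.NotAfter
        }
        foreach ($cn in $expected[$var]) {
            $present = $certs | Where-Object { $_.Subject -match [regex]::Escape($cn) }
            '{0,-4} {1,-45} {2}' -f $var, $cn, $(if ($present) { 'PRESENT' } else { 'MISSING' })
        }
    }
}

Test-SecureBoot2023Certificates
```

Run it from an elevated PowerShell prompt. A PC that still has only the 2011 certificates shows the Microsoft Corporation KEK CA 2011, Microsoft Windows Production PCA 2011 and Microsoft Corporation UEFI CA 2011 entries expiring in 2026 and every 2023 line marked MISSING; a fully updated PC shows both generations with the 2023 lines marked PRESENT. On a legacy BIOS system or a VM without UEFI, Get-SecureBootUEFI throws an error rather than returning data, which is itself the answer: there is no Secure Boot database to update.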

According to Microsoft, if your PC was designed and built by a major OEM — Lenovo, HP, Dell, ASUS, Surface — and you are running a supported Windows version, you should receive the necessary update automatically. "For most individuals and businesses that allow Microsoft to manage PC updates, the new certificates will be installed automatically through the regular monthly Windows update process, with no additional action required," Microsoft says. Those updates will arrive on almost all PCs running Windows 11 and on PCs running Windows 10 with an Extended Security Updates subscription. You might need a separate firmware update from the PC maker to allow the updated certificates to install.

What OEMs are doing and where to track progress

Microsoft has documented ecosystem progress in a new blog post. OEMs have been provisioning the updated certificates on new devices: many PCs built since 2024 and almost all devices shipped in 2025 already include the certificates and require no action from customers. OEM partners have also worked closely with Microsoft's engineering teams to ensure that in-market devices can apply the updates seamlessly, and have provided their own guidance to help customers prepare for the transition.

Each OEM has a status page where you can check for updated information:

  • Dell: Secure Boot Transition FAQ
  • HP: Prepare for new Windows Secure Boot certificates
  • Lenovo: Secure Boot Certificate Expiration Guide (2011 to 2023)
  • ASUS (PCs): Windows Secure Boot certificate expiration and certificate updates
  • ASUS (motherboards): Windows Secure Boot certificate expiration and certificate updates
  • Microsoft Surface: Surface Secure Boot Certificates

A number of these manufacturers have been shipping PCs with both sets of certificates for some time, allowing enterprise customers to choose when to switch to the new certificates. For specialized computers, such as servers and IoT devices, you might need to download and install an update directly from the device maker.

What happens if you don't update

According to Microsoft, "When the 2011 CAs expire, Windows devices that do not have new 2023 certificates can no longer receive security fixes for pre-boot components, compromising Windows boot security.... Without updates, the Secure Boot-enabled Windows devices risk not receiving security updates or trusting new boot loaders, which will compromise both serviceability and security."

Leaving the old certificates in place does not stop the PC from booting, so turning off Secure Boot is not required. If you do turn it off, be aware that BitLocker binds its TPM-protected key to the measured boot configuration, which includes the Secure Boot state, so you won't be able to unlock disks that are encrypted using BitLocker without supplying the recovery key. Microsoft recommends checking the official Microsoft FAQ page for more details. If you run into issues on an unmanaged PC in a home or small office, check with the PC maker or contact Microsoft for support. Enterprise administrators can use commercial support channels.

Mac and Linux users

If you have a Mac, you don't need to worry about this — Apple manages its own Secure Boot chain independently. If you have a PC running Linux, the situation depends on your setup. If you're dual-booting Linux with Windows, Microsoft says it will update the certificates that Linux relies on. If you've wiped Windows completely, you might not get the latest security updates automatically. You can contact the company that built your PC to see if there's a manual update, or you can turn Secure Boot off. Aside from seeing a scary red padlock on the boot screen, everything else will work as expected.

All currently supported versions of Windows support Secure Boot, as do an increasing number of Linux distributions, including Ubuntu, Fedora, Linux Mint, openSUSE, and a host of others.

DIY PC builders and what to watch next

If you built your own PC, the path to updated certificates is less automatic. Talk to the manufacturer of your motherboard. There might be an update, but depending on your PC's age, the motherboard manufacturer might not offer one. You can turn off Secure Boot, and Windows will still start up. If BitLocker is enabled, you might need to provide the recovery key to access the data on that disk.

The 2023 certificates have expiration dates 15 years later, in 2038. The one exception is the Windows UEFI CA 2023, which will expire in June 2035. That means we'll have to go through this dance again in less than a decade. For now, the priority is making sure your machine receives the 2023 certificates before the June 2026 deadline. Microsoft has said that the updates installing the new certificates, whose expiration dates are a decade or more out, should be unobtrusive for most users; you might already have installed the necessary updates without realizing it.

Copilot+ PCs built in 2025 or later already include the 2023 certificates and don't need an update. Last year's end-of-support deadline for Windows 10 was a big test for consumers and IT pros alike, and everyone passed. The June 2026 certificate expiration is the next item on the calendar — and, as with the Windows 10 transition, the best approach is to check your status now and let the update process do its work.

Editorial: SiliconFeed is an automated feed; facts are checked against sources, and copy is normalized and lightly edited for readers.

FAQ

How do I check if my PC has the updated Secure Boot certificates?
Open the Windows Security app, go to Device Security, and look under the 'Secure boot' heading — if it says 'all required certificates have been applied,' you're up to date. Alternatively, open PowerShell as an administrator and run: ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'). If the result is True, your PC has the 2023 certificates.
Will I get the updated certificates automatically, or do I need to do something?
If your PC was built by a major OEM — Lenovo, HP, Dell, ASUS, or Surface — and you're running a supported version of Windows, the certificates should install automatically through the regular monthly Windows Update process, with no additional action required. You might also receive a separate firmware update from your PC maker. Copilot+ PCs built in 2025 or later already include the 2023 certificates.
What happens if I don't update the certificates before June 2026?
Your PC will still start and run normally, but it will no longer receive updates to Windows Boot Manager, Secure Boot databases, revocation lists, or fixes for newly discovered boot-chain vulnerabilities. Scenarios that rely on Secure Boot trust — such as BitLocker hardening and boot-level code integrity — may also be affected. You can turn off Secure Boot, but then you won't be able to access BitLocker-encrypted disks without the recovery key.
