Critical Update Alert: Microsoft’s Original Secure Boot Certificates Are Expiring Soon – Here’s How to Protect Your PC
In June 2026, the original UEFI Secure Boot certificates that have protected Windows PCs since 2011 will expire. If your computer does not receive the new Windows UEFI CA 2023 certificates before the deadline, you risk entering a “degraded security state” that could block future Windows updates, prevent installation of newer operating systems, and leave your system vulnerable to boot-level attacks.
Microsoft has confirmed that while existing Windows installations will continue to run normally after the expiration, affected PCs will no longer receive critical boot-level security patches. Over time, this could cause compatibility problems with upcoming Windows versions, new hardware, and Secure Boot-dependent software.
This is not a hypothetical risk—Microsoft, Dell, HP, Lenovo, and other major OEMs have been preparing for this transition for years. Many newer PCs already ship with the updated certificates, but millions of older Windows 10 and Windows 11 devices still rely on the 2011 certificates.
Why the Secure Boot Certificate Expiration Matters in 2026
Secure Boot, introduced with Windows 8, ensures that only trusted, signed bootloaders and operating systems can load during startup. This prevents rootkits and malicious firmware from compromising the system before Windows even starts.

The original Microsoft Windows Production PCA 2011 and Microsoft UEFI CA 2011 certificates were issued over a decade ago. Like all digital certificates, they have an expiration date. Once expired:
New boot-level vulnerabilities cannot be patched on affected systems
Future Windows versions may refuse to install
Third-party Secure Boot-dependent software (e.g., some Linux distributions, virtualization tools) may fail to load
Microsoft emphasizes that the goal of this refresh is to maintain long-term security and compatibility across the Windows ecosystem.
How to Check If Your PC Has the New Windows UEFI CA 2023 Certificates
You can quickly verify your current status using built-in Windows PowerShell commands. Follow these steps:
Check the active certificate database (currently used for booting):
Open PowerShell or Windows Terminal as Administrator
Run this command:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
If it returns True → You already have the updated certificates. You’re safe.
If it returns False → Your PC is still using the 2011 certificates and needs the update.
Check the default firmware database (built into BIOS/UEFI):
Run this command:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')
True means the new certificates are permanently embedded in your firmware (common on 2024–2025 PCs).
False is normal for older systems but means you rely on Windows Update to maintain the certificates.
Confirm Secure Boot is enabled:
Press Windows + R → type msinfo32 → Enter
Look for “Secure Boot State” → it should say On
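The three checks above can be combined into one elevated PowerShell report. This is an added example, not part of the original article or Microsoft's guidance: the function and property names are illustrative, and it uses the built-in Confirm-SecureBootUEFI cmdlet in place of msinfo32. It also handles the cases where a variable cannot be read, such as a legacy BIOS boot or firmware that does not expose dbdefault.

```powershell
#Requires -RunAsAdministrator
# Added example. Function and property names are illustrative.

function Test-UefiVariableContains {
    param([string]$Name, [string]$Pattern)
    try {
        $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
    } catch {
        return $null    # variable absent, legacy BIOS, or firmware refused the read
    }
    if (-not $var.Bytes) { return $null }
    # Same technique as the one-liners above: decode the raw variable and
    # search it for the certificate's name.
    $text = [System.Text.Encoding]::ASCII.GetString($var.Bytes)
    return ($text -match [regex]::Escape($Pattern))
}

function Get-SecureBootCertReport {
    try   { $enabled = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $enabled = $null }    # the cmdlet throws on non-UEFI (legacy BIOS) systems

    $new = 'Windows UEFI CA 2023'
    $old = 'Windows Production PCA 2011'
    $db2023 = Test-UefiVariableContains -Name db -Pattern $new

    $verdict = if ($null -eq $enabled) { 'Secure Boot state unreadable (legacy BIOS boot?)' }
    elseif (-not $enabled)     { 'Secure Boot is off: turn it on before expecting the update' }
    elseif ($null -eq $db2023) { 'Could not read the active db variable' }
    elseif ($db2023)           { 'Active db already contains Windows UEFI CA 2023' }
    else                       { 'Active db lacks Windows UEFI CA 2023: update needed' }

    [pscustomobject]@{
        SecureBootEnabled = $enabled
        DbHas2023         = $db2023
        DbHas2011         = Test-UefiVariableContains -Name db -Pattern $old
        # $false here is normal on older firmware, as the article notes.
        DbDefaultHas2023  = Test-UefiVariableContains -Name dbdefault -Pattern $new
        Verdict           = $verdict
    }
}

Get-SecureBootCertReport | Format-List
```

An empty value in any field means the variable could not be read, which is different from False (read successfully, certificate not present).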
How to Get the New Secure Boot Certificates Before June 2026
For most users, Windows Update will automatically deliver the new certificates—if your system meets these conditions:
Running a supported Windows version:
Windows 11 24H2 or 25H2
Windows 10 enrolled in Extended Security Updates (ESU) – consumers can enroll for free via Microsoft’s registry-based method
Secure Boot enabled and functioning
Sufficient free NVRAM space in UEFI firmware
Additional steps if the update hasn’t arrived yet:
Install the latest BIOS/UEFI firmware update from your manufacturer:
Dell, HP, Lenovo, ASUS, and Microsoft Surface devices from 2019 onward generally have updates available
Check your manufacturer’s support site for “Secure Boot 2023 certificate” or “UEFI CA 2023” updates
For older PCs (especially original Windows 8/10 era):
Enter BIOS/UEFI setup and reset Secure Boot keys to factory defaults (this clears space in NVRAM)
Important: If BitLocker is enabled, have your recovery key ready before resetting keys
Force Windows Update to check for pending updates
Microsoft states that nearly all PCs shipped in 2025 and most 2024 models already include the new certificates out of the box. If you bought a Windows 11 PC in the last two years, you are likely already protected.
Who Needs to Act Immediately?
Owners of Windows 10 PCs not enrolled in ESU
Users with older hardware (pre-2020) that no longer receives firmware updates
Custom-built PCs or systems with third-party motherboards
If you cannot update the certificates, contact Microsoft Support for assistance. Large organizations should review Microsoft’s enterprise deployment guidance.
Final Word: Don’t Wait Until June 2026
This certificate refresh is a routine but essential security maintenance task for the entire Windows ecosystem. Acting now ensures your PC remains fully secure, updatable, and compatible with future Windows releases.
Run the PowerShell checks today. Update your BIOS if needed. Stay ahead of the June 2026 Secure Boot certificate expiration deadline—your system’s long-term security depends on it.