Follow ZDNET: Add us as a preferred source on Google.
ZDNET’s key takeaways
- Secure Boot protects modern Windows and Linux PCs.
- Microsoft Secure Boot certificates from 2011 expire in June and October 2026.
- Most PC owners are fine if they install the latest updates.
Last year’s end-of-support deadline for Windows 10 was a big test for consumers and IT pros alike. Congratulations — everyone passed! Before you start celebrating, though, pay attention to another crucial expiration date that’s arriving this week. Four crucial Microsoft security certificates are expiring, with the first one expiring today, June 24, 2026.
Microsoft has been refreshingly transparent about what it’s doing to replace these old certificates, with guidance for both consumers and enterprise customers. It also added an easy way for anyone to check the status of the certificates, using the built-in Windows Security utility. (More details on that later in this post.) Oh, and now might be a really good time to make sure you have saved a copy of your BitLocker recovery key, just in case.
This deadline is a little more complicated than the Windows 10 end-of-support date. To understand why, we need to talk about a core security feature found in every Windows PC designed and built since 2011: Secure Boot. This feature, enabled by default on new PCs sold with Windows 10 and Windows 11, acts as a gatekeeper, allowing only trusted software to run at startup. If someone tries to tamper with the operating system or boot from an alternate device, Secure Boot blocks that attempt.
Also: How to upgrade your ‘incompatible’ Windows 10 PC to Windows 11 – for free
All currently supported versions of Windows support Secure Boot, as do an increasing number of Linux distributions, including Ubuntu, Fedora, Linux Mint, OpenSUSE, and a host of others.
What’s happening to Secure Boot certificates?
Secure Boot relies on a chain of cryptographic certificates that verify each boot component’s signature. One of the most important certificates is the Key Enrollment Key (KEK), which is also sometimes called the Key Exchange Key. It sits in the UEFI firmware on every modern PC and works with the Trusted Platform Module (TPM) to manage the list of trusted bootloaders, which are contained in the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX).
The Microsoft-issued Production Certificate Authority (CA) and UEFI CA certificates are also essential to the operation of Secure Boot and also need to be updated.
Also: Microsoft is finally bringing the movable taskbar to Windows 11 – here’s who can try it now
If you bought a PC in the last 15 years, it almost certainly contains Microsoft-issued KEK and UEFI CA certificates from 2011, which are slated to expire in June 2026. To update those certificates, you need access to the root of trust — the Platform Key, which is managed by the hardware OEM.
|
*Microsoft Corporation KEK CA 2011 |
June 24, 2026 |
Microsoft Corporation KEK 2K CA 2023 |
Signs updates to the Secure Boot Signature Database and Revoked Signature Database |
|
Microsoft Windows Production PCA 2011 |
October 19, 2026 |
Windows UEFI CA 2023 |
Signs the Windows boot loader |
|
Microsoft UEFI CA 2011* |
June 27, 2026 |
Microsoft UEFI CA 2023 |
Signs third-party boot loaders and EFI applications |
|
Microsoft UEFI CA 2011* |
June 27, 2026 |
Microsoft Option ROM UEFI CA 2023 |
Signs third-party option ROMs |
Table adapted from Windows Secure Boot certificate expiration and CA updates (Microsoft Support)
* Note: Microsoft UEFI CA 2011 was replaced with two signatures, to allow organizations to trust third-party option ROMs without having to also trust third-party boot loaders.
When the Secure Boot certificates expire, they are no longer permitted to validate boot software. That is not as dire as it sounds. Your computer will still start and operate normally, but it will no longer be able to receive updates to Windows Boot Manager, Secure Boot databases and revocation lists, and fixes for newly discovered vulnerabilities in the boot chain.
You can turn off Secure Boot, but doing so means you might not be able to access disks that are encrypted using BitLocker without supplying the recovery key.
Microsoft points out that scenarios that rely on Secure Boot trust (such as BitLocker hardening, boot-level code integrity, or third-party bootloaders and Option ROMs) may also be affected if they require updated Secure Boot trust.
In 2023, Microsoft issued replacements for those Secure Boot certificates. But the whole point of the Secure Boot certificate model is that those certificates are not easy to replace — if they were, every malware developer in the world would be focusing energy on doing exactly that, creating malicious rootkits that run at startup and can’t be detected easily.
Also: Microsoft patches record 198 Windows bugs in June update – and 3 are zero days
To prepare for this mass extinction event, Microsoft and its hardware partners have been working for several years, coordinating a global series of updates designed to replace those outdated certificates with the 2023 version. Microsoft has been publishing guidance for customers for more than a year, starting in early 2025, and documented its progress in a blog post earlier this year:
Our ecosystem partners play a critical role in the transition to the new Secure Boot certificates. OEMs have been provisioning updated certificates on new devices and many newer PCs built since 2024, and almost all the devices shipped in 2025 already include the certificates and require no action from customers. OEM partners have also worked closely with our engineering teams to ensure that in-market devices can apply the updates seamlessly and have provided their own guidance to help customers prepare for the transition. As a result of that concerted effort, you might soon see a firmware update that will bring your computer’s security core into the modern era, pushing the certificate expiration dates out by another decade or more.
For most people, this process should be unobtrusive. You might already have installed the necessary updates without realizing it. Enterprise administrators have a wide range of tools for monitoring and deploying these updates, all of which are documented in the Secure Boot Playbook.for Windows Client.
For this post, I’ve assembled a list of frequently asked questions, along with authoritative answers.
Why are these certificates expiring?
Fifteen years is a long time! Security standards advance dramatically every year, and it’s normal to retire old certificates and replace them with newly issued certificates that meet modern security standards instead of becoming a point of vulnerability.
Does my PC have expiring Secure Boot certificates?
If your computer was designed and built after 2011, it includes Secure Boot certificates. Any device that was designed and built between 2012 and 2024 shipped with 2011 certificates, which expire in 2026 and must be replaced.
According to Microsoft, its OEM partners have been provisioning updated certificates on new devices since 2024. If you have a relatively new device, it probably already includes the latest certificates. Copilot+ PCs built in 2025 or later already include the 2023 certificates and don’t need an update.
Also: How to troubleshoot your PC problems with Copilot or ChatGPT – effectively
A recent Windows 11 update lets you check the status of your security certificates in the Windows Security app. Choose the Device Security page and look under the “Secure boot” heading. If you see a message that says “all required certificates have been applied,” you’re good to go.
You can now use the Windows Security app to check the status of Secure Boot certificates.
Screenshot by Ed Bott/ZDNET
You can also use PowerShell to check whether your PC has the updated certificates. Open a PowerShell window using administrator credentials and then copy the following command and paste it at the PowerShell command line:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Windows UEFI CA 2023’)
If the response is True, you’re up to date. If the response is False, you need a firmware update.
Will I automatically get an updated certificate?
If your PC was designed and built by a major OEM (Lenovo, HP, Dell, ASUS, Surface), and you are running a supported Windows version, you should receive the necessary update automatically.
According to Microsoft, “For most individuals and businesses that allow Microsoft to manage PC updates, the new certificates will be installed automatically through the regular monthly Windows update process, with no additional action required.”
Also: Yes, you can get Microsoft 365 free – here’s how
Those updates will arrive on almost all PCs running Windows 11 and on PCs running Windows 10 with an Extended Security Updates subscription. You might need a separate firmware update from the PC maker to allow the updated certificates to install.
Each OEM has a status page where you can check for updated information.
A number of these manufacturers have been shipping PCs with both sets of certificates for some time, allowing enterprise customers to choose when to switch to the new certificates.
For specialized computers, such as servers and IoT devices, you might need to download and install an update from the device maker.
What happens if I don’t update those certificates?
According to Microsoft, “When the 2011 CAs expire, Windows devices that do not have new 2023 certificates can no longer receive security fixes for pre-boot components, compromising Windows boot security…. Without updates, the Secure Boot-enabled Windows devices risk not receiving security updates or trusting new boot loaders, which will compromise both serviceability and security.”
I have a Mac. Do I need to worry about this?
No.
I have a PC running Linux. Do I need to worry about this?
If you’re dual-booting Linux with Windows, Microsoft says it will update the certificates that Linux relies on.
If you’ve wiped Windows completely, you might not get the latest security updates automatically. You can contact the company that built your PC to see if there’s a manual update, or you can turn Secure Boot off. Aside from seeing a scary red padlock on the boot screen, everything else will work as expected.
I built my own PC. Where are my updates?
Talk to the manufacturer of your motherboard. There might be an update, but depending on your PC’s age, the motherboard manufacturer might not offer one. You can turn off Secure Boot, and Windows will still start up. If BitLocker is enabled, you might need to provide the recovery key to access the data on that disk.
Also: How to find your BitLocker recovery key – and save a secure backup copy before it’s too late
When will the new certificates expire?
The 2023 certificates have expiration dates 15 years later, in 2038. The one exception is the Windows UEFI CA 2023, which will expire in June 2035. That means we’ll have to go through this dance again in less than a decade.
Where can I get more information or help?
The official Microsoft FAQ page is here: Secure Boot Certificate Update FAQ. If you run into issues on an unmanaged PC in a home or small office, check with the PC maker or contact Microsoft for support. Enterprise administrators can use commercial support channels.
