Some Secure Boot certificates used on Windows devices begin to expire as of June 2026. Microsoft is replacing old certificates used since 2011 with new certificates dated 2023.

The update process is automatic for most users via Windows Update. However, additional processes may be required for old systems, corporate devices, servers and virtual machines.

Secure Boot acts as a security layer that allows only trusted software and components to run at computer startup. The system verifies early boot components such as bootloader and driver with digital certificates stored in the UEFI firmware.

Why are certificates renewed?

Certificates dated 2011, which have been used in the Microsoft ecosystem for a long time, are now approaching the end of their useful life. Microsoft Corporation KEK CA 2011 and Microsoft UEFI CA 2011 certifications expire in June 2026, and the Microsoft Windows Production PCA 2011 certification expires in October 2026.

These certificates play different roles in the Secure Boot chain. The KEK side is used to sign DB and DBX updates, while the DB side certificates come into play for the Windows bootloader, third-party components, and EFI applications.

This change does not mean that computers will not suddenly turn on in June 2026. Microsoft states that devices that have not been updated will continue to operate normally for a while.

However, devices that do not receive new certificates remain unprotected against new vulnerabilities to Windows Boot Manager and Secure Boot databases over time. This makes devices more vulnerable to attacks, especially those that come into play before the operating system starts.

Microsoft is gradually distributing the new 2023 certificates to supported Windows systems via Windows Update. Many Windows computers produced since 2024 come with these new certificates.

On other devices, the process continues with Windows monthly updates and BIOS/UEFI firmware updates from manufacturers. In some systems, it is necessary to first install the device manufacturer’s firmware update in order for the new certificates to be applied smoothly.

Control process for users

Home users need to make sure Windows Update is turned on and updates are not paused. On supported Windows 10 and Windows 11 systems, 2023 certificates reach users through regular channels.

Since general support for Windows 10 ends on October 14, 2025, it is important for users who want to continue receiving security updates to participate in the Extended Security Updates program. Users can check the Secure Boot status through the Windows Security application.

In the Device security section within the application, a green sign indicates that the device is protected. However, just a green sign is not enough; text indicating that certificate updates have been applied must also appear on the screen.

As a second method, you can access the System Information screen by pressing Windows + R keys and typing msinfo32. Here, the feature must be turned on in the Secure Boot State line.

Microsoft recommends not turning off Secure Boot if it is turned on, as this setting may cause updated certificates to be reset on some systems. On the corporate side, IT managers are recommended to keep track of inventory and manage the process with pilot deployments.

During the update process, rare situations such as the system not starting or the BitLocker recovery screen appearing may occur. Therefore, it is necessary to ensure that BitLocker recovery keys are accessible, especially on corporate devices.

Have you checked the Secure Boot status of your computer?