Follow ZDNET: Add us as a preferred source on Google.

ZDNET’s key takeaways

• Secure Boot protects modern Windows and Linux PCs.
• Microsoft Secure Boot certificates from 2011 expire in June 2026.
• Most PC owners are fine if they install the latest updates.

Last year’s end-of-support deadline for Windows 10 was a big test for consumers and IT pros alike. The good news is, everyone passed! The bad news is, there’s another crucial expiration date right around the corner.

Every Windows PC designed and built since 2011 supports a feature called Secure Boot. This feature, which is on by default on new PCs sold with Windows 10 and Windows 11, acts as a gatekeeper that allows only trusted software to run at startup. If someone tries to tamper with the operating system or boot from an alternate device, Secure Boot blocks that attempt.

Also: How to upgrade your ‘incompatible’ Windows 10 PC to Windows 11 – for free

All currently supported versions of Windows support Secure Boot, as do an increasing number of Linux distributions, including Ubuntu, Fedora, Linux Mint, OpenSUSE, and a host of others.

What’s happening to Secure Boot certificates?

Secure Boot relies on a chain of cryptographic certificates that verify each boot component’s signature. One of the most important certificates is the Key Exchange Key (KEK), which sits in the UEFI firmware and works with the Trusted Platform Module (TPM) to manage the list of trusted bootloaders, which are contained in the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX). 

The Microsoft-issued Production Certificate Authority (CA) and UEFI CA certificates are also essential to the operation of Secure Boot and also need to be updated.

If you bought a PC in the last 15 years, it almost certainly contains Microsoft-issued KEK and UEFI CA certificates from 2011, which are slated to expire in June 2026. To update those certificates, you need access to the root of trust — the Platform Key, which is managed by the hardware OEM.

Also: After setting up Windows 11, these 9 steps are non-negotiable for me

When the Secure Boot certificates expire, they are no longer permitted to validate boot software. Your computer will still start and operate normally, but it will no longer be able to receive updates to Windows Boot Manager, Secure Boot databases and revocation lists, and fixes for newly discovered vulnerabilities in the boot chain. 

You can turn off Secure Boot, but doing so means you won’t be able to access disks that are encrypted using BitLocker without supplying the recovery key.

Microsoft points out that scenarios that rely on Secure Boot trust (such as BitLocker hardening, boot-level code integrity, or third-party bootloaders and Option ROMs) may also be affected if they require updated Secure Boot trust.

In 2023, Microsoft issued replacements for those Secure Boot certificates. But the whole point of the Secure Boot certificate model is that those certificates are not easy to replace — if they were, every malware developer in the world would be focusing energy on doing exactly that, creating malicious rootkits that run at startup and can’t be detected easily.

To prepare for this mass extinction event, Microsoft and its hardware partners have been working for several years, coordinating a global series of updates designed to replace those outdated certificates with the 2023 version. Microsoft has documented progress in a new blog post:

Our ecosystem partners play a critical role in the transition to the new Secure Boot certificates. OEMs have been provisioning updated certificates on new devices and many newer PCs built since 2024, and almost all the devices shipped in 2025 already include the certificates and require no action from customers. OEM partners have also worked closely with our engineering teams to ensure that in-market devices can apply the updates seamlessly and have provided their own guidance to help customers prepare for the transition. As a result of that concerted effort, you might soon see a firmware update that will bring your computer’s security core into the modern era, pushing the certificate expiration dates out by another decade or more.

For most people, this process should be unobtrusive. You might already have installed the necessary updates without realizing it.

For this post, I’ve assembled a list of frequently asked questions, along with authoritative answers.

Why are these certificates expiring?

Fifteen years is a long time! Security standards advance dramatically every year, and it’s normal to retire old certificates and replace them with newly issued certificates that meet modern security standards instead of becoming a point of vulnerability.

Does my PC have expiring Secure Boot certificates?

If your computer was designed and built after 2011, it includes Secure Boot certificates. Any device that was designed and built before 2024 probably has a 2011 certificate, which is about to expire.

According to Microsoft, its OEM partners have been provisioning updated certificates on new devices since 2024. If you have a relatively new device, it probably already includes the latest certificates. Copilot+ PCs built in 2025 or later already include the 2023 certificates and don’t need an update.

Also: My top six Windows 12 predictions – including its most likely release date

A recent Windows 11 update allows you to look in the Windows Security app to check the status of your security certificates. Choose the Device Security page and look under the “Secure boot” heading. If you see a message that says “all required certificates have been applied,” you’re good to go.

You can also use PowerShell to check whether your PC has the updated certificates. Open a PowerShell window using administrator credentials and then copy the following command and paste it at the PowerShell command line:

([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Windows UEFI CA 2023’)

If the response is True, you’re up to date. If the response is False, you need a firmware update.

Will I get an updated certificate automatically?

If your PC was designed and built by a major OEM (Lenovo, HP, Dell, ASUS, Surface), and you are running a supported Windows version, you should receive the necessary update automatically. 

According to Microsoft, “For most individuals and businesses that allow Microsoft to manage PC updates, the new certificates will be installed automatically through the regular monthly Windows update process, with no additional action required.” 

Also: Yes, you can get Microsoft 365 free – here’s how

Those updates will arrive on almost all PCs running Windows 11 and on PCs running Windows 10 with an Extended Security Updates subscription. You might need a separate firmware update from the PC maker to allow the updated certificates to install.

Each OEM has a status page where you can check for updated information.

A number of these manufacturers have been shipping PCs with both sets of certificates for some time, allowing enterprise customers to choose when to switch to the new certificates. 

For specialized computers, such as servers and IoT devices, you might need to download and install an update from the device maker.

What happens if I don’t update those certificates?

According to Microsoft, “When the 2011 CAs expire, Windows devices that do not have new 2023 certificates can no longer receive security fixes for pre-boot components, compromising Windows boot security…. Without updates, the Secure Boot-enabled Windows devices risk not receiving security updates or trusting new boot loaders, which will compromise both serviceability and security.”

I have a Mac. Do I need to worry about this?

No.

I have a PC running Linux. Do I need to worry about this?

If you’re dual-booting Linux with Windows, Microsoft says it will update the certificates that Linux relies on.

If you’ve wiped Windows completely, you might not get the latest security updates automatically. You can contact the company that built your PC to see if there’s a manual update, or you can turn Secure Boot off. Aside from seeing a scary red padlock on the boot screen, everything else will work as expected.

I built my own PC. Where are my updates?

Talk to the manufacturer of your motherboard. There might be an update, but depending on your PC’s age, the motherboard manufacturer might not offer one. You can turn off Secure Boot, and Windows will still start up. If BitLocker is enabled, you might need to provide the recovery key to access the data on that disk.

Also: How to find your BitLocker recovery key – and save a secure backup copy before it’s too late

When will the new certificates expire?

The 2023 certificates have expiration dates 15 years later, in 2038. The one exception is the Windows UEFI CA 2023, which will expire in June 2035. That means we’ll have to go through this dance again in less than a decade.

Where can I get more information or help?

The official Microsoft FAQ page is here: Secure Boot Certificate Update FAQ. If you run into issues on an unmanaged PC in a home or small office, check with the PC maker or contact Microsoft for support. Enterprise administrators can use commercial support channels.