Secure Boot Certificate Expiration: What You Need to Know

Microsoft has rolled out the Secure Boot 2023 certificate update to all eligible Windows 11 and Windows 10 PCs just hours before the initial expiration deadline on June 24, 2026. According to a statement from Microsoft, “With this update, Windows quality updates include additional high-confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.”

If your PC received the June 2026 Patch Tuesday update, chances are the Secure Boot 2023 certificates have already been installed on your device. Below is everything you need to know about checking your certificate status and troubleshooting potential issues.

What is the Secure Boot Certificate Update?

Secure Boot is a firmware-level security feature that verifies the digital signature of every boot component to block rootkits and bootkits from infiltrating the startup chain. The certificates supporting this system were issued in 2011, with their expiration dates as follows:

• Microsoft Corporation KEK CA 2011: June 24, 2026
• Microsoft UEFI CA 2011: June 27, 2026
• Microsoft Windows Production PCA 2011: October 19, 2026

To ensure Secure Boot continues functioning beyond these dates, Microsoft has been deploying replacement 2023 certificates through Windows Update since 2024. The June 2026 update significantly expanded the pool of eligible devices, moving most supported PCs into the “high confidence” category, where updates are applied automatically and safely.

How to Check if Your PC Has the Secure Boot 2023 Certificates

The quickest way to verify your Secure Boot certificate status is through the Windows Security app, a feature added in the April 2026 Windows 11 update. Follow these steps:

1. Open the Windows Security app.
2. Click Device Security from the left menu.
3. Scroll to the Secure Boot section to view your status.

You will see one of the following status indicators:

• Green Checkmark: Indicates that all required certificate updates have been applied, and no action is required.
• Yellow Warning: Indicates the update is pending. Compatibility data or a BIOS update from your PC manufacturer may be required before the certificates can be installed.
• Red Alert: Indicates a specific issue blocking the update, typically due to firmware incompatibility. Check your PC manufacturer’s support page for a BIOS update.

If the Secure Boot section is missing, this likely means Secure Boot is disabled or your PC was installed using a registry bypass on unsupported hardware. For detailed steps on older and unsupported PCs, refer to our Secure Boot verification guide.

What if Your PC Did Not Receive the Secure Boot Update?

Missing the Secure Boot 2023 certificate update does not mean your PC will stop functioning. Microsoft has confirmed that devices without the updated certificates will continue to boot normally and receive regular Windows updates. However, these devices will no longer receive future boot-level security updates, which may expose them to vulnerabilities such as the BlackLotus bootkit over time.

For modern hardware, the update is applied automatically. If your PC shows a yellow warning, wait for the next Windows Update cycle. Microsoft continues to expand device coverage with each monthly update. For older hardware where manufacturers have ceased support, obtaining the 2023 certificates may not be possible. In such cases, checking for a BIOS update is the first step before considering manual interventions.

Your PC May Restart Twice After Updates

It is normal for PCs to restart two or three times during the Secure Boot certificate update process. Microsoft has confirmed this behavior is expected due to the multi-step process involving:

1. Writing new certificates to the firmware.
2. Applying the updated boot manager.
3. Booting Windows with the updated Secure Boot chain.

Additionally, a new folder at C:\Windows\SecureBoot may appear. This is not malware; it is used by Windows to stage cryptographic certificate files before writing them to the firmware. Do not delete this folder.

Windows 10 Users Also Receiving Secure Boot Updates

Despite Windows 10 having reached end-of-life status, Secure Boot updates have been made available to users enrolled in the Extended Security Updates (ESU) program. From the May 2026 update (KB5087544), Windows 10 users began receiving Secure Boot status reporting. However, users not enrolled in the ESU program will not receive these updates via Windows Update.

Switching to ESU requires transitioning from a local account to a Microsoft account. For Windows 11 users, the June 2026 update features the largest rollout yet of Secure Boot certificates.

For IT Admins: Key Details About the June 24 Deadline

As of June 24, 2026, Microsoft Corporation KEK CA 2011 can no longer sign new Secure Boot revocation payloads (DBX updates) with the old key. However, existing signed payloads and manual rollout methods will continue to function. The DB key remains valid until October 19, 2026, allowing Microsoft to sign new boot managers until then.

Microsoft has conducted AMA sessions with engineers to address IT administrator concerns, including device confidence buckets, Intune monitoring, PXE boot scenarios, and virtual machine caveats. For enterprise fleet management, aka.ms/GetSecureBoot remains the primary resource.

Devices in the paused bucket require a BIOS update from the OEM before applying the Secure Boot update. Forcing the update without a firmware update is not recommended and may lead to boot failures or trigger BitLocker recovery.

Windows Latest depends on readers like you. Consider making us your preferred source on Google Discover and Google Search to support our independent reporting.