Your PC’s critical security certificates may be about to expire – how to check

ZDNET's key takeaways
- Secure Boot protects modern Windows and Linux PCs.
- Microsoft Secure Boot certificates from 2011 expire in June 2026.
- Most PC owners are fine if they install the latest updates.
Last year's end-of-support deadline for Windows 10 was a big test for consumers and IT pros alike. The good news is, everyone passed! The bad news is, there's another crucial expiration date right around the corner.
Every Windows PC designed and built since 2011 supports a feature called Secure Boot. This feature, which is on by default on new PCs sold with Windows 10 and Windows 11, acts as a gatekeeper that allows only trusted software to run at startup. If someone tries to tamper with the operating system or boot from an alternate device, Secure Boot blocks that attempt.
All currently supported versions of Windows support Secure Boot, as do an increasing number of Linux distributions, including Ubuntu, Fedora, Linux Mint, OpenSUSE, and a host of others.
How Secure Boot works
Secure Boot relies on a chain of cryptographic certificates that check each boot component to see whether it's properly signed. One of the most important certificates is the Key Exchange Key (KEK), which sits in the UEFI firmware and works with the Trusted Platform Module (TPM) to manage the list of trusted bootloaders, which are contained in the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX). The Microsoft-issued Production Certificate Authority (CA) and UEFI CA certificates are likewise essential to the operation of Secure Boot, and they also need to be updated.
If you bought a PC in the last 15 years, it almost certainly contains Microsoft-issued KEK and UEFI CA certificates from 2011, which are slated to expire in June 2026. To update those certificates, you need access to the root of trust -- the Platform Key, which is managed by the hardware OEM.
When the Secure Boot certificates expire, they are no longer permitted to validate boot software, which means your installed operating system will refuse to start. You can turn off Secure Boot, but doing so means you won't be able to access disks that are encrypted using BitLocker.
In 2023, Microsoft issued replacements for those Secure Boot certificates. But the whole point of the Secure Boot certificate model is that those certificates are not easy to replace -- if they were, every malware developer in the world would be focusing energy on doing exactly that, creating malicious rootkits that run at startup and can't be detected easily.
To prepare for this mass extinction event, Microsoft and its hardware partners have been working for several years, coordinating a global series of updates designed to replace those outdated certificates with the 2023 version. Microsoft has documented progress in a new blog post:
Our ecosystem partners play a critical role in the transition to the new Secure Boot certificates. OEMs have been provisioning updated certificates on new devices and many newer PCs built since 2024, and almost all the devices shipped in 2025 already include the certificates and require no action from customers. OEM partners have also worked closely with our engineering teams to ensure that in-market devices can apply the updates seamlessly and have provided their own guidance to help customers prepare for the transition. As a result of that concerted effort, you might soon see a firmware update that will bring your computer's security core into the modern era, pushing the certificate expiration dates out by another decade or more.
For most people, this process should be unobtrusive. You might already have installed the necessary updates without realizing it.
For this post, I've assembled a list of frequently asked questions, along with authoritative answers.
Why are these certificates expiring?
Fifteen years is a long time. Security standards advance dramatically every year, and it's normal to retire old certificates and replace them with newly issued certificates that meet modern security standards instead of becoming a point of vulnerability.
Does my PC have expiring Secure Boot certificates?
If your computer was designed and built after 2011, it includes Secure Boot certificates. Any device that was designed and built before 2024 probably has a 2011 certificate, which is about to expire.
According to Microsoft, its OEM partners have been provisioning updated certificates on new devices since 2024. If you have a relatively new device, it probably already includes the latest certificates. Copilot+ PCs built in 2025 or later already include the 2023 certificates and don't need an update.
To see whether your PC has the updated certificates, open an elevated PowerShell window (run as administrator) and then run the following command:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
If the response is True, you're up to date. If the response is False, you need a firmware update.
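The one-line check above searches the raw bytes of the db variable for a single certificate name. The script below, an added example that is not from the ZDNET article or from Microsoft, goes a step further on the structure described in "How Secure Boot works": it parses the KEK, db and dbx variables as the EFI_SIGNATURE_LIST structures the UEFI specification defines, extracts every X.509 certificate, and reports each certificate's subject and expiry date, so you can see the 2011 and 2023 Microsoft CAs side by side. The function names are the example's own. "Windows UEFI CA 2023" is the name the article checks for; the other certificate names in the script are taken from Microsoft's published Secure Boot documentation and are assumptions of this example, not values from the article.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the ZDNET article or Microsoft). Needs an elevated session on a UEFI PC.

# EFI_CERT_X509_GUID from the UEFI specification: marks a signature list whose entries are
# DER-encoded X.509 certificates (dbx is mostly SHA-256 hash lists, which are skipped here).
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-UefiSignatureCertificates {
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)

    $bytes  = [byte[]](Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes) followed by three
        # little-endian UINT32s: SignatureListSize, SignatureHeaderSize, SignatureSize.
        $sigType    = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }  # truncated or corrupt list

        if ($sigType -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            # Each EFI_SIGNATURE_DATA entry: 16-byte SignatureOwner GUID, then the certificate bytes.
            while ($pos + $sigSize -le $end) {
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Test-SecureBoot2023Certificates {
    # 'Windows UEFI CA 2023' is the name the article checks for. The remaining names are the
    # 2023 and 2011 Microsoft CA names from Microsoft's public Secure Boot documentation
    # (an assumption of this example, not something the article states).
    $expected = @{
        KEK = @('Microsoft Corporation KEK 2K CA 2023')
        db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023')
    }
    $legacy = @('Microsoft Corporation KEK CA 2011',
                'Microsoft Windows Production PCA 2011',
                'Microsoft Corporation UEFI CA 2011')

    $certs = foreach ($v in 'KEK', 'db') { Get-UefiSignatureCertificates -Name $v }

    # Which of the 2023 certificates are still missing from the variable that should hold them?
    $missing = foreach ($v in $expected.Keys) {
        foreach ($cn in $expected[$v]) {
            $found = $certs | Where-Object { $_.Variable -eq $v -and $_.Subject -like "*CN=$cn*" }
            if (-not $found) { "$v`:$cn" }
        }
    }
    # Which 2011-era certificates are still present (normal until the firmware/OS update lands)?
    $legacyPresent = foreach ($c in $certs) {
        foreach ($cn in $legacy) { if ($c.Subject -like "*CN=$cn*") { $c.Subject } }
    }

    [pscustomobject]@{
        SecureBootEnabled = $(try { Confirm-SecureBootUEFI } catch { $false })
        Updated2023       = (@($missing).Count -eq 0)
        Missing2023       = @($missing)
        Legacy2011Present = @($legacyPresent)
        EarliestExpiry    = ($certs | Sort-Object NotAfter | Select-Object -First 1).NotAfter
    }
}

# Full certificate listing, then the summary verdict.
Get-UefiSignatureCertificates -Name db | Sort-Object NotAfter | Format-Table Variable, NotAfter, Subject -AutoSize
Test-SecureBoot2023Certificates
```

Reading NotAfter from the certificates themselves is what makes this more useful than a string match: the listing shows exactly which CAs expire in June 2026 and which replacements are already in place, and `Updated2023` is False until both the 2023 KEK and both 2023 db signing CAs are present.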
Will I get an updated certificate automatically?
If your PC was designed and built by a major OEM (Lenovo, HP, Dell, ASUS, Surface), and you are running a supported Windows version, you should receive the necessary update automatically.
According to Microsoft, "For most individuals and businesses that allow Microsoft to manage PC updates, the new certificates will be installed automatically through the regular monthly Windows update process, with no additional action required."
Those updates will arrive on almost all PCs running Windows 11 and on PCs running Windows 10 with an Extended Security Updates subscription. You might need a separate firmware update from the PC maker to allow the updated certificates to install.
Microsoft says it will be delivering messages about the certificate update status in the Windows Security app.
For specialized computers, such as servers and IoT devices, you might need to download and install an update from the device maker.
What happens if I don't update those certificates?
According to Microsoft, "When the 2011 CAs expire, Windows devices that do not have new 2023 certificates can no longer receive security fixes for pre-boot components, compromising Windows boot security.... Without updates, the Secure Boot-enabled Windows devices risk not receiving security updates or trusting new boot loaders, which will compromise both serviceability and security."
I have a Mac. Do I need to worry about this?
No.
I have a PC running Linux. Do I need to worry about this?
If you're dual-booting Linux with Windows, Microsoft says it will update the certificates that Linux relies on.
If you've wiped Windows completely, you might not get the latest security updates automatically. You can contact the company that built your PC to see if there's a manual update, or you can turn Secure Boot off. Aside from seeing a scary red padlock on the boot screen, everything else will work as expected.
I built my own PC. Where are my updates?
Talk to the company that manufactured your motherboard. There might be an update, but depending on the age of your PC, the motherboard company might not offer one. You can turn off Secure Boot and Windows will still start up. If you have BitLocker encryption turned on, you might need to supply the recovery key to access data on that disk.
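Because a Secure Boot or firmware change can land you at a BitLocker recovery prompt, the practical check before touching any of this is whether each protected volume actually has a recovery password and whether you have a copy of it off the encrypted disk. The following is an added example, not from the ZDNET article; the function names are the example's own, and the export path is a placeholder you would point at removable media.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the ZDNET article): confirm BitLocker recovery readiness before
# turning Secure Boot off or applying a firmware update.

function Get-BitLockerRecoveryReadiness {
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        [pscustomobject]@{
            MountPoint            = $vol.MountPoint
            ProtectionStatus      = $vol.ProtectionStatus   # On / Off
            VolumeStatus          = $vol.VolumeStatus       # FullyEncrypted, FullyDecrypted, ...
            RecoveryPasswordCount = $recovery.Count
            RecoveryPasswordIds   = ($recovery.KeyProtectorId -join ', ')
            # The risky case: protection is on but no recovery password exists, so a recovery
            # prompt after a Secure Boot change could not be answered with anything you hold.
            AtRisk                = ($vol.ProtectionStatus -eq 'On' -and $recovery.Count -eq 0)
        }
    }
}

function Export-BitLockerRecoveryPasswords {
    # $Path should be on removable media or another machine, never on the protected disk itself.
    param([Parameter(Mandatory)][string]$Path)
    $lines = @(foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            "{0}`t{1}`t{2}" -f $vol.MountPoint, $kp.KeyProtectorId, $kp.RecoveryPassword
        }
    })
    if ($lines.Count -eq 0) {
        Write-Warning 'No recovery passwords found; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector first.'
        return 0
    }
    Set-Content -Path $Path -Value $lines
    return $lines.Count   # number of recovery passwords written
}

Get-BitLockerRecoveryReadiness | Format-Table -AutoSize
# Export-BitLockerRecoveryPasswords -Path 'E:\bitlocker-recovery.txt'   # placeholder path on a USB drive
```

Run the readiness check first; any row with `AtRisk` True needs a recovery password added and backed up before Secure Boot is changed, otherwise the data on that volume may become unreachable.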
Where can I get more information or help?
The official Microsoft FAQ page is here: Secure Boot Certificate Update FAQ. If you run into issues on an unmanaged PC in a home or small office, check with the PC maker or contact Microsoft for support. Enterprise administrators can use commercial support channels.