Windows 11 Secure Boot Expires Today – Update Now

In this article, we will talk about the Windows 11 Secure Boot Certificates that are expiring in 2026 and what you need to do.

As stated by Microsoft, Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This might affect the ability of certain personal and business devices to boot securely if not updated in time.

Secure Boot is a security feature in Unified Extensible Firmware Interface (UEFI) based firmware that helps ensure that only trusted software runs during a device’s boot (start) sequence.

Microsoft is updating the Secure Boot certificates originally issued in 2011 to ensure Windows devices continue to verify trusted boot software. More info here.

If you don’t get these New Secure Boot Certificates you can expect the following:

  • New Secure Boot and Boot Manager protections cannot be applied.
  • Vulnerability fixes for the early boot environment – such as BitLocker bypass mitigations or Secure Boot revocations – will not be available.
  • Some third‑party components that rely on Microsoft Secure Boot trust may fail to update if they require newer certificate entries.

Most personal Windows devices will automatically receive the new Secure Boot certificates through Microsoft‑managed updates. For devices managed by an organization, IT administrators should follow Microsoft’s Secure Boot certificate update guidance. Some devices may require an OEM firmware update to apply the new certificates correctly. For any device, personal or organization‑managed, contact your OEM for information about required firmware updates, keeping in mind that such updates may only be available for devices that are still within their support period. Keeping your device up to date ensures it continues to receive the full protections Secure Boot is designed to provide.

For additional information from Microsoft, you can check this article from the Microsoft Blog.

How to Check if you have the New Secure Boot Certificates

Open PowerShell as Administrator and run the following command:

([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

If the command returns True, you already have the latest Secure Boot certificates. If it returns False, you need to either update Windows or download the latest drivers from the manufacturer.

Starting in April 2026, the Windows Security app displays additional information about the status of Secure Boot certificate updates on your device. You can find this under Device security > Secure Boot.

Microsoft Secure Boot certificates, originally issued in 2011, are approaching expiration in 2026. Updated 2023 certificates are being delivered automatically through Windows Update. The Windows Security app now shows whether your device has received these updates, what your current status is, and whether any action is needed. 

Secure Boot certificate states you might see include the following:

Fully Updated

Your device has received all required Secure Boot certificate updates, and the updated Boot Manager has been installed. No action is needed. The Secure Boot badge shows a green checkmark. 

The Secure Boot section showing the “fully updated” status with a green checkmark icon.

Not yet Updated

Your device is running with an older Secure Boot certificate. The Secure Boot certificate update is expected to be applied automatically through Windows Update. Make sure your device is connected to the internet and has the latest Windows updates installed. 

Starting in May 2026, in addition to informational text about your device’s Secure Boot status, a yellow caution badge might appear if additional action is required. This can happen when the update is blocked by a device’s hardware or firmware limitation. 

The Secure Boot section showing the “Not yet updated” status with a yellow warning icon.

Requires action

A security update exists for the Windows boot experience that cannot be delivered to your device’s current boot configuration. This state appears only after a security vulnerability that affects the boot process is discovered and cannot be serviced on devices that have not yet received the updated certificates. This could occur as early as June 2026, when some of the current Secure Boot certificates begin to expire. When this occurs, the Secure Boot badge changes to a red stop icon. 

The Secure Boot section showing the “Requires action” status with a red stop icon.

These feature enhancements are rolling out automatically starting in April 2026. When these features are enabled on your device, you’ll see Secure Boot certificate status inside the Windows Security app (Windows Security > Device security > Secure Boot), including visual indicators that reflect the current state. 

Beginning in May 2026, additional improvements will become available, including notifications outside the app (such as system alerts) and additional in‑app guidance and controls to help you respond to Secure Boot warnings.

For more information related to these warnings, you can check this article from the Microsoft Support Website.

For a more in-depth tutorial about Windows 11 Secure Boot, you can watch the video below from the YouTube channel.
