Secure Boot certificates on Windows are expiring in June 2026, and you’ve probably already seen the news going around. Some of the coverage out there makes it sound like your PC is about to explode or something, but it’s not that dramatic. Your PC is not going to stop working. That said, it is something worth taking care of, and the good news is it only takes a few minutes to sort out. Let me walk you through exactly what’s going on and what you need to do.
Key Takeaways
- Secure Boot certificates created in 2011 are expiring in June 2026, affecting most Windows 10 and Windows 11 systems released since 2012.
- Your PC will not stop booting after the certificates expire, but it will enter a degraded security state and lose the ability to receive future boot-level protections.
- Most users will receive the updated certificates automatically through Windows Update, but you can check your status and update manually in just a few minutes using PowerShell.
Requirements
- A PC running a supported version of Windows 10 or Windows 11 (or Windows Server 2022/2025)
- Administrator access to run PowerShell or Terminal commands
- Secure Boot enabled in your BIOS or UEFI settings (if Secure Boot is not enabled on your system, none of this applies to you)
Why Do You Need to Update Your Secure Boot Certificates?
Secure Boot is a security feature built into your PC’s firmware. When you turn on your computer, before Windows even starts loading, Secure Boot checks that the software trying to run is digitally signed by a trusted source. Think of it like a bouncer at a club checking IDs at the door. If the ID is valid, you get in. If it’s not, you stay outside — or in the case of Secure Boot, the system simply won’t boot.
The certificates that Secure Boot uses to do those checks were created back in 2011. After 15 years, those certificates are now expiring in June 2026. Microsoft actually posted about this back in June 2025, so there’s been almost a year of notice. There are two certificates expiring in June 2026 and one more expiring in October 2026. New certificates need to be installed to maintain that protection and keep things running smoothly going forward.
Who Is Affected by the Secure Boot Certificate Expiry?
According to Microsoft, the affected systems include both physical machines and virtual machines on supported versions of Windows 10, Windows 11, Windows Server 2025, Windows Server 2022, and other supported server versions — basically any system released since 2012, including Long Term Servicing Channel (LTSC) editions.
The systems that are not affected are Copilot Plus PCs released in 2025, as those already have the newer certificates in place. It’s also worth noting that if you dual-boot Windows and Linux, Windows will take care of updating the certificates that Linux relies on as well. macOS is technically affected, but it falls outside the scope of Microsoft support.
What Happens If You Don’t Update Your Secure Boot Certificates?
This is the question most people are asking, and Microsoft is pretty clear about it. If your device doesn’t receive the new Secure Boot certificates before the old 2011 certificates expire, your PC will continue to function normally and your existing software will keep running. Your PC is not going to stop booting.
What does happen is your device enters a degraded security state. This limits its ability to receive future boot-level protections, and over time you might start running into compatibility issues with hardware, firmware, or software that expects the new certificates to be present.
I like to think of it this way: it’s a lot like having a driver’s license that’s expired. Your car will still work and you can still drive it, but you’re technically not covered. So you should get the license renewed.
There’s also a known bootkit called BlackLotus that’s worth being aware of in this context. According to Microsoft’s security write-up on it, BlackLotus can only be deployed to a device where the threat actor has already gained privileged or physical access, so it’s not something you’re going to accidentally pick up just by browsing the internet. But keeping your certificates updated is still good security practice regardless.
Important: If you don’t install the updated certificates before June 2026, you don’t lose the ability to update them entirely. It just means there will be a gap — from the point the old certificates expire until you actually install the new ones — where your system is in a reduced security state. Installing the updates at any point will still bring you back up to a protected state.
How to Check and Update Your Secure Boot Certificates
Here are the steps to check whether Secure Boot is enabled on your system, whether your certificates are already up to date, and how to install them if they’re not. I recommend going through these checks just so you know where you stand.
Step 1: Open Terminal or PowerShell as Administrator
Right-click the Start menu icon in the taskbar and select Terminal (Admin) or Windows PowerShell (Admin). This will open the terminal window with the admin privileges needed to run these commands.
Step 2: Check If Secure Boot Is Enabled
Run the following command in the terminal:
Confirm-SecureBootUEFI
- True — Secure Boot is enabled on your system. Continue to Step 3.
- False — Secure Boot is not enabled. Since Secure Boot isn’t checking any certificates, none of this applies to you and you don’t need to do anything further.
Note: If you want to enable Secure Boot, you’ll need to go into your BIOS or UEFI settings and enable it from there. This isn’t something you do from within Windows itself.
Step 3: Check If Your Secure Boot Certificates Are Already Up to Date
If Secure Boot is enabled, run this next command to check whether the updated certificates are already installed on your system:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
- True — The updated Secure Boot certificates are already installed on your system. You’re good to go and don’t need to do anything else.
- False — The updated certificates are not yet installed. Continue to Step 4 to install them.
Step 4: Install the Updated Secure Boot Certificates
If the second command returned false, here are two ways to get the updated certificates installed.
Option 1: Install via Windows Update (Recommended)
The easiest way is to simply run Windows Update. Go to Settings > Windows Update and install the latest available updates. For most individuals and businesses that let Microsoft manage their PC updates, the new certificates will be installed automatically through the regular monthly update process with no extra action needed. If you’re already fully up to date, the certificates should already be there.
For users of Winhance, my free Windows enhancement utility, there’s a Windows Update policy setting inside the app that gives you four options for how updates are handled. If you’ve set yours to Paused for a Long Time or Disabled, there’s a real chance you haven’t received the updated certificates yet. In that case, I’d strongly recommend going back into Winhance and switching the policy to Security Updates Only or Normal, then getting your computer up to date so it can download the latest certificates.
Tip: If you’ve previously disabled automatic Windows updates, now is a good time to temporarily re-enable them or manually check for updates to make sure your Secure Boot certificates get updated before the June 2026 deadline.
Option 2: Manually Install via Registry Entry and Scheduled Task
If you’d rather not go through Windows Update, you can manually trigger the certificate installation by running the following command in your elevated terminal. The first part adds a registry entry that tells Windows a Secure Boot update is available, and the second part triggers the scheduled task to install it:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f; Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
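You should see a message saying the operation completed successfully. That message comes from the reg add part and only confirms that the registry value was written; the certificates themselves are applied by the scheduled task and the restarts described below. This works even if you’ve already got the latest certificates installed, and it will simply report success either way.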
Important: After running this command, you need to restart your PC twice for it to fully take effect. The first restart applies the certificate update, and the second restart clears the boot manager cache and finalizes everything. I know that sounds a bit odd, but that’s just how this particular update works.
Once you’ve completed both restarts, open the terminal again and re-run the command from Step 3. It should now return True, confirming that the updated certificates are installed.
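As an added example (not from the original article or from Microsoft), the read-only function below combines the Step 2 and Step 3 checks and reports the AvailableUpdates value from Option 2, so it can be run before the update and again after both restarts. The function name is hypothetical, and the two extra certificate names (Microsoft UEFI CA 2023 and Microsoft Corporation KEK 2K CA 2023) are not on this page: they are Microsoft's other 2023 Secure Boot certificates, so the check goes beyond the single db match in Step 3.

```powershell
# Added example: read-only status report for the checks in Steps 2 and 3.
# Run in an elevated session. Nothing here writes to firmware or the registry.
function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param(
        # Certificate names to look for, keyed by UEFI variable.
        # 'Windows UEFI CA 2023' is the page's own check; the other two names
        # are assumptions added here (Microsoft's other 2023 certificates).
        [hashtable]$Expected = @{
            db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023')
            KEK = @('Microsoft Corporation KEK 2K CA 2023')
        }
    )

    $report = [ordered]@{ Computer = $env:COMPUTERNAME; SecureBoot = $null }

    # Step 2: the cmdlet throws on legacy BIOS systems and in non-elevated
    # sessions, so record the error instead of aborting the whole report.
    try   { $report.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $report.SecureBoot = "Unknown: $($_.Exception.Message)" }

    if ($report.SecureBoot -eq $true) {
        foreach ($var in $Expected.Keys) {
            try {
                # Step 3: decode the variable as ASCII and search for each name.
                $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
                $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
                foreach ($name in $Expected[$var]) {
                    $report["$var / $name"] = $text.Contains($name)
                }
            }
            catch { $report[$var] = "Read failed: $($_.Exception.Message)" }
        }
    }

    # Option 2 registry value: shown as-is so you can see whether it was set.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $val = (Get-ItemProperty -Path $key -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $report.AvailableUpdates = if ($null -ne $val) { '0x{0:X}' -f $val } else { 'not set' }

    [pscustomobject]$report
}

Get-SecureBootCertStatus | Format-List
```

A False next to any certificate name after both restarts means that certificate has not been applied yet, even though the reg add command reported success.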
One More Thing: Check Your Old Windows Installation USB Drives
There’s one more thing worth mentioning that a lot of people overlook. If you’ve got an old Windows installation USB drive that you created a while back, it was signed with the old 2011 certificates. When those certificates expire in June 2026, that USB might not boot anymore on a system with Secure Boot enabled.
So if you’ve got an older Windows USB sitting in a drawer somewhere, it might be worth creating a fresh one using the latest Windows ISO available directly from Microsoft, just to be safe.
Conclusion
To recap: Secure Boot certificates from 2011 are expiring in June 2026. Your PC is not going to stop working, but you should get the updated certificates installed because it keeps you protected at the boot level and avoids potential compatibility issues down the road. Most people with Windows Update running normally will get the new certificates automatically without doing a thing. But if you’ve got updates paused or disabled, you’ll want to handle this before the deadline hits.
Run the two PowerShell commands to check your current status first, and then decide whether you need to take action. It really doesn’t take long. A few minutes of your time now means you’ll have the peace of mind knowing your system is covered.
Frequently Asked Questions (FAQ)
Will my PC stop working when Secure Boot certificates expire in June 2026?
No, your PC will not stop working or stop booting when the old certificates expire in June 2026. What happens is your device enters a degraded security state, which limits its ability to receive future boot-level protections. Over time you may also run into compatibility issues with hardware, firmware, or software that expects the new certificates to be there. It’s not an emergency for most home users, but you should still get the certificates updated.
Do I need to do anything if Secure Boot is not enabled on my PC?
No. If Secure Boot is disabled on your system, it’s not checking any certificates at all, so none of this applies to you. You can confirm by running Confirm-SecureBootUEFI in an admin PowerShell window — if it returns False, Secure Boot is off and this update has no impact on your system.
How do I know if my Secure Boot certificates are already updated?
Open Terminal or PowerShell as administrator and run [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'. If it returns True, the updated certificates are already installed and you don’t need to do anything else. If it returns False, follow the steps in this guide to install them via Windows Update or the manual command.
What is BlackLotus and should I be worried about it?
BlackLotus is a known bootkit that Secure Boot helps protect against. According to Microsoft’s security documentation, it can only be deployed to a device where a threat actor has already gained privileged or physical access to the machine, so it’s not something you’re going to randomly pick up while browsing the internet. For most home users the direct risk is low, but keeping your Secure Boot certificates updated is still solid security practice and well worth the few minutes it takes.
What happens if I miss the June 2026 deadline for updating my Secure Boot certificates?
You don’t permanently lose the ability to update if you miss the deadline. What happens is there will be a period — from when the old certificates expire until the point you actually install the new ones — where your system is in a degraded security state. Once you do install the updates, your system will be protected again. So while updating before June 2026 is ideal, it’s still far better to update late than to never update at all.
