Windows Secure Boot Certificates Expire in June 2026 – What to Do

Secure Boot certificates on Windows 10 and Windows 11 that were issued in 2011 are expiring in June 2026. Your PC will not stop booting — existing software keeps running — but the device enters a degraded security state and stops receiving boot-level protections. Most systems will get the new Windows UEFI CA 2023 certificate automatically through Windows Update. You can verify yours in 60 seconds with two PowerShell commands, and install the new certificates manually with a single registry-and-scheduled-task command if needed.

Applies to: Windows 10 (22H2), Windows 11 (23H2, 24H2, 25H2), Windows Server 2022 and 2025 with Secure Boot enabled | Last updated: April 19, 2026

Your Windows Secure Boot Certificates Expire in June 2026 — What You Need to Do

Key Takeaways

  • Two Secure Boot certificates signed in 2011 expire in June 2026, with a third expiring in October 2026. Microsoft announced this in June 2025 and has been rolling the replacement certificates out since early 2026.
  • Every Windows 10, Windows 11, Windows Server 2022/2025, and LTSC device released since 2012 with Secure Boot enabled is affected. Copilot+ PCs from 2025 are not — they shipped with the new certificates already.
  • If your PC has Secure Boot disabled in BIOS/UEFI, none of this applies — Secure Boot is not checking any certificates to begin with.
  • Devices that miss the deadline do not stop booting. They enter a degraded security state until the new certificates are installed. The fix still works after the deadline — it just leaves a gap of unprotected time.
  • Old Windows installation USB drives signed with the 2011 certificates may fail to boot on Secure Boot systems after June 2026. Re-create them from a fresh ISO before the deadline.

Quick Steps

  1. Right-click the Start button and open Terminal (Admin).
  2. Run Confirm-SecureBootUEFI. If it returns False, Secure Boot is disabled and you can stop here.
  3. If it returns True, run the “Windows UEFI CA 2023” check command (below). True = already patched, nothing to do. False = keep going.
  4. Install the new certificate by running Windows Update, or by running the manual reg add + Start-ScheduledTask command below.
  5. Restart your PC twice, then re-run the check command to confirm the result is now True.

Why the Secure Boot Certificates Need to Be Updated

Secure Boot is a firmware-level security feature. Before Windows loads, Secure Boot checks that the bootloader and early boot components are signed by a trusted certificate. Think of it as a bouncer at the door checking IDs — a valid signature gets in, an invalid one does not. If the signature fails, the system refuses to boot.

The certificates Secure Boot relies on were issued in 2011. Fifteen years later, those certificates are reaching their expiry date. Per Microsoft’s “Act Now” Windows IT Pro blog post, two certificates expire in June 2026 and a third in October 2026. The replacements — including Windows UEFI CA 2023 — need to be provisioned into the UEFI firmware’s db variable before the old ones lapse.

Who Is Affected by the Secure Boot Certificate Expiry

Every device with Secure Boot enabled and Windows installed since 2012 is in scope. Per Microsoft’s “Refreshing the Root of Trust” blog post, this includes:

  • Windows 10 (all supported versions, including LTSC)
  • Windows 11 (all supported versions)
  • Windows Server 2022 and 2025, plus earlier supported server versions
  • Virtual machines on any of the above

Not affected:

  • Copilot+ PCs released in 2025 — they shipped with the new certificates pre-provisioned.
  • Systems with Secure Boot disabled — nothing is being checked, so nothing can expire.

If you dual-boot Windows and Linux, Windows will update the certificates Linux relies on (specifically shim). macOS is technically affected but falls outside Microsoft’s support scope.

What Happens If You Do Not Update in Time

Microsoft is clear on this point, and a lot of the panicky coverage online overstates it. Quoting directly from the Windows Experience blog: if a device does not receive the new Secure Boot certificates before the 2011 certificates expire, the PC will continue to function normally and existing software will keep running.

What you do lose is the ability to receive future boot-level protections, and over time you may run into hardware, firmware, or software that expects the new certificates to be present. I think of it like driving with an expired license — the car still drives, but you are not covered if anything goes wrong.

The practical risk is the Black Lotus bootkit (CVE-2022-21894). Per Microsoft’s own security write-up, Black Lotus can only be deployed against a device where the attacker already has privileged or physical access — it is not a drive-by exploit. For most home users the immediate risk is low, but keeping Secure Boot current is still good security practice.

Important: Missing the June 2026 deadline does not permanently lock you out of updating. It just means there is a window of degraded security between the old certificates expiring and the new ones being installed. Installing the update at any later point still brings the system back to a protected state.

Check and Update Your Secure Boot Certificates

Here are the exact commands I use. Run them in order and stop at the first point that says you are done.

Step 1: Open Terminal (Admin)

Right-click the Start button and choose Terminal (Admin) (on Windows 11) or Windows PowerShell (Admin) (on Windows 10). Accept the UAC prompt.

Step 2: Check if Secure Boot Is Enabled

Confirm-SecureBootUEFI
  • True — Secure Boot is enabled. Continue to Step 3.
  • False — Secure Boot is off. None of this applies. Stop here.

Tip: If you want Secure Boot on, enable it in the BIOS/UEFI firmware — it is not a Windows setting. Reboot into your firmware, find the Secure Boot option, and set it to Enabled. Save and exit.

Step 3: Check for the Windows UEFI CA 2023 Certificate

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
  • True — The new certificate is already in your firmware’s db variable. You are done.
  • False — The new certificate is not installed yet. Continue to Step 4.

Step 4a: Install via Windows Update (Recommended)

Go to Settings > Windows Update and install every pending update. For most home and business PCs that let Windows manage updates, the new Secure Boot certificates roll out automatically as part of the regular monthly patch cycle — no extra action needed.

If you use my Winhance utility, check the Windows Update policy setting. If you set it to Paused for a Long Time or Disabled, you likely have not received the new certificates. Switch the policy back to Security Updates Only or Normal, then run Windows Update. Once the certificates are in place you can switch the policy back if you want.

Tip: If you previously locked Windows to a specific version or disabled automatic updates, temporarily re-enable Security Updates and run Windows Update before the June 2026 deadline so the Secure Boot update flight can reach you.

Step 4b: Install Manually via Registry + Scheduled Task

If you would rather trigger the certificate install directly, run this in the elevated terminal. The first part sets the AvailableUpdates registry flag that tells Windows a Secure Boot update is pending; the second part runs the scheduled task that applies it:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f; Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

You should see “The operation completed successfully.” The command is safe to run even if the new certificates are already installed — it simply reports success either way.

Important: Restart your PC twice after running the manual command. The first reboot applies the certificate update to firmware; the second clears the boot manager cache and finalises the change. Both restarts are required — one is not enough.

Step 5: Verify

After both restarts, open Terminal (Admin) again and re-run the Step 3 command:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

It should now return True. If it still returns False after two restarts, your OEM firmware may require a BIOS update to accept the new certificates — check your motherboard or laptop vendor’s support page for a 2026 BIOS/UEFI release.
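The Step 3 and Step 5 checks scan the raw bytes of db for a text string, which works but tells you nothing about the other certificates in the variable. As an added example that is not from the original guide, the PowerShell below parses the db and KEK variables into the EFI_SIGNATURE_LIST structures defined by the UEFI specification and lists every X.509 certificate they hold with its expiry date, so the lapsing 2011 certificates show up alongside the 2023 replacements. It assumes an elevated PowerShell on a UEFI system where Get-SecureBootUEFI is available; the function name is my own.

```powershell
# Added example, not from the original guide: walk the EFI_SIGNATURE_LIST
# structures inside a Secure Boot variable and return every X.509 certificate
# it holds, with its expiry date. Assumes an elevated PowerShell on a UEFI
# system where Get-SecureBootUEFI works.

# Standard UEFI GUID (EFI_CERT_X509_GUID) marking a list of DER certificates.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificate {
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db')][string]$Variable)

    $bytes  = (Get-SecureBootUEFI -Name $Variable).Bytes
    $offset = 0
    # Each list: SignatureType GUID (16) + ListSize (4) + HeaderSize (4) + SigSize (4)
    while (($offset + 28) -le $bytes.Length) {
        $sigType    = [guid]::new([byte[]]($bytes[$offset..($offset + 15)]))
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { break }   # malformed list; stop rather than loop forever

        if ($sigType -eq $EfiCertX509Guid) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            # Each entry: 16-byte SignatureOwner GUID followed by the DER-encoded cert.
            while (($pos + $sigSize) -le $end -and $sigSize -gt 16) {
                $der  = [byte[]]($bytes[($pos + 16)..($pos + $sigSize - 1)])
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Variable
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Expired    = ($cert.NotAfter -lt (Get-Date))
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

$certs = @('KEK', 'db') | ForEach-Object { Get-SecureBootCertificate -Variable $_ }
$certs | Sort-Object Variable, NotAfter | Format-Table Variable, Subject, NotAfter, Expired -AutoSize

# Same question as Step 3, answered from the parsed subject instead of a raw byte scan.
if ($certs | Where-Object { $_.Variable -eq 'db' -and $_.Subject -match 'Windows UEFI CA 2023' }) {
    'Windows UEFI CA 2023 is present in db.'
} else {
    'Windows UEFI CA 2023 is NOT in db yet; apply the Step 4 update and re-check after two restarts.'
}
```

A db entry whose Expired column reads True after June 2026 is one of the 2011 certificates this guide is about; if KEK shows no 2023 entry either, the firmware has not accepted the refreshed key hierarchy and the BIOS update note above applies.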

Recreate Old Windows Installation USB Drives

This one gets overlooked. If you have an old Windows installation USB sitting in a drawer, its bootloader was signed with the 2011 certificates. After June 2026, Secure Boot-enabled systems may refuse to boot from it.

Create a fresh USB using a current Windows ISO before the deadline. My guides on downloading the Windows 11 ISO and creating a bootable USB with Rufus walk through the full process. If you prefer my own tools, WimUtil handles the ISO download and USB creation in a single app.

Frequently Asked Questions

Will my PC stop working when Secure Boot certificates expire in June 2026?

No. Microsoft has confirmed the PC will continue to function normally and existing software will keep running. What happens is the device enters a degraded security state and loses the ability to receive future boot-level protections. It is not an emergency for most home users, but you should still get the update applied.

Do I need to do anything if Secure Boot is disabled on my PC?

No. If Confirm-SecureBootUEFI returns False, Secure Boot is not checking any certificates, so the expiry does not affect you. You only need to act if Secure Boot is enabled.

How do I know if the update is already applied?

Run [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023' in an admin PowerShell window. True means the new certificate is in your firmware’s db. False means you still need to install it.

What is Black Lotus and should I be worried about it?

Black Lotus is a bootkit that Secure Boot is designed to defend against (CVE-2022-21894). Per Microsoft’s security write-up, it can only be deployed on a system where the attacker already has privileged or physical access — it is not a drive-by threat. For most home users the direct risk is low, but keeping Secure Boot certificates current is still the right call.

What if I miss the June 2026 deadline?

You do not permanently lose the ability to update. There will simply be a gap — from the day the old certificates expire until you install the new ones — where your system is in a degraded security state. Running the install command after the deadline still works and still brings you back to a protected state.

Will this break my dual-boot Linux install?

No. Microsoft has said that on Windows + Linux dual-boot systems, Windows will update the certificates Linux relies on (the shim bootloader chain) at the same time. Your Linux install keeps booting after the update.
