Microsoft's Secure Boot Certificates Are Expiring in June. Here's What to Do.


The certificates behind Windows Secure Boot have been running for 15 years. They were issued in 2011, and they start expiring in late June 2026. Most PCs will get the update automatically. Some will not. And if your device misses the window, it does not just stop working — it quietly falls behind on every boot-level security fix that comes after.

The deadline is real. Microsoft released a recovery environment patch on May 12 specifically to get ahead of it. Here is what is happening and exactly how to check your machine.

What Secure Boot Actually Does

Secure Boot runs before Windows even loads. Every time you turn on your PC, it checks cryptographic signatures on the software trying to run at startup. If anything does not match a trusted certificate stored in your firmware, it blocks it.

That is how it stops bootkits — malware that hides below the operating system where antivirus software cannot see it. The most well-known example is BlackLotus, a UEFI bootkit that exploited the boot path and was directly linked to CVE-2023-24932. Standard antivirus tools cannot detect or remove it. Secure Boot can.

The certificates that power all of this were issued in 2011. They expire in late June 2026. New 2023 certificates need to replace them before that happens.

What Happens If You Miss It

Your PC will not stop booting. Windows will keep loading normally, and standard updates will still install.

What stops working is anything security-related at the boot level. No more updates to the Windows Boot Manager. No new Secure Boot database entries. No revocation lists for compromised certificates. No mitigations for newly discovered boot vulnerabilities.

Over time, that adds up. Every new bootkit or firmware exploit that gets discovered after June stays unblocked on a machine still running the 2011 certificates. The device does not break. It just stops being defended at the layer that matters most.

There is also a compatibility angle. Third-party software signed with the new 2023 certificates will eventually stop being trusted by devices still on the old chain. Dual-boot setups and custom bootloaders are the first things that run into problems.

Who Gets the Update Automatically

Most people do not need to do anything.

If you are on Windows 11 and running regular Windows Updates, the 2023 certificates are being delivered through the standard monthly update process. Devices built since 2024 almost certainly already have them. Microsoft says the rollout has been phased and data-driven to avoid compatibility issues, with OEM coordination from HP, Lenovo, Dell, and others.

Windows 10 is a different story. Microsoft ended mainstream support for Windows 10 in October 2025. If you are on Windows 10 without Extended Security Updates enrolled, you are not receiving Windows Updates and will not receive the new certificates automatically. That machine will hit June without the update unless you act.

How to Check Your Status Right Now

Step 1 — Windows Security App

This is the fastest check. Microsoft added a Secure Boot status indicator to the Windows Security app in April 2026.

  1. Open the Start Menu and search for Windows Security
  2. Click Device security in the left panel
  3. Click Secure Boot

You will see one of three icons next to the Secure Boot status:

  • Green checkmark — Your device has the 2023 certificates. You are done.
  • Yellow caution icon — The update is pending or partially applied. Run Windows Update.
  • Red stop icon — The certificates have expired or are missing. Action is required.

Step 2 — Run Windows Update

If your status is yellow, this is your next step.

  1. Open Settings → Windows Update
  2. Click Check for updates
  3. Install everything available, including optional updates
  4. Restart when prompted

Worth knowing: the Secure Boot certificate update may trigger one additional automatic restart during installation. That is expected behavior, not an error.

Step 3 — PowerShell Verification (Optional)

If you want to confirm the update applied correctly without navigating the UI, open PowerShell as Administrator and run:

Confirm-SecureBootUEFI

True means your device is using the updated Secure Boot. False means the update has not applied yet.

You can also check the registry key directly:

reg query HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot /v UEFICA2023Status

The value should read updated. If it does not, the certificates have not been applied.

Step 4 — Force the Update Manually

If your device is eligible but the automatic update has not landed yet, Microsoft has published a workaround that forces it. Open Command Prompt as Administrator and run:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x40 /f

Then rerun Windows Update and restart.

Step 5 — Install a BIOS or Firmware Update

Some devices need a firmware update from their manufacturer before the certificate migration can complete. This is more common on machines built before 2024.

Check your manufacturer's support portal directly:

  • ASUS — asus.com/support/faq/1055903
  • Dell — dell.com/support
  • HP — support.hp.com
  • Lenovo — support.lenovo.com

Look for a BIOS or UEFI firmware update released in 2025 or 2026. Download it, install it, and then return to Step 2 to run Windows Update again.

If Event Viewer shows Event ID 1795 in the System log under Windows Logs, that means Windows tried to hand off the certificates to firmware and failed. That is a firmware update issue, not a Windows issue. The manufacturer's portal is the fix.
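As an added example (not from the article and not a Microsoft-published script), the checks from Steps 1 through 5 folded into one elevated PowerShell script: Confirm-SecureBootUEFI reports only whether Secure Boot is enabled, so the 2023 CA presence is taken from the UEFICA2023Status registry value (path as the article gives it) and, as ground truth, from the firmware db variable read with Get-SecureBootUEFI. The CA subject names matched against db and the Event ID 1795 filter are assumptions based on the article's text.

```powershell
# Added example: consolidated Secure Boot 2023 CA status check. Run elevated.
#Requires -RunAsAdministrator

function Get-SecureBoot2023Status {
    $result = [ordered]@{}

    # 1. Is Secure Boot enforced at all? Confirm-SecureBootUEFI throws on legacy/CSM boot.
    try { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $result.SecureBootEnabled = $false }

    # 2. Servicing state written by Windows (registry path as given in the article).
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $result.UEFICA2023Status = (Get-ItemProperty -Path $svc -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status
    $result.AvailableUpdates = (Get-ItemProperty -Path $svc -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates

    # 3. Ground truth: is the 2023 CA actually in the firmware's signature database (db)?
    #    db is a packed EFI_SIGNATURE_LIST; the CA subject name is plain ASCII inside the
    #    DER certificate, so a string match is a reliable presence check.
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $result.DbHasWindowsUefiCa2023   = $db -match 'Windows UEFI CA 2023'     # Windows boot manager chain
    $result.DbHasMicrosoftUefiCa2023 = $db -match 'Microsoft UEFI CA 2023'   # third-party / Linux shim chain (assumed name)

    # 4. Did a firmware hand-off fail? Event ID 1795 in the System log (Step 5 of the article).
    $fail = Get-WinEvent -FilterHashtable @{LogName = 'System'; Id = 1795} -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.FirmwareHandoffFailed = [bool]$fail
    if ($fail) { $result.LastFailure = $fail.TimeCreated }

    [pscustomobject]$result
}

$s = Get-SecureBoot2023Status
$s | Format-List

# Map the findings onto the same three states the Windows Security badge uses.
switch ($true) {
    (-not $s.SecureBootEnabled)  { 'RED: Secure Boot is not enabled; certificate status is moot until it is.'; break }
    ($s.FirmwareHandoffFailed)   { 'RED: Event 1795 logged; install the OEM BIOS/UEFI update, then rerun Windows Update.'; break }
    ($s.DbHasWindowsUefiCa2023)  { 'GREEN: Windows UEFI CA 2023 is present in db.'; break }
    default                      { 'YELLOW: 2023 CA not yet in db; run Windows Update (or the AvailableUpdates workaround).' }
}
```

A GREEN result from the db check is stronger than the registry value alone, because it reads what the firmware actually trusts rather than what Windows recorded about the servicing attempt.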

If You Run Linux or Dual-Boot

Linux uses Secure Boot through a shim layer that relies on the Microsoft UEFI CA certificate to validate it. When the 2011 certificates expire, Linux shims compiled against them will stop being trusted.

Run a firmware update through your manufacturer or through the Linux Vendor Firmware Service first:

sudo fwupdmgr refresh
sudo fwupdmgr update

Then make sure your distribution is on a supported release that has been recompiled with the 2023 Microsoft keys. For Red Hat, that is RHEL 9.7 or newer.

If you are on an older distribution and cannot update, this is the time to do it. June is close.

What About Windows 10?

If you are still on Windows 10 and not enrolled in Extended Security Updates, the certificate update is not coming. You need to either upgrade to Windows 11, enroll in ESU if your organization qualifies, or accept that the device will not receive boot-level security updates going forward.

Microsoft ended mainstream Windows 10 support in October 2025. The Secure Boot deadline is one more reason the clock on those installs is running out.

Summary

Microsoft Secure Boot certificates issued in 2011 begin expiring in late June 2026. This is the first time Windows has done a large-scale Secure Boot certificate update. Most Windows 11 users receive the 2023 certificates automatically through Windows Update.

Devices that miss the update will continue to boot normally but will stop receiving boot-level security updates, revocation lists, and mitigations for new bootkit vulnerabilities like BlackLotus.

To check your status: open Windows Security, go to Device security, and check the Secure Boot badge. Green means done. Yellow means run Windows Update. Red means action is required.

For devices that need a manual push: run the registry command above and then run Windows Update. For devices that need a firmware update first: check your manufacturer's support portal for a 2025–2026 BIOS or UEFI update.

Windows 10 users without ESU will not receive the update automatically. Linux and dual-boot users need to update firmware and ensure their distro ships a shim compiled with the 2023 Microsoft keys.

The deadline is late June. The check takes less than two minutes.

Stay secure!