Windows' original Secure Boot certificates expire in June—here's what you need to do
Source: Ars Technica
Getting the Boot
PCs without the new certificates could eventually have trouble booting new OSes.

Why Secure Boot matters
Windows 8 is remembered most for its oddball touchscreen‑focused full‑screen Start menu, but it also introduced a number of under‑the‑hood enhancements to Windows. One of those was UEFI Secure Boot, a mechanism by which the firmware checks the digital signature of a bootloader against a set of trusted certificates before running it, so that unsigned or untrusted code can't be loaded at startup.
- Secure Boot was enabled by default on Windows 8- and Windows 10-certified PCs, but technically optional for running those versions.
- It became a formal system requirement for installing Windows starting with Windows 11 (2021).
Secure Boot has relied on the same security certificates to verify bootloaders since 2011, during the development cycle for Windows 8. Those original certificates are set to expire in June and October 2026, as Microsoft highlighted in a recent post.
The upcoming expiration
The expiration isn’t new news—Microsoft and most major PC makers have been discussing it for months or years, and behind‑the‑scenes work to ready the Windows ecosystem has been ongoing. Renewing security certificates is routine; most users only notice when something goes wrong.
Potential impact if the patches aren’t applied before June 2026
- PCs will continue to function, but expired certificates can:
  - Prevent Microsoft from patching newly discovered Secure Boot vulnerabilities.
  - Stop those PCs from booting or installing newer OS versions that use the new 2023‑era certificates.
“If a device does not receive the new Secure Boot certificates before the 2011 certificates expire, the PC will continue to function normally, and existing software will keep running,” writes Nuno Costa, program manager in Microsoft’s Windows Servicing and Delivery division.
“However, the device will enter a degraded security state that limits its ability to receive future boot‑level protections. As new boot‑level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations. Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware, or Secure Boot‑dependent software may fail to load.”
What you can do
- Ensure Windows Update is enabled and that your system receives the latest firmware and Secure Boot updates.
- Check your PC’s firmware version (often listed in the BIOS/UEFI screen) and compare it with the manufacturer’s latest release.
- Apply any pending BIOS/UEFI updates before the June 2026 deadline.
- Verify the new certificates are present in the firmware’s Secure Boot signature database (the UEFI db variable), not in the Windows certificate store: certutil and the Windows certificate stores do not show Secure Boot certificates. Use the PowerShell check described under “How to see if your PC has the new certificates” below.
Staying up‑to‑date now will keep your machine out of the “degraded security state” and ensure smooth upgrades to future Windows releases.
Making sure you’ve got the new certificates
For most systems—including older ones that aren’t being actively supported by their manufacturers—Microsoft relies on Windows Update to provide updated certificates. For fully patched, functioning PCs running supported versions of Windows with Secure Boot enabled, the transition should be seamless; you may already be using the new certificates without realizing it.
UEFI‑based systems have a small amount of NVRAM that stores variables between boots, including the Secure Boot key databases. Windows, and Linux distributions that use LVFS/fwupd for firmware updates, should be able to write the new certificates into those variables. These are authenticated writes: an update to the db must be signed by a key in the KEK, and an update to the KEK must be signed by the platform key (PK) the PC manufacturer controls, which is why the rollout depends on manufacturers as well as Microsoft. PCs will mainly have problems deploying the new certificates if NVRAM is full or fragmented, or if the PC manufacturer ships buggy firmware that doesn’t support this kind of update.
How to see if your PC has the new certificates
As detailed on a Dell support page, the easiest way is to run a PowerShell command that reads the active signature database (db), the variable the firmware consults when it verifies a bootloader, and searches it for the name of the new certificate.
- Right‑click PowerShell (or Terminal) and select Run as administrator.
- Paste the following command and press Enter:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
- If the command returns True, the new certificate is in your PC’s db, so the firmware will accept bootloaders signed with it – you’re good to go.
- If it returns False, follow the steps below to enable Windows Update to install the new certificates for you. (If the command errors out instead, the PC is either booted in legacy BIOS mode or the firmware does not expose the Secure Boot variables; check the Secure Boot state in msinfo32 first.)
Steps to enable the new certificates
- Supported Windows version
  - Windows 11: version 24H2 or 25H2.
  - Windows 10: you must enroll the PC in the Extended Security Updates (ESU) program (consumers can do this for free after a few hoops).
- Secure Boot enabled
  - Open Run (Win + R), type msinfo32, and press Enter.
  - In the System Information window, ensure Secure Boot State is On.
- Firmware update
  - Check the PC manufacturer’s website for a BIOS/UEFI update. Firmware updates often fix bugs that prevent the new certificates from being installed.
- Factory reset Secure Boot keys (optional, for older PCs)
  - For systems that originally shipped with Windows 8 or Windows 10, a factory reset of Secure Boot keys from the BIOS can free up NVRAM space. See the guidance on UEFI‑DB handling.
  - A reset reloads PK, KEK, db, and dbx from the defaults stored in the firmware, so it also discards any keys you enrolled in the db yourself and rolls the revocation list (dbx) back to whatever the firmware shipped with; Windows Update will need to re‑apply later dbx updates afterward.
  - If BitLocker is enabled, make sure you have your recovery key handy before resetting, because changing the Secure Boot configuration changes the TPM measurements BitLocker checks at boot: How to retrieve a BitLocker recovery key.
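The four checks above can be gathered in one pass. The following script is an added example, not from the article, Dell, or Microsoft; it reads the Windows build from the registry (the ProductName value still says "Windows 10" on Windows 11, so the build number is used instead), asks the firmware whether Secure Boot is on, reports the SMBIOS firmware version and date to compare with the manufacturer's latest release, and lists BitLocker‑protected volumes through the Win32_EncryptableVolume CIM class so it works even on editions without the BitLocker PowerShell module. The build‑number thresholds (22000 for Windows 11, 26100 for 24H2) are Microsoft's published values; the readiness wording is this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft): pre-flight check for the
# Secure Boot certificate update. Run from an elevated PowerShell or Terminal.

function Get-SecureBootReadiness {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber

    # Classify by build: 22000+ is Windows 11, 26100+ is 24H2 or later (25H2 is 26200).
    $osStatus = if ($build -ge 26100) {
        "Windows 11 $($cv.DisplayVersion): supported"
    } elseif ($build -ge 22000) {
        "Windows 11 $($cv.DisplayVersion): update to 24H2 or 25H2"
    } else {
        "Windows 10 $($cv.DisplayVersion): enroll in ESU to keep receiving the update"
    }

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; report that as "off".
    $secureBootOn = try { Confirm-SecureBootUEFI } catch { $false }

    # SMBIOS firmware identity, to compare against the vendor's download page.
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # BitLocker status via CIM: ProtectionStatus 1 = protected. Back up recovery keys
    # for these volumes before touching Secure Boot keys in the firmware.
    $vols = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftVolumeEncryption `
                -ClassName Win32_EncryptableVolume -ErrorAction SilentlyContinue
    $protected = @($vols | Where-Object ProtectionStatus -eq 1 | ForEach-Object DriveLetter)

    [pscustomobject]@{
        Build                = $build
        OsStatus             = $osStatus
        SecureBootOn         = $secureBootOn
        FirmwareVendor       = $bios.Manufacturer
        FirmwareVersion      = $bios.SMBIOSBIOSVersion
        FirmwareReleaseDate  = $bios.ReleaseDate
        BitLockerProtected   = $protected
        ReadyForCertUpdate   = ($build -ge 26100) -and $secureBootOn
    }
}

Get-SecureBootReadiness | Format-List
```

ReadyForCertUpdate only covers what the script can see; a Windows 10 PC enrolled in ESU is also eligible but the enrollment state is not readable here, and whether the firmware itself needs an update is answered by the vendor's page and the dbDefault check in the next section.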
Checking the “default db”
The default db shows whether the new Secure Boot certificates are baked into your PC’s firmware. Even if you reset Secure Boot settings to BIOS defaults, a built‑in certificate will still allow you to boot operating systems that use it.
- Open PowerShell/Terminal as Administrator again.
- Run:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')
- True → Your BIOS already contains the new certificates, so they survive a Secure Boot key reset.
- False → Your firmware does not yet include them; you’ll need a BIOS/UEFI update (or the steps above) to get them, and a key reset on this PC would drop back to the 2011 certificates.
Microsoft’s Costa says that “many newer PCs built since 2024, and almost all the devices shipped in 2025, already include the certificates” and won’t need any update. PCs several years older may obtain the certificates via a BIOS update.
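The Dell one‑liners above work by searching the raw variable bytes for an ASCII substring, which answers only whether one name is present. The following script is an added example, not from the article, Dell, or Microsoft: it walks the EFI_SIGNATURE_LIST structures that make up a Secure Boot variable (the layout and the two signature‑type GUIDs are from the UEFI specification), decodes each X.509 entry with .NET, and prints the subject and expiry date of every certificate in the KEK, the live db, and the firmware's dbDefault. That lets you see the 2011 certificates the article says are expiring (Microsoft Corporation KEK CA 2011, Microsoft Corporation UEFI CA 2011 and Microsoft Windows Production PCA 2011) next to the 2023 replacements, with their real NotAfter dates. Variables the firmware does not expose (dbDefault on some machines, everything on a legacy‑BIOS boot) are reported as a warning rather than an error.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article, Dell, or Microsoft): decode the certificates
# in a Secure Boot variable instead of substring-matching its bytes.

# Signature-type GUIDs defined by the UEFI specification.
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-SecureBootCertificate {
    param(
        # db = what the firmware trusts now; dbDefault = what a key reset falls back to.
        [Parameter(Mandatory)][string]$Variable
    )
    try { $bytes = [byte[]](Get-SecureBootUEFI -Name $Variable).Bytes }
    catch { Write-Warning "Cannot read $Variable : $_"; return }

    $pos = 0
    while ($pos + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID (16) | ListSize (4) | HeaderSize (4) | SignatureSize (4)
        $type     = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $pos + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $pos + 24)
        if ($listSize -lt 28 -or $sigSize -le 16 -or $pos + $listSize -gt $bytes.Length) {
            throw "Malformed signature list in $Variable at offset $pos"
        }
        $entry   = $pos + 28 + $hdrSize
        $listEnd = $pos + $listSize
        while ($entry + $sigSize -le $listEnd) {
            # EFI_SIGNATURE_DATA: owner GUID (16) followed by the signature payload.
            $owner = [guid]::new([byte[]]$bytes[$entry..($entry + 15)])
            $data  = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
            if ($type -eq $EFI_CERT_X509_GUID) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{
                    Variable = $Variable; Kind = 'X509'; Subject = $cert.Subject
                    NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint; Owner = $owner
                }
            } elseif ($type -eq $EFI_CERT_SHA256_GUID) {
                # dbx is mostly SHA-256 hashes of revoked binaries; surface them as hex.
                [pscustomobject]@{
                    Variable = $Variable; Kind = 'SHA256'
                    Subject  = ([BitConverter]::ToString($data) -replace '-', '')
                    NotAfter = $null; Thumbprint = $null; Owner = $owner
                }
            }
            $entry += $sigSize
        }
        $pos = $listEnd
    }
}

# $true only if the named variable carries the 2023 Windows signing CA.
function Test-NewSecureBootCA {
    param([string]$Variable = 'db')
    [bool](Get-SecureBootCertificate -Variable $Variable |
           Where-Object Subject -like '*Windows UEFI CA 2023*')
}

'KEK', 'db', 'dbDefault' | ForEach-Object { Get-SecureBootCertificate -Variable $_ } |
    Where-Object Kind -eq 'X509' |
    Sort-Object Variable, NotAfter |
    Format-Table Variable, Subject, NotAfter -AutoSize

"Live db trusts Windows UEFI CA 2023:     $(Test-NewSecureBootCA -Variable 'db')"
"Firmware default db includes it:        $(Test-NewSecureBootCA -Variable 'dbDefault')"
```

Reading the KEK as well matters because the new db entries are only half of the update: the KEK must also gain a 2023 entry before Microsoft can push further db and dbx changes after the 2011 KEK CA expires, and that step needs a signature from the manufacturer's platform key. Passing 'dbx' to Get-SecureBootCertificate lists the revocation hashes instead, which is useful for confirming that a key reset did not roll the revocation list back.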
Manufacturer resources
- Dell – Secure Boot certificate expiration info
- HP – Secure Boot update guidance
- Lenovo – Secure Boot certificate support
- Microsoft – Surface Secure Boot certificates
- Asus – How to get new certificates (via Windows Update, MyAsus app, or Asus website)
The oldest listed PCs generally date back to 2019‑2020. If your PC shipped with Windows 11 out of the box, a BIOS update with the new certificates should be available, though not every system meeting the Windows 11 requirements has one.
Getting help
- Home users who can’t install the new certificates should contact Microsoft Customer Support.
- IT professionals can consult the detailed documentation:
- General overview: (link omitted in source)
- Secure Boot playbook for enterprises: (link omitted in source)
“The Secure Boot certificate update marks a generational refresh of the trust foundation that modern PCs rely on at startup,” writes Costa. “By renewing these certificates, the Windows ecosystem is ensuring that future innovations in hardware, firmware, and operating systems can continue to build on a secure, industry‑aligned boot process.”
Andrew Cunningham – Senior Technology Reporter at Ars Technica
Focus: consumer tech, computer hardware, and in‑depth reviews of operating systems like Windows and macOS.
Location: Philadelphia.
Co‑host of the weekly book podcast Overdue.