You may not be aware of it, but there's an impending deadline for Windows Secure Boot: come June 2026, your Windows PCs could be affected. When enabled, Secure Boot verifies the system before Windows even boots, relying on cryptographic certificates, and it is those certificates that are set to expire later this year. Devices without updated certificates lose access to new Secure Boot protections and updates, but they continue booting Windows normally.

But fear not, as we're here to quickly walk you through what's going on (and why), as well as how to prepare your Windows PC for the upcoming switch.

What's Secure Boot anyway?

And why does any of this matter?

Those are two very good questions. If you've never had to reinstall Windows or so much as opened the UEFI firmware setup, there's a chance you didn't even know Secure Boot was running on your PC. Secure Boot is a protection built into modern UEFI firmware that runs before Windows even loads, verifying that critical boot components haven't been tampered with.

Cryptographic signatures are used to verify the essential boot files, and those signatures must chain to trusted certificates stored within the firmware. If they don't match for whatever reason, the firmware halts the boot process before Windows has had the chance to load a single file. These components are signed with Microsoft's private keys, and the corresponding certificates stored in firmware determine what is allowed to run.

Two key databases are used for this process. First, the Authorized Signatures database (DB) holds the certificates that define which bootloaders and drivers are trusted. Then the Key Exchange Key (KEK) database controls who is allowed to update the Secure Boot trust databases. Just like the SSL certificates that secure connections between websites and your browser, these certificates have expiration dates. That is by design, but it also means they need to be renewed ahead of time.

If the right certificates aren't in place, the system enters a reduced-protection state, with the potential for a boot failure down the line. You also likely won't receive future improvements to Secure Boot. So it could be a big deal.

Which certificates are being phased out?

A few Microsoft certificates are on their way out, with two closing up shop in June and a third in October. Don't worry, as Microsoft has some new certificates already available to replace these.

Expiration      Old certificate                           New certificate(s)
June 2026       Microsoft Corporation KEK CA 2011         Microsoft Corporation KEK CA 2023
June 2026       Microsoft UEFI CA 2011                    Microsoft UEFI CA 2023, Microsoft Option ROM UEFI CA 2023
October 2026    Microsoft Windows Production PCA 2011     Microsoft Corporation KEK CA 2023

You may have noticed that the Microsoft UEFI CA 2011 certificate has been split in two. This was done to improve security granularity and tighten trust controls. Windows won't outright refuse to boot the moment your PC's certificates expire, but your PC may end up losing access to future Secure Boot protections and updates.

How to check your certificates

It's easy to tell which certificate signed the Windows boot manager currently installed on disk by using PowerShell:

(Get-AuthenticodeSignature "C:\Windows\Boot\EFI\bootmgfw.efi").SignerCertificate |
    Format-List Subject,Issuer,NotAfter,Thumbprint

To check eligibility for Secure Boot updates:

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" |
    Format-List

If AvailableUpdates shows a value other than zero, your system is eligible to receive the updated certificates and you have nothing to worry about. If you see a zero, I recommend immediately checking for firmware and Windows updates.
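The two checks above only tell you what signed the boot manager on disk and whether Windows thinks it can service Secure Boot. The script below, an added example that is not from the original article, goes one step further and reads the firmware's own KEK and DB variables to report which of the 2011 and 2023 certificates from the table are actually trusted right now, then combines that with AvailableUpdates into a single verdict. It assumes an elevated PowerShell session on a UEFI system with Secure Boot enabled (Get-SecureBootUEFI needs both), and it identifies certificates by searching the raw variable bytes for the CA names, which is a deliberate shortcut rather than a full EFI_SIGNATURE_LIST parser.

```powershell
# Added example (not from the original article). Run as Administrator on a
# UEFI machine with Secure Boot enabled; Get-SecureBootUEFI fails otherwise.

# Certificate names taken from the expiry table above.
$oldCAs = @('Microsoft Corporation KEK CA 2011',
            'Microsoft UEFI CA 2011',
            'Microsoft Windows Production PCA 2011')
$newCAs = @('Microsoft Corporation KEK CA 2023',
            'Microsoft UEFI CA 2023',
            'Microsoft Option ROM UEFI CA 2023')

# 1. Which CA signed the boot manager currently installed on disk, and when does it expire?
$sig = Get-AuthenticodeSignature "$env:SystemRoot\Boot\EFI\bootmgfw.efi"
Write-Host "Boot manager signer : $($sig.SignerCertificate.Subject)"
Write-Host "Boot manager issuer : $($sig.SignerCertificate.Issuer)"
Write-Host "Signer expires      : $($sig.SignerCertificate.NotAfter)"

# 2. Which of the known CAs are present in the firmware's KEK and DB variables?
#    Each variable is an EFI_SIGNATURE_LIST of DER-encoded certificates; the CA
#    names inside the DER are ASCII, so a plain string search is enough here
#    (assumption: this is a heuristic, not a structural parse of the lists).
function Get-TrustedCANames([string]$VarName) {
    $bytes = (Get-SecureBootUEFI -Name $VarName).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    ($oldCAs + $newCAs) | Where-Object { $text -match [regex]::Escape($_) }
}
$kek = @(Get-TrustedCANames 'KEK')
$db  = @(Get-TrustedCANames 'db')
Write-Host "KEK contains : $($kek -join ', ')"
Write-Host "DB contains  : $($db  -join ', ')"

# 3. Does Windows report that Secure Boot certificate servicing is available?
$sb = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
Write-Host "AvailableUpdates : $($sb.AvailableUpdates)"

# 4. Verdict: the KEK CA 2023 must be in KEK and the UEFI CA 2023 in DB for the
#    firmware to accept and trust the new components.
$hasNewKek = $kek -contains 'Microsoft Corporation KEK CA 2023'
$hasNewDb  = $db  -contains 'Microsoft UEFI CA 2023'
if ($hasNewKek -and $hasNewDb) {
    Write-Host 'OK: the 2023 certificates are already in firmware.'
} elseif ($sb.AvailableUpdates -ne 0) {
    Write-Host 'Pending: eligible for servicing, but the 2023 certificates are not in firmware yet. Install pending Windows and firmware updates, then reboot and re-run.'
} else {
    Write-Host 'Action needed: no 2023 certificates in firmware and AvailableUpdates is 0. Check for firmware (UEFI) and Windows updates.'
}
```

A 'Pending' result with a long-idle PC is normal; the certificates are applied by Windows over several reboots rather than all at once.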


Your PC will become vulnerable

It's simply a matter of when

As mentioned, you won't immediately hit a brick wall when you boot up your PC in July and find that it refuses to load Windows 11. The issue is uncertainty: your PC could stop working at some point, we just don't know when. The problem arises when an update changes what the system is willing to trust. If Secure Boot blocks the startup process, you'll be left with whatever recovery options are available.

To its credit, Microsoft has good grounds for this change, as these older certificates have been in circulation since 2011, back when Windows 8 was around. We've seen some serious vulnerabilities since then, with one even forcing Redmond to make major changes to how it handles certificates and Secure Boot to prevent such vulnerabilities from being exploited again. The company has already rolled out updated certificates.

There's a good chance your PC already has the new certificates: they can be applied automatically through modern firmware if Secure Boot is already enabled and the PC has a solid history of Windows and firmware updates. Windows Update (KB5074109 and KB5073455) is the channel through which the new certificates arrive, but whether they are applied correctly depends on the system. Older firmware or an unusual configuration may require additional steps that not everyone undertakes.

It may be time to give Linux a try

Windows isn't without its faults, and this is yet another nail in the coffin for Windows 11, so if you're sick and tired of Microsoft's OS, why not give Linux a try? The free and open-source OS is more accessible than ever, with some excellent distros available. If you were to try one today, I'd strongly recommend Ubuntu, Linux Mint, or Pop!_OS.