windows 11 certificates

Question

I still use an i7-8750H based laptop mainly as it has UHD graphics. Windows has not griped about the machine even with fresh installs. The CPU has TPM2.0 and secure boot etc enabled as well as CPU features such as C-states and turbo boost. This way the machine is powerful and finely grained for best performance.

Recently some comments about Windows certificates expiring. AFAIK my machine's 1.27 version UEFI handles enrolment fine. WIndows has rebooted lots so AFAIK it has updated the appropriate UEFI tables. My UEFI was last updated circa 2022. AFAIK Windows 11 can update as needed as my UEFI was updated early after Windows 11 shipped.

Answer 1

The Secure Boot Keys will not expire until June 2026, Microsoft have indicated they will have all keys automatically updated before that happens.

They have announced a new update is being released slowly around the world at the moment named 'Secure Boot Allowed Key Exchange Key (KEK)' when you see that update in the Settings app, download and install it, there is nothing further you need to do.

Answer 2

For a Windows 11 home device like this laptop, Secure Boot certificate expiration in 2026 mainly affects future boot‑level security protections, not normal day‑to‑day use, and most systems will be updated automatically.

Key points for this scenario:

1. What is happening

• The Secure Boot certificates originally issued in 2011 start expiring in June 2026.
• If they are not updated, the device will still boot and run Windows 11 normally, and regular Windows Updates (apps, features, drivers) will continue to install.
• What is lost are new protections for the early boot process (Windows Boot Manager, Secure Boot databases and revocation lists, mitigations for new boot‑level vulnerabilities).

2. Impact if the certificates are not updated

• The device continues to start and operate normally.
• Standard Windows updates continue, except for boot‑related security components that require the new certificates.
• Over time, the device becomes less protected against new boot‑level threats; scenarios relying on Secure Boot trust (BitLocker hardening, boot‑level code integrity, some third‑party bootloaders/Option ROMs) may be affected.

3. How updates are delivered for a home Windows 11 device

• For Windows 10/11 Home, Pro, and Education devices that receive updates directly from Microsoft (typical home setup), the new 2023 Secure Boot certificates are delivered through regular Windows Update.
• For most users on supported Windows systems, no manual action is needed; the OS and, where required, OEM firmware updates handle the certificate rollout.

4. What to do on this laptop

• Keep Windows Update enabled and fully up to date. Microsoft is rolling out the new certificates gradually through June 2026, prioritizing Home and Pro systems.
• Do not disable Secure Boot to work around any certificate issues; that would reduce protection and is explicitly discouraged.
• If the OEM releases a newer UEFI/firmware update that mentions Secure Boot or certificate updates, applying it will help ensure the platform can fully use the new certificates.

5. If certificates were to expire without being updated

• The laptop would still boot and run Windows 11 and keep receiving most updates.
• It would simply stop receiving new Secure Boot / Boot Manager security changes and revocations, so boot‑chain protection would gradually lag behind current protections.

In short, for a properly functioning Windows 11 home laptop that is getting updates from Microsoft and has Secure Boot enabled, the practical step is to stay current with Windows Update (and OEM firmware if available); no extra manual certificate management is required in normal home use.

---

References:

• When Secure Boot certificates expire on Windows devices
• Windows Secure Boot certificate expiration and CA updates
• Windows devices for home users, businesses, and schools with Microsoft-managed updates