Share via

Windows Secure Boot certificates expiring in 2026

Dietmar Schoder 0 Reputation points
2026-06-09T09:28:49.6566667+00:00

Windows Secure Boot certificates expiring in 2026

Windows for home | Windows 11 | Security and privacy
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. DaveM121 894.3K Reputation points Independent Advisor
    2026-06-09T10:01:38.1133333+00:00

    Microsoft only started releasing the new Secure Boot Certificate udpates in the May update, they indicate most of the certificates will be updated in the June update this month.

    1

    Open the Settings App.

    Go to Windows updates - Update History.

    Scroll down to the 'Other Updates' section.

    Do you see the 'Secure Boot Allowed Signature Database (DB)' update listed there?

    2

    Click your Start Button, then just type powershell, then right click PowerShell and select 'Run as Administrator'

    Paste this command into PowerShell and press Enter.

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).Bytes) -match 'Windows UEFI CA 2023')

    What is returned from that command, is it True or False?

    Was this answer helpful?

    0 comments

  2. AI answer

    2026-06-09T09:29:04.0066667+00:00

    Windows Secure Boot certificates that were originally issued in 2011 begin expiring starting in June 2026. To maintain full Secure Boot protection, Windows devices are being updated with a new set of 2023 Secure Boot certificates.

    For home Windows 11 devices, the key points are:

    1. What happens when the old certificates expire
    • Devices that do not get the newer 2023 certificates will still boot and run Windows normally.
    • Regular Windows updates will continue to install.
    • However, these devices will no longer be able to receive new security protections for the early boot process, such as:
      • Updates to Windows Boot Manager
      • Updates to Secure Boot databases and revocation lists
      • Mitigations for newly discovered boot-level vulnerabilities
    • Over time, this reduces protection against emerging threats that target the boot process and may affect scenarios that rely on Secure Boot trust (for example, some BitLocker hardening configurations or third‑party bootloaders).
    1. How devices will be updated
    • Most Windows devices, including Windows 11 home PCs, will receive the updated 2023 Secure Boot certificates automatically through Windows Update.
    • Some systems might also require firmware (UEFI/BIOS) updates from the device manufacturer (OEM). Many OEMs are providing such firmware updates where needed.
    1. What to do as a home user
    • Keep Windows Update turned on and install available updates so the new Secure Boot certificates can be applied.
    • Check for and install any firmware/UEFI updates offered by the PC or motherboard manufacturer, especially if they mention Secure Boot or security updates.
    • Keeping both Windows and firmware current helps ensure the device continues to receive the full set of Secure Boot protections after 2026.

    More detailed guidance and background are provided in the Secure Boot certificate expiration documentation.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.