Lead
Microsoft warns that the root Secure Boot certificates used since 2011 will expire in June 2026 (with a related set expiring in October 2026), potentially limiting future boot-level fixes and blocking installs that rely on the newer 2023 certificates. For most up-to-date Windows 11 and patched Windows 10 systems, Windows Update or vendor firmware updates will install replacements automatically. Machines that do not receive the new certificates before the deadlines will continue to run but will enter a degraded security state and may face compatibility problems later. This advisory explains how to check your PC, common failure modes, and practical remediation steps.
Key Takeaways
- The original UEFI Secure Boot certificates issued around 2011 will expire in June 2026 and another related expiration occurs in October 2026.
- Microsoft and major OEMs have pushed replacement certificates issued in 2023; many PCs built since 2024 and most devices shipped in 2025 already include them.
- Systems that receive the new certs via Windows Update or firmware will see a largely seamless transition; failure modes include full/fragmented NVRAM or buggy firmware.
- If a device misses the update, it will keep operating but lose the ability to receive new boot-level mitigations and may not boot future OS images that depend on 2023-era certificates.
- Admins and users can check certificate status with administrative PowerShell commands and verify Secure Boot state in msinfo32; specific remediation steps include firmware updates and Secure Boot key resets.
- Windows 11 systems should be on 24H2 or 25H2 to ensure support; Windows 10 may need Extended Security Updates enrollment for certificate delivery.
- Manufacturers including Dell, HP, Lenovo and Asus have published guidance and system lists; OEM firmware updates are the permanent fix for older hardware.
Background
UEFI Secure Boot was introduced during the Windows 8 development cycle around 2011 as a mechanism to verify bootloaders and prevent unsigned or tampered software from running at startup. It gradually became more than an option: Secure Boot was formally required for installing Windows 11 beginning in 2021. The mechanism works through a small chain of trust anchored in certificates stored in platform firmware and NVRAM variables.
Certificates, like other cryptographic credentials, have finite lifetimes and must be renewed periodically. Microsoft and OEMs have been preparing for this transition for months or years; a replacement certificate set was issued in 2023 and distribution has been underway through Windows Update, firmware updates and vendor tools. The purpose is both operational—ensuring future boot-level patches can be applied—and strategic, so newer hardware and OS features can rely on an updated trust root.
Main Event
Microsoft alerted customers that the 2011-era Secure Boot certificates will expire in mid-2026 and that systems not updated beforehand will enter a degraded state. According to Microsoft’s Windows Servicing team, affected devices will keep running existing software but will be unable to receive future boot-level mitigations tied to certificate trust. Over time, this increases exposure to newly discovered vulnerabilities at the firmware/boot level.
For most supported, patched systems, Windows Update is the primary delivery channel for the new certificates. On UEFI platforms the certificates live in two stores: the firmware-supplied default signature database (dbDefault), which the OEM bakes into the BIOS/UEFI image, and the active signature database (db) held in platform NVRAM, which is the store the firmware actually enforces at boot. Windows, or LVFS-enabled Linux firmware update paths, can write new certificate data into the active db. OEM firmware images released since 2024 often include the 2023 certificates in their defaults.
Administrators and home users can check status from an elevated (administrative) PowerShell session. To test the active db, run: `([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')`. To test the firmware default db, run: `([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')`. A returned `True` indicates the new 2023 certificate is present in that store; `False` means that store still lacks it.
How to Prepare and Fix
Step one is inventory: confirm your OS version and Secure Boot state. On Windows, press Windows+R, run msinfo32 and verify Secure Boot State shows “On.” Windows 11 devices should be running 24H2 or 25H2 to ensure compatibility with Microsoft’s servicing plan; Windows 10 machines may require enrollment in the Extended Security Updates (ESU) program to receive the certificate update.
If a system reports the new certs are missing, check for OEM firmware updates—many vendors have released BIOS/UEFI updates that include the 2023 trust anchors. If firmware updates aren’t available, freeing and defragmenting NVRAM by resetting Secure Boot keys to factory defaults in the BIOS can create space for the new certificates. Note: reset procedures can trigger BitLocker recovery prompts; keep your recovery key handy.
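The checks from the previous sections combined into one script, as an added example that is not part of the article or of Microsoft's guidance: it reads Secure Boot state, tests both signature databases for the 2023 CA string the article uses, reads the Windows version from the registry, and maps the result onto the remediation the article recommends. It assumes an elevated PowerShell on a UEFI system where the built-in `SecureBoot` module (`Confirm-SecureBootUEFI`, `Get-SecureBootUEFI`) is available; the function names are this example's own.

```powershell
# Added example: summarise Secure Boot certificate readiness on the local PC.
# Requires an elevated PowerShell session on a UEFI machine.
function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param(
        # Subject string the article's check looks for in the raw db bytes.
        [string]$Marker = 'Windows UEFI CA 2023'
    )

    # Confirm-SecureBootUEFI throws on legacy BIOS or without elevation;
    # report that as $null ("unknown") rather than failing the whole check.
    $sbState = $null
    try { $sbState = Confirm-SecureBootUEFI } catch { }

    # Read one UEFI signature database and test for the marker. The DER-encoded
    # certificate subject is ASCII-readable inside the variable's bytes, which
    # is why the simple string match from the article works.
    function Test-Store([string]$Name) {
        try {
            $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
            return [bool]([System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Marker))
        } catch {
            return $null   # variable absent or unreadable
        }
    }

    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    [pscustomobject]@{
        SecureBootEnabled = $sbState
        ActiveDbHas2023   = Test-Store 'db'          # NVRAM store enforced at boot
        DefaultDbHas2023  = Test-Store 'dbDefault'   # OEM firmware defaults
        WindowsVersion    = $ver.DisplayVersion      # e.g. 24H2 / 25H2
        WindowsBuild      = $ver.CurrentBuild
    }
}

# Map the status onto the article's remediation ladder.
function Get-SecureBootNextStep {
    param([Parameter(Mandatory)] $Status)
    if ($Status.SecureBootEnabled -ne $true) { return 'Secure Boot is off or unknown: enable it in firmware setup (msinfo32 should show On) and re-run.' }
    if ($Status.ActiveDbHas2023 -eq $true)   { return 'Active db already trusts Windows UEFI CA 2023: no action needed.' }
    if ($Status.DefaultDbHas2023 -eq $true)  { return 'Firmware defaults carry the 2023 CA but the active db does not: resetting Secure Boot keys to factory defaults reloads them (back up the BitLocker recovery key first).' }
    return 'Neither store has the 2023 CA: apply the Windows Update payload or an OEM firmware update, then re-run.'
}

$status = Get-SecureBootCertStatus
$status | Format-List
Get-SecureBootNextStep $status
```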
Analysis & Implications
At a technical level, an expired boot certificate does not instantaneously brick a PC; existing code signed under the old chain will continue to run until OS installers, firmware, or new boot protections require the refreshed trust anchors. The primary risk is forward-looking: inability to receive boot-level mitigations leaves systems exposed to newly discovered vulnerabilities that can be fixed only by updating or adding trust material.
Operationally, organizations that manage fleets face a triage problem: apply firmware updates where available, ensure Windows Update policies allow the certificate payload, and prepare for manual interventions on legacy hardware. IT shops that use image management, SCCM, or other update pipelines should treat this as a security-staged change window rather than a one-off patch.
For consumers, the outcome will depend on OEM support. Newer systems are mostly covered; older devices that have reached end-of-support or carry buggy firmware may require vendor assistance, a BIOS flash, or in the worst case, hardware replacement if firmware vendors do not provide updates. The vendor lists published so far start with models from roughly 2019–2021 and newer.
Comparison & Data
| Year / Item | Relevant Detail |
|---|---|
| 2011 | Original Secure Boot certificates introduced (Windows 8 era) |
| 2023 | Replacement Secure Boot certificate set issued |
| 2024–2025 | Most new OEM hardware includes 2023 certs in firmware |
| June 2026 | Expiration date for original 2011 certificate set (first deadline) |
| October 2026 | Related certificate expiration date (second deadline) |
The table above shows the renewal timeline and where most systems currently sit: devices built in 2024–2025 generally include the update at firmware level, while older systems depend on Windows Update writing certificates into NVRAM or on OEM firmware patches.
Reactions & Quotes
“If a device does not receive the new Secure Boot certificates before the 2011 certificates expire, the PC will continue to function normally, and existing software will keep running,”
Nuno Costa, Microsoft Windows Servicing and Delivery (program manager)
Microsoft emphasizes continuity of operation while warning of increased exposure to future boot-level vulnerabilities if certificates are not updated. OEMs have issued guidance and support articles for models that require manual firmware updates or special steps.
“Many newer PCs built since 2024, and almost all the devices shipped in 2025, already include the certificates,”
Microsoft advisory summarized by OEM guidance
Vendors such as Dell, HP, Lenovo and Asus have published lists and update procedures; users should consult OEM pages for model-specific instructions.
Unconfirmed
- No public, vendor-verified list guarantees every model eligible for Windows 11 upgrade will receive a firmware update with the new certificates—some individual models remain uncertain.
- Reports that a minority of systems will immediately refuse to boot after June 2026 are unverified; Microsoft states existing software will continue to run until OS/firmware components demand the new certs.
Bottom Line
The certificate refresh is a scheduled, industry-wide maintenance event rather than an emergency. Most modern, supported Windows 11 machines and many updated Windows 10 systems will transition automatically via firmware updates or Windows Update. Users should still check status because systems with full/fragmented NVRAM or old firmware could miss the update and thereby lose future boot-level mitigations.
Action items: verify Secure Boot is enabled in msinfo32, run the PowerShell checks for the active and default db if you are comfortable with administrative commands, ensure your device is on a supported Windows build (Windows 11 24H2/25H2 or ESU-enrolled Windows 10 where required), and apply any OEM firmware updates. If in doubt, contact vendor support before the June 2026 deadline to avoid stepped-up risk or later compatibility problems.
Sources
- Ars Technica — news report summarizing Microsoft and OEM guidance (media)
- Microsoft: Secure Boot documentation — official Microsoft technical guidance (official)
- Dell Support — OEM firmware and model-specific guidance (vendor)