
Windows Secure Boot certificate expiring soon? Check your eligibility now

Summary

– Microsoft’s original Secure Boot certificates, implemented in 2011, are set to expire in June 2026, requiring a transition to new certificates.
– Most modern Windows 11 PCs will automatically receive updated Secure Boot certificates via Windows Update, but some older PCs may need a firmware update from the OEM.
– Unsupported Windows versions, including Windows 10 without Extended Security Updates (ESU), will not receive new Secure Boot certificates, leading to degraded security and potential driver/software failures.
– Windows 10 PCs enrolled in the ESU program are expected to receive updated certificates through Windows Update, and enrollment remains available until October 14, 2026.
– Users can check if their PC has the new Secure Boot certificates using a PowerShell command; if not, they should install pending updates or seek OEM firmware solutions.

When Microsoft introduced Secure Boot as a core security component for Windows PCs back in 2011, the eventual expiration of its underlying certificates felt like a distant concern. Fast forward 15 years, and that concern has arrived. In June 2026, a vast number of Secure Boot certificates are set to expire for the first time in the platform’s history.

This milestone has triggered a massive coordination effort between Microsoft and its OEM partners to ensure a seamless transition to new certificates. For the vast majority of users, the expiration will be a non-event, handled automatically in the background. However, a smaller group of PC owners will need to take some manual steps to maintain their system’s security integrity. Here is a breakdown of what is happening, why it matters, and how you can check your own PC.

Secure Boot is a fundamental security protocol that has been a pillar of Windows defense since 2011. Its primary role is to shield your PC from threats that target the boot process itself. While it is a mandatory requirement for installing Windows 11, your system won’t simply stop functioning if it is missing. The real risk is a significant drop in protection and potential conflicts with other security features, such as TPM 2.0.

Most computers sold in the last decade and a half, including those running Windows 10, already have Secure Boot and its associated certificates. Microsoft did release new UEFI CA 2023 certificates in 2023, meaning newer PCs are already equipped. The challenge lies with older hardware that still relies on the original certificates, which are now facing their June 2026 expiration.

Microsoft is well aware of the potential scale of this issue and is actively working to minimize disruption. The company states that the majority of modern Windows 11 systems will receive the new certificates automatically via a standard Windows Update. For a subset of older machines, however, a specific firmware update from the PC’s original manufacturer (OEM) will be required. These updates are typically found on the OEM’s support website. The critical question is how far back each brand will go with support. Most OEMs stop providing meaningful firmware updates for systems that are five to ten years old, meaning some very old PCs may be left without a path to the new certificates.

A clear line has been drawn for unsupported operating systems. Microsoft has confirmed that it will not distribute new Secure Boot certificates to versions of Windows that are no longer receiving updates. This includes Windows 10 systems not enrolled in the Extended Security Update (ESU) program. While these PCs will continue to boot, they will operate with reduced security. The official statement from Microsoft warns that devices on unsupported versions “do not receive Windows updates and will not receive the new certificates,” urging customers to always use a supported OS for the best protection. Beyond security, the certificate expiration could eventually cause failures in related drivers and software.

There is a crucial exception for Windows 10 users. If your PC is enrolled in the ESU program, it should receive the updated Secure Boot certificates through Windows Update. The good news is that you can still sign up for the ESU program right up until the day before the October 14, 2026 cutoff. If you have an eligible Windows 10 machine, enrolling now is strongly recommended to secure the certificate update.

You can easily check your PC’s status using a simple PowerShell command. First, open PowerShell as an Administrator. Then, copy and paste the following command and press Enter:

`([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')`

If the result is True, your system already has the new 2023 certificate and requires no action. If the result is False, your PC is still using the old certificate set to expire in June. For Windows 11 or Windows 10 (ESU) systems showing a False result, start by checking for pending Windows Updates. For older systems, begin searching the OEM’s website for a relevant firmware update.

If standard updates aren’t working, Microsoft has published a workaround that may allow you to install the new certificates without manually entering the BIOS. This procedure requires a version of Windows 11 that includes the Secure Boot changes, such as the July 2025 servicing update. To try this, open Command Prompt as an Administrator and run the following two commands:

`reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x40 /f`

`Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"`

After the scheduled task runs, you will need to restart your PC a couple of times. You can then verify the installation by running the PowerShell command again.
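
The certificate check and the state left by the workaround, combined into one read-only status report. This is an added example, not code from Microsoft or from the original article; the function name `Get-SecureBootCertStatus` and its output field names are made up for illustration. It is written for an elevated PowerShell session, since `Get-SecureBootUEFI` and `Start-ScheduledTask` are PowerShell cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only report, it changes nothing on the machine.
function Get-SecureBootCertStatus {
    param(
        # Certificate name to search for; the default is the string from the article.
        [string]$CertName = 'Windows UEFI CA 2023'
    )
    $status = [ordered]@{
        SecureBootOn     = $null   # $true / $false, or $null if it could not be read
        HasCert          = $null   # is $CertName present in the db variable?
        ReadError        = $null   # why the UEFI variables could not be read
        AvailableUpdates = $null   # registry value set by the workaround
        UpdateTaskState  = $null   # state of the Secure-Boot-Update task
    }
    try {
        # Both cmdlets fail on legacy BIOS/CSM boots and in non-elevated sessions.
        $status.SecureBootOn = Confirm-SecureBootUEFI -ErrorAction Stop
        # db is the allowed-signature database. Certificate subject names sit
        # as readable text inside the DER-encoded bytes, so an ASCII decode
        # plus a literal substring search is enough to spot the certificate.
        $db   = (Get-SecureBootUEFI -Name db -ErrorAction Stop).Bytes
        $text = [System.Text.Encoding]::ASCII.GetString($db)
        $status.HasCert = $text.Contains($CertName)
    }
    catch {
        $status.ReadError = $_.Exception.Message
    }
    # Registry value written by the workaround; absent on untouched systems.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $reg = Get-ItemProperty -Path $key -Name AvailableUpdates -ErrorAction SilentlyContinue
    if ($reg) { $status.AvailableUpdates = '0x{0:X}' -f $reg.AvailableUpdates }
    # Scheduled task named in the workaround. The article notes the workaround
    # needs a Windows build that includes the Secure Boot changes, so a missing
    # task is reported as $null rather than treated as an error.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' `
                              -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
    if ($task) { $status.UpdateTaskState = [string]$task.State }
    [pscustomobject]$status
}

Get-SecureBootCertStatus | Format-List
```

Run it before the workaround and again after the restarts: `HasCert` changing from False to True is the same result the one-line check reports.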

This situation adds another layer to the ongoing fallout from Windows 10’s end-of-life. Millions of functional PCs that could not upgrade to Windows 11 were rendered obsolete, with only a temporary ESU lifeline for some. Now, the Secure Boot certificate expiration presents another challenge for users who have kept their older systems running.

(Source: Windows Central)
