On June 27, 2026 — just three months away — cryptographic certificates embedded in hundreds of millions of Windows PCs will start to expire. These are not obscure system files you can safely ignore. They are the backbone of Windows Secure Boot, the security layer that verifies your PC has not been tampered with before the operating system even loads.

The Windows Secure Boot certificate expiry 2026 will not immediately stop your PC from booting. But it will leave your machine unable to receive critical boot-level security updates — making it vulnerable to some of the most dangerous malware in existence, including the BlackLotus UEFI bootkit that can disable Windows Defender before your OS starts.
In this guide, you will learn exactly which certificates are affected, whether your PC is at risk, and the precise steps to check your current status and install the replacement certificates — in many cases in under five minutes.
What Is Expiring and Why It Matters
Microsoft issued three core Secure Boot certificates in 2011, when UEFI Secure Boot became the standard for Windows PCs. After 15 years, all three are reaching their cryptographic expiry dates in quick succession:
| Certificate | Expiry Date |
|---|---|
| Microsoft Corporation KEK CA 2011 | June 2026 |
| Microsoft Corporation UEFI CA 2011 | June 2026 |
| Microsoft Windows Production PCA 2011 | October 2026 |
Secure Boot uses these certificates to verify that every piece of software running before Windows loads — bootloaders, firmware drivers — comes from a trusted source. When a certificate expires, the PC can no longer use it to validate new security updates for that critical startup process.
Microsoft officially describes the post-expiry state as a “degraded security state.” Your machine will continue to operate normally, but it will be frozen at whatever boot-level security it had at the moment of expiry. Future security patches for the startup process will simply stop applying — meaning every new firmware vulnerability discovered after June 2026 will go unpatched on affected systems.
Boot-level attacks are among the hardest to detect and remove. Standard antivirus tools cannot see malware that loads before the operating system. Infection can persist even after a full Windows reinstall if the firmware itself is compromised.
Which Windows PCs Are Most at Risk?

Not every user faces the same level of exposure. The impact depends on your hardware age, operating system version, and whether your PC manufacturer still provides firmware updates. Most PCs manufactured since 2024 already ship with the updated Windows UEFI CA 2023 certificates and require no action at all.
These groups face the greatest risk:
- Windows 10 users: Microsoft ended Windows 10 support in October 2025. Without ongoing support, these devices receive no Windows updates — including the new Secure Boot certificates. This is the single highest-risk group.
- Owners of PCs older than five or six years: Manufacturers may have discontinued firmware updates for aging hardware, leaving no supported path to the 2023 certificates.
- Enterprise IT teams: Organizations managing large fleets of mixed-age hardware need a coordinated update plan before the June 2026 deadline.
- Virtual machine environments: VMs running on older hypervisors may also lose the ability to receive Secure Boot updates after the certificates expire.
The security stakes are concrete. Expired certificates open the door to the BlackLotus UEFI bootkit (CVE-2023-24932) — the first firmware-level malware confirmed to bypass Secure Boot on fully patched Windows 11 systems. Once active, BlackLotus can disable BitLocker, Hypervisor-Protected Code Integrity, and Windows Defender, all before your operating system starts. Standard antivirus software cannot detect it. The new 2023 certificates are specifically designed to close this attack vector.
How to Check and Update Your Secure Boot Certificates
Before taking any action, confirm whether your system already carries the updated 2023 certificates or is still relying on the expiring 2011 versions. Then follow the appropriate update path for your situation.
Step 1: Confirm Your Secure Boot Certificate Status
Use one of these three methods to check your current certificate status:
Via Registry Editor: Press Win + R, type regedit, and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot. Look for the UEFICA2023Status value. If it reads “updated,” your system is already protected. If it shows “not started,” you need to act before June 2026.
Via PowerShell: Open PowerShell as Administrator and run Confirm-SecureBootUEFI. A result of True confirms Secure Boot is active. A non-zero value in the AvailableUpdates registry key confirms your device is eligible for the certificate update.
Via Windows Security: Go to Start > Settings > Privacy & Security > Windows Security > Device Security. Confirm that Secure Boot is shown as On under “Device security.”
Step 2: Update Your PC Manufacturer’s Firmware First
Before installing new certificates, visit your PC manufacturer’s support site and install any available BIOS or UEFI firmware updates. Dell, HP, Lenovo, and ASUS have all released firmware updates to support the 2023 certificate transition. Applying OEM firmware before the certificate update is critical — skipping this step can cause compatibility issues or, in rare cases, boot failures.
Step 3: Install the New Certificates
For home users (recommended method): Go to Settings > Windows Update and install all available updates. Microsoft is rolling out the 2023 certificate activation through monthly cumulative updates for all supported devices. Enabling automatic updates is the simplest and safest path.
For advanced users — manual activation: Microsoft added the Windows UEFI CA 2023 certificates to all PCs with the Windows 11 February 2024 cumulative update but did not activate them automatically. If your device received any update after that point, the certificates are already present and waiting. Open PowerShell as Administrator and run these two commands in sequence:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
The 0x5944 bitmask triggers six security instructions that prepare your device. The scheduled task then activates them. Restart your PC afterward, then re-check UEFICA2023Status in the registry to confirm the update succeeded.
For Windows 10 users: You will not receive the new certificates through Windows Update after end-of-life. Upgrading to Windows 11 is the recommended path if your hardware is compatible. Full technical guidance, including IT administrator tools and managed deployment options, is available on the Microsoft Secure Boot Certificate Updates support page.
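As an added example (not code from the article or from Microsoft), the following read-only PowerShell script ties Step 1 and the post-activation re-check together: it reads the UEFICA2023Status and AvailableUpdates registry values described above, then parses the firmware's own db and KEK variables so you can see whether a 2023 CA is actually trusted and which 2011 certificates are about to expire. It assumes a UEFI-based Windows 11 machine and an elevated PowerShell session; the function names are hypothetical.

```powershell
# Added example (not from the article or Microsoft): read-only check of Secure Boot certificate
# status on a UEFI Windows 11 machine, run from an elevated PowerShell session.
# EFI_SIGNATURE_LIST layout (UEFI spec): GUID SignatureType, UINT32 SignatureListSize,
# UINT32 SignatureHeaderSize, UINT32 SignatureSize, header, then entries of
# GUID SignatureOwner + SignatureData. For X.509 lists, SignatureData is one DER certificate.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificates {
    # Walk the raw bytes of a Secure Boot variable and return every X.509 entry it holds.
    param([ValidateSet('db', 'KEK')][string]$Name = 'db')
    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset -lt $bytes.Length) {
        $sigType  = [guid][byte[]]$bytes[$offset..($offset + 15)]
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while ($pos -lt $end) {
            if ($sigType -eq $EfiCertX509Guid) {
                # Skip the 16-byte SignatureOwner GUID; the remainder is the DER certificate.
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{ Variable = $Name; Subject = $cert.Subject; NotAfter = $cert.NotAfter }
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

function Get-SecureBootUpdateStatus {
    # Combine the registry flags the article describes with what the firmware actually trusts.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $certs = @(Get-SecureBootCertificates -Name db) + @(Get-SecureBootCertificates -Name KEK)
    [pscustomobject]@{
        SecureBootEnabled = Confirm-SecureBootUEFI
        UEFICA2023Status  = $props.UEFICA2023Status    # 'updated' once the rollout has completed
        AvailableUpdates  = '0x{0:X}' -f ([int]$props.AvailableUpdates)
        Has2023CA         = [bool]($certs | Where-Object Subject -like '*UEFI CA 2023*')
        ExpiringBy2026    = @($certs | Where-Object NotAfter -lt (Get-Date '2027-01-01')).Subject
    }
}

Get-SecureBootUpdateStatus | Format-List
```

Run it once before Step 3 and again after the reboot: Has2023CA should flip to True and UEFICA2023Status should read “updated” if the activation succeeded.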
Common Questions: Windows Secure Boot Certificate Expiry 2026
Q: Will my PC stop booting when the Secure Boot certificates expire in June 2026?
A: No, your PC will not suddenly stop booting on June 27, 2026. However, it will enter what Microsoft calls a “degraded security state.” It will no longer receive future security updates for boot-level components, increasing vulnerability to firmware malware like BlackLotus, which operates before the OS loads and is invisible to antivirus software.
Q: How do I know if my PC already has the updated 2023 Secure Boot certificates?
A: Check the UEFICA2023Status registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot. If it reads “updated,” you are already protected. Most PCs manufactured after 2024 already ship with the 2023 certificates installed and require no further action.
Q: Does the Secure Boot certificate expiry affect Windows 10 users?
A: Yes, Windows 10 users are among the highest-risk group. Microsoft ended Windows 10 support in October 2025, meaning these devices no longer receive Windows updates — including the critical Secure Boot certificate replacements. Upgrading to Windows 11 is strongly recommended if your hardware supports it.
Q: What is the BlackLotus UEFI bootkit and how does it relate to this issue?
A: BlackLotus, tracked as CVE-2023-24932, is firmware-level malware discovered in 2023 and the first UEFI bootkit to bypass Secure Boot on fully updated Windows 11 systems. It can disable BitLocker, Windows Defender, and Hypervisor-Protected Code Integrity before the OS loads, making it undetectable by standard antivirus tools. The new 2023 Secure Boot certificates are specifically designed to block BlackLotus and similar threats.
Conclusion
The Windows Secure Boot certificate expiry in June 2026 is a real but manageable security deadline. Three key takeaways: your PC will not brick on June 27, but every day after without updated certificates increases your exposure to boot-level attacks that antivirus software cannot detect. Most Windows 11 users can resolve this in minutes through Windows Update or two PowerShell commands after a firmware update from their PC manufacturer. Windows 10 users and owners of older hardware face the highest risk and should act now — either by upgrading to Windows 11 or installing available firmware updates immediately.
Last Updated: April 13, 2026