Microsoft replaces expiring Secure Boot certificates on Windows 11 – All details and how to update yours

Secure Boot certificates expire in June 2026, and here's how to check, update, and secure your computer to avoid boot or security issues.

Secure Boot cert expiration update / Image: Mauro Huculak
  • Secure Boot prevents low-level malware from compromising the Windows 11 startup process.
  • Microsoft’s original 2011 Secure Boot certificates expire in June 2026, and new 2023 certificates extend protection to 2053.
  • Devices purchased in 2024 and later likely already have the latest certificates. Others are receiving them gradually through Windows Update.
  • You can check your certificate status using PowerShell, and manually update certificates using Registry tweaks and scheduled tasks if updates haven’t arrived automatically.

The certificates that your PC's Secure Boot implementation trusts start expiring in June 2026. Beginning with the January 2026 Security Update, Microsoft has started a gradual rollout of replacement certificates so that your computer can keep receiving Secure Boot security updates (new boot managers and DBX revocations) after the original ones expire.

On Windows 11, Secure Boot is a security feature of the Unified Extensible Firmware Interface (UEFI) firmware that allows only signed, trusted code (boot loaders, UEFI drivers, and option ROMs) to run during startup. As a result, it ensures that a device boots using only software trusted by the manufacturer and by Microsoft.

In other words, Secure Boot helps protect your devices against low-level malware (such as bootkits and rootkits) that can infect the boot process and gain control of your computer before the operating system and your antivirus software even load.

Understand Secure Boot certificates

As part of the process, the feature uses X.509 certificates stored in UEFI variables (commonly referred to as certificate authorities, or CAs) to validate that boot loaders, drivers, and option ROMs were signed by a trusted source, helping prevent malware from running during the early stages of device startup.

Secure Boot certificates have always had expiration dates. Expiry by itself does not stop a device from booting, because firmware does not check certificate dates, but Microsoft can no longer sign new boot managers or DBX revocations with an expired CA, so devices that keep only the old certificates stop receiving Secure Boot security updates. That is why the 2023 certificates have to be installed before the 2011 CAs start expiring in June 2026.

If you have a device purchased in 2024 (or later), chances are that the latest certificates are already installed. However, for the rest of the computers, Microsoft is now in the process of rolling out the new Secure Boot certificates through Windows Update.

In the “2026-01 Security Update (KB5074109) (26200.7623)” released on January 13, 2026, Microsoft notes that the update includes a subset of high-confidence device-targeting data that identifies devices eligible to automatically receive the new Secure Boot certificates. Devices receive the new certificates only after showing enough successful update signals, which keeps the deployment safe and phased.

This means you don’t have to take any manual steps to update Secure Boot other than letting the system keep installing updates, at least until the June 2026 Security Update becomes available.

Check Secure Boot certificate expiration date

Since Windows doesn’t notify you when your computer receives the new certificate authorities, it’s worth checking whether your device still needs the update.

Windows 11 has no built-in command that prints the expiration dates of the certificates in the firmware in human-readable form. However, you can check whether the updated 2023 certificates (which replace the ones expiring in 2026) are present in the Secure Boot signature database (db) with these steps:

Open PowerShell (admin) and run:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
  • True: the db contains Windows UEFI CA 2023, so the new certificates are installed (valid until 2053).
  • False: you are likely still on the 2011 certificates only (expiring in 2026). Note that this one-liner checks the db only, not the KEK.
PowerShell check Secure Boot cert expiration / Image: Mauro Huculak

Almost all Secure Boot chains in the field rely on Microsoft’s 2011 certificates, which have the following expiration dates:

  • Microsoft Corporation KEK CA 2011 (June 24, 2026).
  • Microsoft Corporation UEFI CA 2011 (June 27, 2026). This single CA covers both third-party UEFI components and option ROMs; in the 2023 set it is replaced by two separate CAs, Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023.
  • Microsoft Windows Production PCA 2011 (October 19, 2026).

For reference, this is what each certificate does:

  • KEK certificate: Trust anchor for updating the Secure Boot signature databases (DB and DBX). Microsoft signs DB/DBX updates with it, while a replacement KEK must itself be signed by the OEM’s Platform Key (PK), which is why the KEK update depends on your manufacturer.
  • UEFI CA certificate: Trusts the signatures of third-party boot loaders and firmware components (for example, Linux shim and other EFI applications).
  • Option ROM CA (new in the 2023 set): Trusts third-party option ROMs, such as graphics and network card firmware, separated out from the general UEFI CA.
  • Microsoft Windows Production PCA 2011 (replaced by Windows UEFI CA 2023): Ensures that the Windows Boot Manager and related Microsoft-signed binaries are trusted by the firmware under Secure Boot.
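The one-liner above only tells you whether one name appears somewhere in the db. The following script is an added example (not code from the original article or from Microsoft) that parses the raw EFI_SIGNATURE_LIST structures returned by Get-SecureBootUEFI and prints the subject and expiration date of every X.509 certificate in the KEK and db variables, which is the human-readable view Windows has no built-in command for, and then checks each of the 2023 CA names listed above. It assumes an elevated prompt on a UEFI system; the structure layout and GUID come from the UEFI specification, and the certificate names from Microsoft’s documentation of the 2023 CAs.

```powershell
# Added example (not from the original article or from Microsoft): walk the
# EFI_SIGNATURE_LIST entries in the Secure Boot KEK and db variables and report
# every X.509 certificate with its expiration date, then check for the 2023 CAs.
# Assumptions: elevated PowerShell on a UEFI system with Secure Boot available;
# structure layout and GUID per the UEFI specification.
#Requires -RunAsAdministrator

$EFI_CERT_X509_GUID = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificate {
    [CmdletBinding()]
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)

    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset -lt $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16) + SignatureListSize (4)
        # + SignatureHeaderSize (4) + SignatureSize (4) = 28 bytes
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset in $Name"
        }

        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # Each EFI_SIGNATURE_DATA is a SignatureOwner GUID (16 bytes) followed by the
            # payload; for EFI_CERT_X509 lists the payload is one DER-encoded certificate.
            if ($type -eq $EFI_CERT_X509_GUID) {
                [byte[]]$der = $bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
                    Thumbprint = $cert.Thumbprint
                }
            }
            # Other list types (for example EFI_CERT_SHA256 hashes in dbx) are skipped here.
            $pos += $sigSize
        }
        $offset = $end
    }
}

# Everything the firmware trusts for signing variable updates (KEK) and binaries (db),
# soonest expiration first.
$certs = @('KEK', 'db') | ForEach-Object { Get-SecureBootCertificate -Name $_ }
$certs | Sort-Object NotAfter | Format-Table Variable, Subject, NotAfter, DaysLeft -AutoSize

# Warn about anything that expires within the next year.
$certs | Where-Object { $_.NotAfter -lt (Get-Date).AddYears(1) } |
    ForEach-Object { Write-Warning ('{0} expires on {1:yyyy-MM-dd}' -f $_.Subject, $_.NotAfter) }

# Presence check against Microsoft's 2023 CA names. Microsoft UEFI CA 2023 and the
# Option ROM CA only matter on devices that also trust the 2011 third-party UEFI CA.
$expected = @{
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
    db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
}
foreach ($variable in $expected.Keys) {
    foreach ($cn in $expected[$variable]) {
        $found = @($certs | Where-Object { $_.Variable -eq $variable -and $_.Subject -like "*CN=$cn*" }).Count -gt 0
        '{0,-4} {1,-40} {2}' -f $variable, $cn, $(if ($found) { 'present' } else { 'MISSING' })
    }
}
```

Run it once before the update and once after the reboots: the KEK row tells you whether your OEM’s signed KEK update has landed, which the db-only one-liner cannot show.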

Update Secure Boot certificates on Windows 11

If your certificates are nearing expiration, Microsoft and your computer manufacturer (OEM) push the new 2023 CA certificates into the firmware’s KEK and DB variables through Windows Update (or through OEM firmware updates). However, you can also trigger the Secure Boot update manually.

Warning: Before proceeding, make sure you have your BitLocker recovery key saved somewhere other than this computer and that your BIOS (UEFI) firmware is up to date. Some firmware has bugs handling Secure Boot variable updates, and a device whose firmware cannot accept the new certificates may fail to boot or drop into BitLocker recovery after the update. It’s also recommended to create a full backup of your computer before proceeding.

Open PowerShell (admin) and run:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f

This command sets the registry value that instructs Windows to deploy all of the required certificates (including the new boot manager signed by Windows UEFI CA 2023).

The value 0x5944 is a bitmask that enables all of the relevant certificate updates at once; Microsoft also documents the individual bits for applying them one step at a time.

Windows 11 has a built-in scheduled task that applies these changes on a 12-hour schedule, and you can trigger it manually with the following command instead of waiting:

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
PowerShell updates Secure Boot cert / Image: Mauro Huculak

The update typically requires at least two reboots to apply fully. The new certificates have to be written to the UEFI DB (and KEK) first, because a boot manager signed by Windows UEFI CA 2023 cannot be verified until that CA is trusted; the boot manager itself is then replaced on a later reboot.

After your reboots, you can verify whether “UEFI CA 2023” is now present in your database by running this PowerShell command (as admin):

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
  • True: Your system is now secured with the new certificates.
  • False: If it remains false after several reboots, the task may not have completed yet or the firmware may have rejected the variable update. Check the System event log for Secure Boot events from the TPM-WMI source, and check your manufacturer’s website for a firmware update that mentions Secure Boot or the 2023 certificates.

If BitLocker is active, suspend protection (not decrypt the drive) for the reboots, for example with Suspend-BitLocker -MountPoint "C:" -RebootCount 2, before starting the update. Writing new Secure Boot variables changes the TPM’s PCR 7 measurement, which BitLocker uses to seal its key, so without suspending you may be prompted for the recovery key at the next boot.
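The steps above as one script, added here as an example (not code from the original article or from Microsoft): it checks the preconditions first (Secure Boot on, a BitLocker recovery password present, protection suspended for two reboots), records the starting state, then sets the registry value and starts the servicing task. It assumes an elevated prompt, the registry path, 0x5944 bitmask and task name that Microsoft documents and that the article uses, and that the operating system volume is C:; adjust $OsVolume otherwise.

```powershell
# Added example (not from the original article or from Microsoft): the manual
# Secure Boot certificate update as one script with the safety checks done first.
# Assumptions: elevated PowerShell; OS volume is C:; registry value, bitmask and
# task name as documented by Microsoft (same as the reg add / Start-ScheduledTask
# commands above).
#Requires -RunAsAdministrator

$OsVolume   = 'C:'
$RegPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$TaskPath   = '\Microsoft\Windows\PI\'
$TaskName   = 'Secure-Boot-Update'
$FullUpdate = 0x5944   # same bitmask as the reg add command above

function Test-SecureBootCertPresent {
    param([ValidateSet('KEK', 'db')][string]$Variable, [string]$CommonName)
    # Same trick as the one-liner above: the CN is stored as ASCII inside the DER data.
    $text = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Variable).Bytes)
    return [bool]($text -match [regex]::Escape($CommonName))
}

function Get-SecureBootUpdateStatus {
    [pscustomobject]@{
        Kek2023           = Test-SecureBootCertPresent -Variable KEK -CommonName 'Microsoft Corporation KEK 2K CA 2023'
        WindowsUefiCa2023 = Test-SecureBootCertPresent -Variable db  -CommonName 'Windows UEFI CA 2023'
        AvailableUpdates  = (Get-ItemProperty -Path $RegPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    }
}

# 1. Secure Boot has to be on; otherwise the task has no variables to update.
if (-not (Confirm-SecureBootUEFI)) {
    throw 'Secure Boot is off. Enable it in the firmware setup before updating certificates.'
}

# 2. BitLocker: refuse to continue without a recovery password, then suspend protection
#    for two reboots. New KEK/db entries change PCR 7, which would otherwise send the
#    device into BitLocker recovery at the next boot.
$vol = Get-BitLockerVolume -MountPoint $OsVolume -ErrorAction SilentlyContinue
if ($vol -and $vol.ProtectionStatus -eq 'On') {
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        throw "No recovery password on $OsVolume. Add one and back it up first: manage-bde -protectors -add $OsVolume -RecoveryPassword"
    }
    Suspend-BitLocker -MountPoint $OsVolume -RebootCount 2 | Out-Null
}

# 3. Record the starting state so the post-reboot comparison is meaningful.
Write-Host 'Before:'
Get-SecureBootUpdateStatus | Format-List

# 4. Request the full update set and run the servicing task now instead of waiting
#    for its 12-hour schedule.
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
Set-ItemProperty -Path $RegPath -Name AvailableUpdates -Value $FullUpdate -Type DWord
Start-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName

Write-Host 'Task started. Reboot at least twice, then run Get-SecureBootUpdateStatus again:'
Write-Host 'both certificate checks should be True, and the task clears bits from AvailableUpdates as each step applies.'
```

If Kek2023 stays False while WindowsUefiCa2023 turns True, the db half worked but the OEM-signed KEK update has not arrived for your model yet; that part depends on your manufacturer and is the usual reason to look for a firmware update.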

About the author

Mauro Huculak is a Windows How-To Expert and founder of Pureinfotech in 2010. With over 22 years as a technology writer and IT Specialist, Mauro specializes in Windows, software, and cross-platform systems such as Linux, Android, and macOS.

Certifications: Microsoft Certified Solutions Associate (MCSA), Cisco Certified Network Professional (CCNP), VMware Certified Professional (VCP), and CompTIA A+ and Network+.

Mauro is a recognized Microsoft MVP and has also been a long-time contributor to Windows Central.

You can follow him on YouTube, Threads, BlueSky, X (Twitter), LinkedIn and About.me. Email him at [email protected].