- Microsoft is phasing out Secure Boot 2011 certificates across Windows 11 (and 10) devices in stages through 2026.
- OEMs like Dell, HP, ASUS, Lenovo, and others have published official guides for BIOS and firmware updates.
- The majority of supported devices have already received updates automatically through Windows Update.
- No action is required for most users unless firmware updates are pending from the PC manufacturer.
Computer manufacturers are now telling users exactly what to expect after Microsoft’s long-planned Secure Boot certificate expiration enters its first phase. Since the original 2011 security certificates are now expiring in stages, companies including HP, Dell, ASUS, Lenovo, Acer, MSI, Samsung, LG, and Microsoft have released specific guidance to help customers confirm their computers are protected.
For most people, the good news is that nothing dramatic happened when the deadline passed. If your computer is supported and you’ve kept Windows Update enabled, there’s a good chance the transition already happened in the background.
Why you’re seeing new Secure Boot guidance
The recent Secure Boot certificate expirations don’t mean Windows 11 will suddenly stop working. Instead, they mark the retirement of security certificates that have protected the device startup process since 2011.
Secure Boot is a security feature built into your PC’s UEFI firmware. Every time you turn on your computer, it checks that Windows and other boot files haven’t been changed by malware before the operating system starts. It does this by relying on trusted security certificates stored in the firmware.
Microsoft has been replacing the old 2011 certificates with new 2023 versions through Windows Update. However, the process also requires BIOS support from your computer manufacturer. That’s why companies like ASUS, Dell, HP, Lenovo, and others have published guides explaining which computers are supported, whether a BIOS update is required, and how to verify the new certificates are installed.
Although most supported devices have already received the update automatically, checking your Secure Boot state is still a good idea. Over the course of 2026, installing the new certificates ensures your computer can continue to receive future Secure Boot protections.
Secure Boot certificates expiring in 2026
Computers rely on Secure Boot certificates stored in firmware to verify the integrity of the boot process before the operating system loads. These 2011 certificates are now being replaced with newer 2023 versions through Windows Update and OEM BIOS updates.
- Microsoft Corporation KEK CA 2011: Expires June 24, 2026. Replaced by Microsoft Corporation KEK 2K CA 2023. Stored in KEK (Key Enrollment Key). Purpose: Authorizes updates to Secure Boot databases (DB and DBX).
- Microsoft Windows Production PCA 2011: Expires October 19, 2026. Replaced by Windows UEFI CA 2023. Stored in DB (Signature Database). Purpose: Signs the Windows boot loader.
- Microsoft UEFI CA 2011: Expires June 27, 2026. Replaced by Microsoft UEFI CA 2023. Stored in DB. Purpose: Signs third-party boot loaders and EFI applications.
- Microsoft UEFI CA 2011 (Option ROM signing): Expires June 27, 2026. Replaced by Microsoft Option ROM UEFI CA 2023. Stored in DB. Purpose: Signs third-party option ROM firmware.
Most PCs update automatically
The good news is that most people don’t have to do anything. If your computer is supported and you’ve been installing system updates, there’s a good chance the new Secure Boot certificates are already installed.
Unlike previous firmware updates that often required manually downloading and flashing a BIOS update, Microsoft designed this rollout to happen mostly through Windows Update. Some PCs still need a BIOS update from the manufacturer first, but the operating system handles the certificate installation automatically once the firmware is ready.
Now, don’t be surprised if your computer restarts more than once after installing recent updates. The certificate update is applied in stages, and multiple reboots are part of the process. You may also notice a new SecureBoot folder on the system drive. This is expected and isn’t a sign that something went wrong.
How to check your PC
Windows 11 now makes the process much easier than it used to be. Open Windows Security, select “Device Security,” and look for the Secure Boot section.
If you see a green check mark, the 2023 certificates are installed, and no further action is required.
A yellow warning usually means Windows is waiting for a compatible firmware update or hasn’t finished applying the certificates yet.
A red indicator points to a firmware issue that requires attention.
If the Secure Boot section doesn’t appear at all, Secure Boot may be disabled, or Windows may have been installed on unsupported hardware using installation bypasses.
Windows 10 users aren’t excluded from these improvements. Microsoft’s May 2026 update added the same Secure Boot status indicators to Windows Security, giving both Windows 10 and Windows 11 users a consistent way to verify their systems.
Official OEM Secure Boot guides
If your computer still shows a yellow or red warning in the Windows Security app, or you simply want to verify that your device has received the new 2023 Secure Boot certificates, check your manufacturer’s official support page (via Windows Latest).
The bigger picture
The Secure Boot certificate transition is also a reminder that the operating system’s security depends on more than just monthly updates. Some protections start before Windows even loads, which means Microsoft and hardware manufacturers must work together to keep those security features up to date.
Has your PC already updated Secure Boot certificates?
Voting closes: July 6, 2026 1:00 pm
The good news is that this rollout has been far less disruptive than many expected. Although the certificate expiration sounded alarming, most supported Windows 10 and Windows 11 devices have already received the new certificates through Windows Update or will receive them automatically once the required BIOS update is installed.
If your computer is still supported, simply keep Windows Update enabled, install any available firmware updates from your PC manufacturer, and check Windows Security to confirm everything is up to date. For most users, there is nothing else to do.
Mauro Huculak is a Windows How-To Expert and founder of Pureinfotech in 2010. With over 23 years as a technology writer and IT Specialist, Mauro specializes in Windows, software, and cross-platform systems such as Linux, Android, and macOS.
Certifications: Microsoft Certified Solutions Associate (MCSA), Cisco Certified Network Professional (CCNP), VMware Certified Professional (VCP), and CompTIA A+ and Network+.
Mauro is a recognized Microsoft MVP and has also been a long-time contributor to Windows Central.
You can follow him on YouTube, Threads, BlueSky, X (Twitter), LinkedIn and About.me. Email him at [email protected].
