How to check if your PC has the updated Secure Boot certificates on Windows 11, 10

Does your PC have the updated Secure Boot certificates? Here's how to check on Windows 11.

Secure Boot check certs / Image: Mauro Huculak
  • Microsoft’s 2011 Secure Boot certificates expire in June 2026.
  • The new Windows UEFI CA 2023 certificates extend protection through 2053.
  • Devices purchased in 2024 or later typically already include the updated certificates.
  • Older PCs receive the update gradually through Windows Update.
  • You can verify certificate status using a PowerShell command.

On some Windows 11 and Windows 10 devices, the Secure Boot certificates first issued in 2011 are scheduled to expire in June 2026. Although Microsoft is actively replacing them with 2023 certificates, you should verify that your system has already transitioned to the newer certificates to prevent startup or security disruptions.

Secure Boot is a firmware-based protection feature in the Unified Extensible Firmware Interface (UEFI) that ensures a device loads only software digitally signed and trusted by the manufacturer. It protects the startup process by preventing unauthorized changes to critical boot components before the operating system loads.

To accomplish this, Secure Boot uses cryptographic keys, known as certificate authorities (CAs), to validate firmware modules and bootloaders. These certificates create a chain of trust that blocks malicious code from running during early startup.

Like all digital certificates, Secure Boot CAs have defined expiration dates. Because the 2011 certificates reach the end of their validity in June 2026, systems must have the newer 2023 certificates installed before then to continue receiving updates and booting normally without trust validation failures.

Devices purchased in 2024 or later typically already include the new certificates. For older hardware, Microsoft is distributing them through Windows Update.

Microsoft already identifies and automatically updates Secure Boot certificates through regular system updates, so no manual action is required beyond keeping Windows Update enabled and installing monthly security updates ahead of the June 2026 deadline. However, it’s always a good idea to check and understand whether your device has the appropriate certificates.

In this guide, I’ll outline steps to check whether the 2023 Secure Boot certificates are already installed on your computer.

Check if your PC has the Secure Boot 2023 certificates (before June 2026)

To check if you have the “updated” 2023 Secure Boot certificates (which replace the ones expiring in 2026), use these steps:

  1. Open Start on Windows 11.

  2. Search for PowerShell (or Terminal), right-click the top result, and choose the Run as administrator option.

  3. Type this command to check whether the Secure Boot signature database (db) contains the Windows UEFI CA 2023 certificate and press Enter:

    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'


Once you complete the steps, if the output is “True,” you have the new certificate (valid until 2053). If the output is “False,” you are likely still on the 2011 certificate (expiring in 2026).


Secure Boot 2011 certificates expire in 2026 – what each certificate does

Almost all modern Secure Boot chains rely on Microsoft’s 2011 certificates, which have the following expiration dates:

  • Microsoft Corporation KEK CA 2011 (June 24, 2026). 
  • Microsoft Corporation UEFI CA 2011 (June 27, 2026).
  • Microsoft Option ROM UEFI CA 2011 (June 27, 2026).
  • Microsoft Windows Production PCA 2011 (October 19, 2026).

For reference, this is what each certificate does:

  • KEK certificate: Trust anchor that allows updating Secure Boot signature databases (DB/DBX).
  • UEFI CA certificates: Trust the signatures of bootloaders and firmware components (including third-party EFI applications).
  • Option ROM CA: Trusts firmware option ROM modules.
  • Microsoft Windows Production PCA 2011: Ensures that the Windows bootloader and related binaries are trusted by the firmware under Secure Boot.

If your certificates are nearing expiration, Microsoft and your computer manufacturer (OEM) will automatically push firmware updates or “DBX” updates through Windows Update or system updates to enroll the new 2023 CA certificates.

Why Event ID 1801 appears in Event Viewer (and why it’s not an error)

Finally, you’ll probably notice that Event ID 1801 appears for the source “TPM-WMI (Microsoft-Windows-TPM-WMI)” with the “BucketConfidenceLevel: Under Observation – More Data Needed” message.

Although it looks like an error, it is not a failure. This entry means the operating system has detected updated Secure Boot certificates but has not yet applied them to the firmware.

The device is in a staging and validation phase while Microsoft gradually rolls out the update. Because Secure Boot keys live in UEFI firmware and affect the boot chain, the transition is carefully coordinated to avoid boot issues.

In simple terms, Event ID 1801 is just a status check indicating that Windows is evaluating your device as part of the Secure Boot certificate rollout. The “Under Observation” message reflects that evaluation process. It does not indicate a TPM issue, Secure Boot corruption, or a BIOS failure. Despite being logged as an error, it is purely informational.

The Secure Boot certificate transition happens in two phases. First, Windows 11 (or 10) downloads and stages the new certificate inside the operating system. Later, after compatibility checks and validation, the certificate is written to the system firmware and activated.

Devices can remain between these two stages for a period of time, which is why TPM-WMI entries may continue to appear in Event Viewer even though nothing is wrong.
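To see how long a device has been reporting this status, the added example below (not from the original guide) pulls the Event ID 1801 entries and groups them by the BucketConfidenceLevel text in the message. It assumes the events are written to the System log and that the message contains a "BucketConfidenceLevel:" line as quoted above; the function name Get-SecureBootRolloutStatus is hypothetical.

```powershell
# Added example: summarize TPM-WMI Event ID 1801 entries by confidence level.
# Get-SecureBootRolloutStatus is a hypothetical helper name.
function Get-SecureBootRolloutStatus {
    # Assumption: the events are recorded in the System log.
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801 }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Verbose 'No Event ID 1801 entries found.'
        return
    }

    $events | ForEach-Object {
        # Pull the text after "BucketConfidenceLevel:" up to the end of that line.
        $level = if ($_.Message -match 'BucketConfidenceLevel:\s*([^\r\n]+)') {
            $Matches[1].Trim()
        } else {
            '(not present in message)'
        }
        [pscustomobject]@{ TimeCreated = $_.TimeCreated; Level = $level }
    } | Group-Object Level | ForEach-Object {
        $times = $_.Group.TimeCreated | Sort-Object
        [pscustomobject]@{
            BucketConfidenceLevel = $_.Name
            Count                 = $_.Count
            FirstSeen             = $times | Select-Object -First 1
            LastSeen              = $times | Select-Object -Last 1
        }
    }
}

Get-SecureBootRolloutStatus | Format-Table -AutoSize
```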

About the author

Mauro Huculak is a Windows How-To Expert and founder of Pureinfotech in 2010. With over 22 years as a technology writer and IT Specialist, Mauro specializes in Windows, software, and cross-platform systems such as Linux, Android, and macOS.
