- Windows 11 (and 10) Secure Boot certificates from 2011 expire in June 2026.
- PCs manufactured in 2024 and later typically include the 2023 certificates. Older systems may need manual updates.
- These instructions help you to check certificate details and manually install 2023 certificates.
On Windows 11 and Windows 10, Microsoft is gradually validating and updating Secure Boot certificates through standard system updates. In most cases, you only need to keep up with the monthly security updates to ensure your device is ready before the June 2026 deadline.
However, if you want to verify or apply the newer 2023 Secure Boot certificates yourself, you can complete the process manually. This guide walks you through the steps.
Secure Boot is a firmware-level security feature built into the Unified Extensible Firmware Interface (UEFI). It ensures that a device starts only with software digitally signed and trusted by approved certificate authorities. By validating bootloaders and firmware components before the operating system loads, Secure Boot helps prevent rootkits and other low-level malware from compromising the startup process.
To enforce this protection, Secure Boot relies on cryptographic keys known as certificate authorities (CAs). These keys establish a chain of trust between the firmware and the operating system, blocking unsigned or tampered code during early boot.
Similar to all digital certificates, Secure Boot certificate authorities have expiration dates. The original 2011 certificates expire in June 2026. Systems must have the updated 2023 certificates installed before that date to avoid trust validation errors, boot issues, or potential interruptions in receiving future updates.
Computers manufactured in 2024 or later typically ship with the 2023 certificates already in place. For older hardware, Microsoft is delivering the updated certificates through Windows Update as part of ongoing security maintenance, but you can also install and replace the new certificates manually.
In this guide, I’ll outline the easy steps to check and manually update the Secure Boot certificates on your Windows 11 device.
Install the 2023 Secure Boot certificates on Windows 11
If BitLocker is active, you must suspend its protection temporarily in PowerShell (Suspend-BitLocker -MountPoint "C:" -RebootCount 2) before the firmware can successfully write the new keys to the device. Also, before proceeding, make sure your computer is fully updated to the February 2026 Security Update (KB5077181) or later.
To update the Secure Boot certificates before they expire in 2026, follow these steps:
- Open Start.
- Search for PowerShell (or Terminal), right-click the top result, and choose the Run as administrator option.
- Type this command to confirm the device is using UEFI with Secure Boot enabled and press Enter:
  Confirm-SecureBootUEFI
  Quick note: If the output is “True,” you can proceed with the steps below. Otherwise, you’ll have to enable Secure Boot. If you’re on Windows 10, you may even have to switch from the legacy BIOS to UEFI.
- Type this command to check the Secure Boot certificates’ expiration date and press Enter:
  [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
  - (Output 1) If the output is “True,” you have the new certificate (valid until 2053). Stop and don’t continue.
  - (Output 2) If the output is “False,” you are likely still on the 2011 certificate (expiring in 2026). Continue with the steps below.
- Type this command to set the Registry key to deploy all required certificates and press Enter:
  reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
- Type this command to trigger the certificate changes manually and press Enter:
  Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
- Restart the computer one time.
- Reboot the device a second time, and continue with the process to check the certificates.
  Quick note: The update typically requires two reboots to fully apply. After the first reboot, the system updates the boot manager. After the second, it finalizes the certificate enrollment in the UEFI database.
- Open Start.
- Search for PowerShell (or Terminal), right-click the top result, and choose the Run as administrator option.
- Type this command to check if the update completed successfully and press Enter:
  [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
Once you complete the steps, if the output is “True,” you have the new certificates (valid until 2053) installed successfully on your computer. If the output is “False,” the certificates didn’t install correctly.
It’s important to note that “True” confirms enrollment of the 2023 certificate authority, but it does not remove the 2011 certificate immediately in all scenarios. Some systems may temporarily show both.
If the output remains “False” after the process, check Event Viewer > Applications and Services Logs > Microsoft > Windows > SecureBoot-Update for errors. Also, confirm the scheduled task exists by running the Get-ScheduledTask -TaskName "Secure-Boot-Update" command.
After the update, if you had to suspend BitLocker, you can resume protection by running the Resume-BitLocker -MountPoint "C:" command, even though -RebootCount 2 automatically resumes after two restarts.
One thing to note is that the 2023 Secure Boot certificates don’t come from thin air. Microsoft includes the new certificates in Windows servicing updates, usually as part of a cumulative update or security update for Windows 11 and supported Windows 10 devices.
Actually, the company has been including the new Secure Boot certificates since the release of the February 2026 Security Update (and higher releases).
These certificates, known as Windows UEFI CA 2023, are digitally signed by Microsoft and trusted by Secure Boot.
If the certificates are already on your computer, these instructions will help you apply them immediately without waiting for the system to process the update automatically.
