Sunday

15 February 2026 Vol 19

Your Windows PC might stop booting in June 2026 — here’s why and how to fix it

A certain deadline related to the Windows Secure Boot feature is approaching in mid-2026, and it may affect you. Before Windows loads, Secure Boot verifies the system’s startup process. But to do this, it relies on cryptographic certificates, and unfortunately, a lot of these long-standing Secure Boot certificates expire in June 2026.

This means systems that don’t transition in time may be unable to accept future boot-level updates. On PCs where future firmware or security updates rely on newer Secure Boot certificates, some devices may simply not start. Microsoft has already started rolling out newer certificates, so there should be no need to panic. However, you should understand how it all works to avoid any unpleasant surprises.

What Secure Boot certificates do during Windows startup

The trust system that decides whether your PC is allowed to boot

[Image: Checking eligibility for new certificates. Credit: Afam Onyimadu / MUO]

Before Windows, drivers, and antivirus software come into play, Secure Boot does its work. Every time you turn on your computer, the system firmware uses a set of trusted certificates stored directly in UEFI firmware to verify that critical boot components, primarily the Windows Boot Manager, have been signed by a trusted authority. If the signature cannot be verified against a trusted certificate, the boot process is immediately terminated.

This verification is an important step in the chain of trust. Microsoft’s private keys sign Windows boot components, and the corresponding certificates are stored in the firmware’s DB (authorized signatures database); these certificates determine which bootloaders are trusted to run. The KEK (Key Exchange Key database) guarantees that only a trusted entity can modify allowed bootloaders by holding certificates that control who can update the DB.

The significant point is that Secure Boot certificates have expiry dates. After expiration, your PC’s firmware can’t rely on the expired certificates as a trust anchor. This is an intentional security mechanism for limiting long-term exposure to compromised or outdated signing keys.

Which certificates are expiring

The older Microsoft signing keys that Windows has relied on for over a decade

[Image: Current Microsoft certificate on PC. Credit: Afam Onyimadu / MUO]

Many of the affected certificates were created in 2011 and will stop being valid at some point in 2026. Below are the phased-out and replacement certificates:

| Expiration window | Certificate being phased out | Replacement certificate(s) | What this certificate controls |
| --- | --- | --- | --- |
| June 2026 | Microsoft Corporation KEK CA 2011 | Microsoft Corporation KEK CA 2023 | Authorizes updates to Secure Boot trust databases |
| June 2026 | Microsoft UEFI CA 2011 | Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 | Allows bootloaders, drivers, and option ROMs to run |
| October 2026 | Microsoft Windows Production PCA 2011 | Windows UEFI CA 2023 | Signs the Windows boot manager and core boot components |

Since Windows 8, these three outgoing certificates have been the backbone of Secure Boot on Windows computers. Microsoft UEFI CA 2011 is replaced by two certificates to improve security granularity. Not every system that fails to adopt the newer certificates should be expected to fail suddenly, but such systems may be excluded from future Secure Boot updates or protections.

You can view the certificate currently used to sign the Windows Boot Manager on your PC by running this PowerShell command:

    (Get-AuthenticodeSignature "C:\Windows\Boot\EFI\bootmgfw.efi").SignerCertificate | Format-List Subject,Issuer,NotAfter,Thumbprint

Why affected PCs may stop booting after an update

How certificate transitions and revocations can break startup trust

[Image: Verifying Secure Boot on Windows 11. Credit: Afam Onyimadu / MUO]

You probably won’t experience Secure Boot failures the day your certificates expire. However, a firmware or security update can influence what your PC is willing to trust, and in such cases, the failures may start. This behavior was observed after Microsoft’s response to the BlackLotus UEFI bootkit, which allowed malicious bootloaders to run even on systems that had enabled Secure Boot.

Microsoft’s patch for this vulnerability wasn’t enough. As a more thorough check, Microsoft began revoking vulnerable boot components. It also tightened Secure Boot requirements.

The newer 2023 certificates became fundamental for revocation and future Secure Boot protections. What this means in practical terms is that even if your PC seems to work perfectly, Secure Boot can block startup if an update requires trust in newer certificates it doesn’t have. You may be left with few recovery options at that point.

How Microsoft is transitioning PCs to newer Secure Boot certificates

Automatic updates, eligibility rules, and why some devices are skipped

Microsoft began a phased rollout before 2026, starting with what it describes as high-confidence systems. These systems have modern firmware, a stable update history, and already have Secure Boot enabled. Eligible systems get the new certificates via Windows Update but can only install them with cooperation from the system firmware.

Windows virtual machines (VMs) that use UEFI Secure Boot typically rely on the same trust model, and they get the certificate through the same process as physical devices. This includes VMs running on Hyper-V and Azure. Any VMs that don’t accept newer certificates would face the same fate as physical hardware.

The 2026 KB5074109 and KB5073455 Windows Updates have already started deploying these certificates. However, firmware limitations may mean that only manual actions can complete the deployment process on certain devices.

You can run this command in PowerShell; a non-zero value for AvailableUpdates would confirm your computer is eligible to receive certificate updates:

    Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" | Format-List


What to do now to make sure your PC still boots in 2026

There are two important things you must do now: confirm you have Secure Boot enabled and that your system firmware is updated. The Windows System Information tool can show if Secure Boot is enabled. However, any firmware update should come from your PC manufacturer or the platform managing virtual firmware.

If your system is eligible, the update typically happens quietly in the background. You should pay more attention to devices with dual-boot setups or PCs with legacy boot remnants, as they are less likely to get automatic deployment. You may have to navigate to this registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot and set the AvailableUpdates registry value to a nonzero value. You can consider using a safer editor to change registry values.
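
The checks described in this article can be combined into one read-only audit. The script below is an added example, not code from the original article or from Microsoft: the helper name Test-SecureBootVariableText is hypothetical, and the KEK pattern also accepts "KEK 2K CA 2023", the subject name the certificate itself carries, alongside the name as written in the table above.

```powershell
# Added example: read-only audit of the Secure Boot certificate transition.
# Run from an elevated PowerShell session; nothing here writes to firmware or the registry.

function Test-SecureBootVariableText {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][ValidateSet('db', 'KEK')][string]$Name,
        [Parameter(Mandatory)][string]$Pattern
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    } catch {
        return $null   # legacy BIOS, not elevated, or variable not readable
    }
    # Certificate subject names sit as plain ASCII inside the DER data,
    # so a text search over the raw variable is enough to detect them.
    return ([System.Text.Encoding]::ASCII.GetString($bytes) -match $Pattern)
}

# $true / $false on UEFI systems; $null where the cmdlet is unsupported.
$enabled = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }

$reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' -ErrorAction SilentlyContinue
$sig = Get-AuthenticodeSignature -FilePath "$env:SystemRoot\Boot\EFI\bootmgfw.efi" -ErrorAction SilentlyContinue

[pscustomobject]@{
    SecureBootEnabled     = $enabled
    # Outgoing 2011 certificate (expected on most systems today)
    Db_WindowsPCA2011     = (Test-SecureBootVariableText -Name db  -Pattern 'Microsoft Windows Production PCA 2011')
    # Replacement 2023 certificates from the table in this article
    Db_WindowsUefiCA2023  = (Test-SecureBootVariableText -Name db  -Pattern 'Windows UEFI CA 2023')
    Db_MicrosoftUefi2023  = (Test-SecureBootVariableText -Name db  -Pattern 'Microsoft UEFI CA 2023')
    Db_OptionRomCA2023    = (Test-SecureBootVariableText -Name db  -Pattern 'Microsoft Option ROM UEFI CA 2023')
    Kek_MicrosoftKek2023  = (Test-SecureBootVariableText -Name KEK -Pattern 'Microsoft Corporation KEK (2K )?CA 2023')
    # Registry value the article uses as the eligibility indicator
    AvailableUpdates      = $reg.AvailableUpdates
    # Issuer of the boot manager copy under the Windows directory
    BootManagerIssuer     = $sig.SignerCertificate.Issuer
    BootManagerSigExpires = $sig.SignerCertificate.NotAfter
} | Format-List
```

Rows that come back empty mean the variable could not be read, which usually indicates a non-elevated session or a system booted in legacy BIOS mode. The boot manager row reflects the copy under C:\Windows\Boot\EFI, not the file on the EFI System Partition that the firmware actually loads.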
