How to Check Your Windows PC for Expiring Security Certificates

A critical deadline is fast approaching for over a billion Windows PCs, and even some Linux distributions aren’t immune. In June 2026, a significant set of security certificates that underpin your computer’s boot process will expire. This isn’t just a minor technicality; it’s a vital security measure that keeps your system safe from malicious interference right from startup.

For most of us, these vital security components operate silently in the background. However, understanding their role and ensuring they’re up-to-date is crucial for maintaining a robust and secure computing experience. Let’s delve into what this means for your PC and how you can prepare.

Secure Boot: Your PC’s Digital Gatekeeper

Every Windows PC manufactured and sold since 2011 comes equipped with a feature called Secure Boot. This powerful security mechanism acts as a digital gatekeeper, ensuring that only trusted software is allowed to load when your computer starts up. It’s a fundamental line of defense, preventing unauthorized code or malware from injecting itself into the critical boot process.

Secure Boot relies on a sophisticated chain of cryptographic certificates to verify the signature of each boot component. Key among these are the Key Exchange Key (KEK), the Microsoft-issued Production Certificate Authority (CA), and UEFI CA certificates. These certificates are embedded in your PC’s firmware and work in tandem with the Trusted Platform Module (TPM) to maintain lists of approved and forbidden bootloaders.

Why Certificates Expire and What Happens Next

Security standards evolve rapidly, and what was considered secure over a decade ago may now present vulnerabilities. The certificates installed on many PCs from 2011 are designed to expire, a normal practice to encourage updates to more modern, robust encryption methods. Microsoft, in coordination with hardware partners, issued updated 2023 certificates to address this.

When these 2011 Secure Boot certificates expire, your computer will still start and function normally. However, it will no longer be able to receive vital updates for the Windows Boot Manager, Secure Boot databases, or revocation lists. This means your PC could become vulnerable to newly discovered threats targeting the boot chain, compromising your system’s integrity and security.

It’s important to note that disabling Secure Boot, while an option, comes with its own risks. For instance, if you use BitLocker for disk encryption, you might need to supply a recovery key every time you boot, or even lose access to your encrypted data entirely. Other scenarios relying on Secure Boot, such as boot-level code integrity or third-party bootloaders, could also be affected.

Checking Your PC’s Certificate Status

The good news is that for most users, securing your PC against this expiration event is straightforward. Microsoft and its OEM partners have been working for years to roll out these updates, often seamlessly through regular Windows updates. Many newer PCs, especially those built since 2024 or Copilot+ PCs from 2025 onwards, likely already have the updated certificates.

However, it’s always wise to verify. Here’s how you can check if your system is ready:

  • Using Windows Security (Windows 11):

    Open the Windows Security app, navigate to the Device Security page, and look under the “Secure boot” heading. If you see a message stating “all required certificates have been applied,” you’re all set.

  • Using PowerShell (Windows 10 & 11):

    Open PowerShell with administrator credentials. Copy and paste the following command, then press Enter:

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    If the response is “True,” your PC has the updated certificates. If it’s “False,” you’ll need a firmware update.

Ensuring Your System Gets the Update

For the majority of users running Windows 11 or Windows 10 with an Extended Security Updates (ESU) subscription, the necessary certificates should install automatically through the regular monthly Windows update process. This applies to PCs from major OEMs like Lenovo, HP, Dell, ASUS, and Microsoft Surface devices.

However, some systems might require a separate firmware update directly from the PC manufacturer to enable the installation of the new certificates. Many OEMs maintain status pages with specific guidance for their models, so checking their support website is a good idea if your PowerShell check comes back “False.”

If you’re using specialized computers, such as servers or IoT devices, a manual update from the device maker may be necessary. If you’ve built a custom PC or have an older motherboard, contact the motherboard manufacturer for potential updates. In rare cases where an update isn’t available, you might have to disable Secure Boot, remembering the implications for BitLocker.

The 2023 certificates are designed to last much longer, with most expiring in 2038, though the Windows UEFI CA 2023 will expire in June 2035. This means we’ll likely revisit this process in less than a decade. For now, take a moment to ensure your PC is prepared for the upcoming June 2026 deadline and continues to operate securely.

Source: ZDNet – AI

Kristine Vior

With a deep passion for the intersection of technology and digital media, Kristine leads the editorial vision of HubNextera News. Her expertise lies in deciphering technical roadmaps and translating them into comprehensive news reports for a global audience. Every article is reviewed by Kristine to ensure it meets our standards for original perspective and technical depth.
