Microsoft Updates Secure Boot Certificates Before Old Windows Security Keys Expire


Microsoft has started rolling out new Secure Boot certificates for eligible Windows 10 and Windows 11 PCs, arriving just before older certificates began reaching their expiration dates. The update is important because Secure Boot helps protect PCs before Windows even starts, reducing the risk of malware attacking the system during startup.

The rollout replaces aging Secure Boot certificates first issued in 2011 with newer 2023 certificates. Many PCs that received the June 2026 Patch Tuesday update may already have the new certificates installed automatically, though Microsoft is using a controlled rollout based on device compatibility data.

For most people, this should happen quietly in the background. But if the update does not install correctly, a PC could lose future boot-level security updates, leaving it more exposed to threats such as rootkits and bootkits.

Why Secure Boot Certificates Matter

Secure Boot is a firmware-level security feature that checks whether key startup components are trusted before the operating system loads. It helps make sure that Windows starts with approved, properly signed files instead of compromised code.

This matters because some malware is designed to attack before Windows security tools can fully start. Bootkits and rootkits can hide deep in the startup chain, making them difficult to detect or remove once the system is running.

Secure Boot relies on digital certificates to decide what is trusted. The original Microsoft Secure Boot certificates from 2011 are now being replaced because they are reaching the end of their validity period.

Certificate                                 Expiration Timing
Microsoft Corporation KEK CA 2011           June 24, 2026
Microsoft UEFI CA 2011                      June 27, 2026
Microsoft Windows Production PCA 2011       October 19, 2026
Secure Boot 2023 certificates               New replacement certificates

The timing made the update especially important. Without newer certificates, Windows PCs would still turn on, but they would no longer receive the same level of boot-level security protection going forward.

Microsoft Is Rolling Out the Update in Stages

Microsoft says the update is being delivered only to eligible PCs after they show enough successful update signals. In simple terms, that means the company is trying to avoid pushing firmware-related certificate changes to devices that may not be ready.

That careful approach makes sense because Secure Boot operates below Windows itself. A bad firmware or boot configuration problem can create serious startup issues, so Microsoft is using device targeting data to decide which machines should receive the new certificates automatically.

If your PC received the June 2026 Windows update, there is a good chance the Secure Boot certificate update has already arrived. But not every computer will receive it at the same time, especially if the device needs additional compatibility checks or a BIOS update from the manufacturer.

How to Check Whether Your PC Has the New Secure Boot Update

You can check your Secure Boot status through Windows Settings.

Open Settings, go to Privacy and security, then open Windows Security. From there, select Device Security and look for the Secure Boot section.

A green status usually means everything is working correctly and the required certificates are present. A yellow warning may mean your PC has not yet received the update or still needs compatibility data. A red warning can indicate a deeper firmware problem, often requiring a BIOS update from the PC maker.

You can also press Windows key and R, type msinfo32, and press Enter. In the System Summary window, look for Secure Boot State. It should show as On if Secure Boot is enabled.

If Secure Boot is missing from Settings, it may be disabled in firmware or may have been bypassed during Windows installation.

What You Should Do Now

Most people do not need to take any immediate action beyond keeping Windows updated. Microsoft will continue trying to install the Secure Boot 2023 certificates on eligible systems.

If you see a warning, check Windows Update first. Then visit your PC manufacturer’s support page to see whether a BIOS or firmware update is available for your model.

The update is a quiet but important maintenance step for Windows security. It will not add a visible new feature, but it helps keep the startup process protected as older certificates expire.
