When Microsoft first implemented Secure Download feature on Windows computers 2011potential problems with related certificates expiring seemed a distant problem.
The future is here in 15 years and countless Secure Boot certificates will expire June 2026.
Article continues below
What is Secure Boot and why is it on my Windows PC?
Secure Boot is a key Windows security feature that protects your PC from vulnerabilities that target the boot phase.
Secure Boot is a prerequisite for installing Windows 11, but that doesn’t mean your PC will stop working without it.
👉 How to enable Secure Boot on PC to install Windows 11
However, the lack of Secure Boot means that your computer will not have as much protection as it should. In addition, the lack of Secure Boot can interfere with other security measures, e.g TPM 2.0.
Secure Boot is now available since 2011and the vast majority of computers sold since then (Including those running Windows 10) feature and associated certifications.
Microsoft has updated Secure Boot with a new one UEFI CA 2023 certificates 2023but this means that most computers sold after that will already have the updated version.
Everything else, well, problems can arise when the original certificates expire June 2026.
TL;DR: Secure Boot protects your computer from vulnerabilities during the boot process. Special certifications are required to function properly.
How do Microsoft and its OEM partners deal with expired Secure Boot certificates?
Microsoft realizes it has a potentially huge challenge on its hands, but it’s taking proactive steps to ensure the transition is as smooth as possible.
This is officially reported by the company state-of-the-art computers It will work with Windows 11 automatically accept new certificates via Windows Updateas you would normally update your system.
However, some will Great PCs that require an OEM-released firmware update. These will, in most cases, be found here dedicated OEM support sites.
How far back a particular OEM decides to go remains to be seen. PC brands generally don’t offer meaningful support for systems they sold a decade or more ago; in many cases, the support drops after five years.
TL;DR: In some cases, OEMs may need to deliver specific firmware updates for systems to receive new Secure Boot certifications.
Unsupported versions of Windows will not receive new Secure Boot certificates
Microsoft has made it clear that it will not issue updated Secure Boot certificates for unsupported versions of Windows. Your computer won’t suddenly stop working, but it won’t be as secure as it should be.
Here’s Microsoft’s official statement:
It is important to note that devices running unsupported versions (except those enrolled in Extended Security Updates, Windows 10 and older) do not receive Windows updates and will not receive new certificates. We continue to encourage customers to always use a supported version of Windows for best performance and protection.
Microsoft
Compromised security is not the only risk associated with not having Secure Boot certificates.
Because of how unique this feature is to Windows, usage time may also cause some time-related driver and software failures. Basically, if you don’t have a PC that can run Windows 11, you’re out of luck.
👉 The best Windows laptops in 2026
TL;DR: If your computer is no longer officially supported by Microsoft (including Windows 10 without ESU), it will not receive new Secure Boot certificates.
No Windows 10 Extended Security Update (ESU) registration? No new Secure Boot certificates.
When Microsoft sent Windows 10 to the graveyard in October 2024did so with a caveat: you can Sign up for the Extended Security Update (ESU). program to receive an additional year of support.
This is an important differentiator in the Secure Boot certificate dilemma, as Windows 10 computers enrolled in the ESU program must receive updated certificates through Windows Update.
Windows 10 computers Those not enrolled in ESU are not expected to receive new certificates.
The good news? You can still enroll your Windows 10 PC in the ESU program14 October till one day before the cut off date.
👉 How to use Windows 10 ESU to get updates after October 2025
To ensure that a computer enrolled in the program receives an updated Secure Boot certificate, I recommend to register now (or at least as soon as possible).
How to check if your Windows PC is using an updated Secure Boot certificate
There is a fairly simple way to do this check if your computer is currently using the new Secure Boot certificates (credit BrenTech on YouTube for the easy method).
- Kind PowerShell Enter in the Windows search bar.
- press Run as administrator.
- Copy and paste the following command as shown:
((System.Text.Encoding)::ASCII.GetString((Get-SecureBootUEFI db).byte) -matches ‘Windows UEFI CA 2023’)
Shoot Enter it to place the order and you a It is true or A lie its value appears below it.
If he reads It is trueyour computer already has new Secure Boot certificates. If he reads A lieyour computer is still using the old Secure Boot certificates that will expire in June.
If your Windows 11 or Windows 10 (ESU) computer does not have the latest Secure Boot certificates, I recommend checking for pending Windows Updates. If it’s an older system, you may want to start looking for OEM software solutions.
I will remind you of this again It won’t suddenly stop working if your computer doesn’t have the latest certificates. However, it will lower security and may start behaving in unexpected ways.
Forcing new Secure Boot certificates in Windows 11 without a firmware update
Horse Microsoft Learning Centerapparently there is an interesting procedure that allows you to fix firmware problems without manually touching the BIOS.
Even if existing Secure Boot certificates have expired or are not yet applied, cumulative updates containing the new 2023 Secure Boot certificates can still be installed and Windows can write the updated certificates to the software by following the published deployment guide. This applies to devices that can boot Windows and install updates.
Microsoft
This one AI-created help answer, but one answer says it works as advertised.
To give it a shot, you it must be a version of Windows 11 with the Secure Boot changes installed first. An example of the July 2025 service update is provided.
After confirming this, follow these steps:
- Get started Team request as Administrator.
- Copy and paste enter this code Order of command and hit Enter it:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x40 /f Start-ScheduledTask -TaskName “\Microsoft\Windows\PI\Secure-Boot-Update”
After the task is completed, you need to restart your computer several times. You can then check if the new Secure Boot certificates were installed correctly with my previous PowerShell tutorial above.
Microsoft’s previous e-waste fiasco is still being dealt with by the Windows 10 drop
Many Windows users are still dealing with failure Windows 10 End of Life (EOL) process Started on October 14, 2025.
According to some estimates, he It left behind 400 million PCs that couldn’t upgrade to Windows 11with only an interim ESU update for who knows how many others.
Now, with Secure Boot certificates expiring, there’s another guillotine that keeps loyal users running longer than normal on the screens of older computers.
Worried about your computer’s Secure Boot certificate expiring? How old is the system and are you considering upgrading to something new? Will you continue to use your old computer without a proper Secure Boot certificate? Let me know in the comment section below!
Join us Reddit at r/WindowsCentral to share your thoughts and discuss our latest news, reviews and more.
