
Microsoft has started rolling out replacements for expiring Secure Boot certificates on eligible Windows 11 systems running versions 24H2 and 25H2, according to a report from BleepingComputer. Secure Boot is a core security feature built into a system’s UEFI/BIOS that helps prevent malicious software from loading during startup by verifying digital signatures against trusted certificates stored on the device.
Microsoft previously warned in November that the Secure Boot certificates used by most Windows devices currently in circulation are set to expire in June 2026. If these certificates are not updated in time, systems could face serious issues, including the inability to trust new boot loaders or receive future security updates. This is particularly critical for IT administrators managing fleets of PCs, where unaddressed certificate expirations could compromise both security and long-term maintainability.
According to Microsoft, devices manufactured before 2024 are the most affected, as newer PCs already ship with updated certificates. In addition, only systems that actually boot with Secure Boot enabled are at risk. Users can easily check this by pressing Win + R, entering msinfo32, and looking at the Secure Boot Status field. If it reads “On,” Secure Boot is active and the system falls within the affected group.
To verify which Secure Boot certificates are currently installed, users can open Windows PowerShell with administrative privileges and run the following command:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)
Ideally, the output should include at least one certificate dated 2023, such as MicrosoftUEFICertificateAuthority_2023.cer. Users can also append -match 'Windows UEFI CA 2023' to quickly confirm whether the correct certificate is present.
If only older certificates are found, problems are likely to surface once the June 2026 expiration date arrives. In that case, Microsoft recommends installing the latest Windows quality updates, as these updates deliver the new certificates in stages. The rollout relies on “successful update signals,” meaning systems must be up to date and allowed to send diagnostic data back to Microsoft for the process to complete smoothly.
If updates fail to resolve the issue, users can manually check the registry at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
The value WindowsUEFICA2023Capable should not be set to 0. If it is, the updated certificate is not available on that system. Enterprise environments also have alternative deployment options using special registry keys or the Windows Configuration System (WinCS), as detailed in Microsoft’s official documentation.
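The three checks described above (Secure Boot status, the contents of the db variable, and the WindowsUEFICA2023Capable registry value) combined into one script, as an added example that is not from the article or from Microsoft. Instead of matching ASCII text in the raw variable, it walks the db's EFI_SIGNATURE_LIST structure (the layout defined by the UEFI specification) so each certificate's subject and expiry date can be shown; the EFI_CERT_X509_GUID constant is the specification's value, and the function names are my own.

```powershell
# Added example (not from the article or Microsoft): parse the Secure Boot 'db' variable
# into its EFI_SIGNATURE_LIST entries, list each X.509 certificate's subject and expiry,
# and report the three checks the article describes. Run from an elevated PowerShell.

# EFI_CERT_X509_GUID (UEFI spec): marks a signature list whose entries are DER certificates.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootDbCertificates {
    param([string]$VariableName = 'db')   # 'db', 'KEK' and 'PK' share the same layout
    $bytes  = (Get-SecureBootUEFI -Name $VariableName).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16) | ListSize(4) | HeaderSize(4) | SigSize(4)
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }  # malformed list
        $sigOffset = $offset + 28 + $headerSize
        $listEnd   = $offset + $listSize
        while ($sigSize -gt 16 -and $sigOffset + $sigSize -le $listEnd) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the signature payload
            if ($type -eq $EfiCertX509Guid) {
                $der = [byte[]]$bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            }
            $sigOffset += $sigSize
        }
        $offset = $listEnd
    }
}

function Test-SecureBoot2023Readiness {
    $secureBootOn = $false
    try { $secureBootOn = Confirm-SecureBootUEFI } catch { }   # throws on non-UEFI firmware
    $certs = @(Get-SecureBootDbCertificates -VariableName 'db')
    foreach ($c in $certs) {
        Write-Host ('{0,-70} expires {1:yyyy-MM-dd}' -f $c.Subject, $c.NotAfter)
    }
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
               -Name WindowsUEFICA2023Capable -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SecureBootEnabled        = $secureBootOn
        WindowsUefiCa2023InDb    = [bool]($certs | Where-Object Subject -match 'Windows UEFI CA 2023')
        WindowsUEFICA2023Capable = $reg.WindowsUEFICA2023Capable   # $null if the value is absent
    }
}

Test-SecureBoot2023Readiness
```

A system is in the affected group when SecureBootEnabled is True and WindowsUefiCa2023InDb is False; a WindowsUEFICA2023Capable of 0 means the updated certificate is not yet available to that machine.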

