
ZDNET's key takeaways
- Secure Boot protects modern Windows and Linux PCs.
- Microsoft Secure Boot certificates from 2011 expire in June and October 2026.
- Most PC owners are fine if they install the latest updates.
Last year's end-of-support deadline for Windows 10 was a big test for consumers and IT pros alike. Congratulations -- everyone passed! Before you start celebrating, though, pay attention to another important expiration date that's arriving this week. Four important Microsoft security certificates are expiring, with the first one expiring today, June 24, 2026.
Microsoft has been refreshingly transparent about what it's doing to replace these old certificates, with guidance for both consumers and enterprise customers. It also added an easy way for anyone to check the status of the certificates, using the built-in Windows Security utility. (More details on that later in this post.) Oh, and now might be a really good time to make sure you have saved a copy of your BitLocker recovery key, just in case.
This deadline is a little more complicated than the Windows 10 end-of-support date. To understand why, we need to talk about a core security feature found in every Windows PC designed and built since 2011: Secure Boot. This feature, enabled by default on new PCs sold with Windows 10 and Windows 11, acts as a gatekeeper, allowing only trusted software to run at startup. If someone tries to tamper with the operating system or boot from an alternate device, Secure Boot blocks that attempt.
All currently supported versions of Windows support Secure Boot, as do an increasing number of Linux distributions, including Ubuntu, Fedora, Linux Mint, OpenSUSE, and a host of others.
What's happening to Secure Boot certificates?
Secure Boot relies on a chain of cryptographic certificates that verify each boot component's signature. One of the most important certificates is the Key Enrollment Key (KEK), which is also sometimes called the Key Exchange Key. It sits in the UEFI firmware on every modern PC and works with the Trusted Platform Module (TPM) to manage the list of trusted bootloaders, which are contained in the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX).
The Microsoft-issued Production Certificate Authority (CA) and UEFI CA certificates are also essential to the operation of Secure Boot and also need to be updated.
If you bought a PC in the past 15 years, it almost certainly contains Microsoft-issued KEK and UEFI CA certificates from 2011, which are slated to expire in June 2026. To update those certificates, you need access to the root of trust -- the Platform Key, which is managed by the hardware OEM.
| Expiring certificate | Expiration date | Replacement certificate | Purpose |
| --- | --- | --- | --- |
| Microsoft Corporation KEK CA 2011 | June 24, 2026 | Microsoft Corporation KEK 2K CA 2023 | Signs updates to the Secure Boot Signature Database and Revoked Signature Database |
| Microsoft Windows Production PCA 2011 | October 19, 2026 | Windows UEFI CA 2023 | Signs the Windows boot loader |
| Microsoft UEFI CA 2011* | June 27, 2026 | Microsoft UEFI CA 2023 | Signs third-party boot loaders and EFI applications |
| Microsoft UEFI CA 2011* | June 27, 2026 | Microsoft Option ROM UEFI CA 2023 | Signs third-party option ROMs |
Table adapted from Windows Secure Boot certificate expiration and CA updates (Microsoft Support)
* Note: Microsoft UEFI CA 2011 was replaced with two signatures, to allow organizations to trust third-party option ROMs without having to also trust third-party boot loaders.
When the Secure Boot certificates expire, they are no longer permitted to validate boot software. That is not as dire as it sounds. Your computer will still start and run normally, but it will no longer be able to receive updates to Windows Boot Manager, Secure Boot databases and revocation lists, and fixes for newly discovered vulnerabilities in the boot chain.
You can turn off Secure Boot, but doing so means you might not be able to access disks that are encrypted using BitLocker without supplying the recovery key.
Microsoft points out that scenarios that rely on Secure Boot trust (such as BitLocker hardening, boot-level code integrity, or third-party bootloaders and Option ROMs) may also be affected if they require updated Secure Boot trust.
In 2023, Microsoft issued replacements for those Secure Boot certificates. But the whole point of the Secure Boot certificate model is that those certificates are not easy to replace -- if they were, every malware developer in the world would be focusing energy on doing exactly that, creating malicious rootkits that run at startup and can't be detected easily.
To prepare for this mass extinction event, Microsoft and its hardware partners have been working for several years, coordinating a global series of updates designed to replace those outdated certificates with the 2023 version. Microsoft has been publishing guidance for customers for more than a year, starting in early 2025, and documented its progress in a blog post earlier this year:
Our ecosystem partners play a critical role in the transition to the new Secure Boot certificates. OEMs have been provisioning updated certificates on new devices and many newer PCs built since 2024, and almost all the devices shipped in 2025 already include the certificates and require no action from customers. OEM partners have also worked closely with our engineering teams to ensure that in-market devices can apply the updates seamlessly and have provided their own guidance to help customers prepare for the transition. As a result of that concerted effort, you might soon see a firmware update that will bring your computer's security core into the modern era, pushing the certificate expiration dates out by another decade or more.
For most people, this process should be unobtrusive. You might already have installed the necessary updates without realizing it. Enterprise administrators have a wide range of tools for monitoring and deploying these updates, all of which are documented in the Secure Boot Playbook for Windows Client.
For this post, I've assembled a list of frequently asked questions, along with authoritative answers.
Why are these certificates expiring?
Fifteen years is a long time! Security standards advance dramatically every year, and it's normal to retire old certificates and replace them with newly issued certificates that meet modern security standards instead of becoming a point of vulnerability.
Does my PC have expiring Secure Boot certificates?
If your computer was designed and built after 2011, it includes Secure Boot certificates. Any device that was designed and built between 2012 and 2024 shipped with 2011 certificates, which expire in 2026 and must be replaced.
According to Microsoft, its OEM partners have been provisioning updated certificates on new devices since 2024. If you have a relatively new device, it most likely already includes the latest certificates. Copilot+ PCs built in 2025 or later already include the 2023 certificates and don't need an update.
A recent Windows 11 update lets you check the status of your security certificates in the Windows Security app. Choose the Device Security page and look under the "Secure boot" heading. If you see a message that says "all required certificates have been applied," you're good to go.
You can now use the Windows Security app to check the status of Secure Boot certificates.
You can also use PowerShell to check whether your PC has the updated certificates. Open a PowerShell window using administrator credentials and then copy the following command and paste it at the PowerShell command line:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
If the result is True, you're up to date. If the result is False, you need a firmware update.
Will I automatically get an updated certificate?
If your PC was designed and built by a major OEM (Lenovo, HP, Dell, ASUS, Surface), and you are running a supported Windows version, you should receive the necessary update automatically.
According to Microsoft, "For most individuals and businesses that allow Microsoft to manage PC updates, the new certificates will be installed automatically through the regular monthly Windows update process, with no additional action required."
Those updates will arrive on almost all PCs running Windows 11 and on PCs running Windows 10 with an Extended Security Updates subscription. You might need a separate firmware update from the PC maker to allow the updated certificates to install.
Each OEM has a status page where you can check for updated information.
- Dell: Secure Boot Transition FAQ
- HP: Prepare for new Windows Secure Boot certificates
- Lenovo: Secure Boot Certificate Expiration Guide (2011 to 2023)
- ASUS (PCs): Windows Secure Boot certificate expiration and certificate updates
- ASUS (motherboards): Windows Secure Boot certificate expiration and certificate updates
- Microsoft Surface: Surface Secure Boot Certificates
A number of these manufacturers have been shipping PCs with both sets of certificates for some time, allowing enterprise customers to choose when to switch to the new certificates.
For specialized computers, such as servers and IoT devices, you might need to download and install an update from the device maker.
What happens if I don't update those certificates?
According to Microsoft, "When the 2011 CAs expire, Windows devices that do not have new 2023 certificates can no longer receive security fixes for pre-boot components, compromising Windows boot security.... Without updates, the Secure Boot-enabled Windows devices risk not receiving security updates or trusting new boot loaders, which will compromise both serviceability and security."
I have a Mac. Do I need to worry about this?
No.
I have a PC running Linux. Do I need to worry about this?
If you're dual-booting Linux with Windows, Microsoft says it will update the certificates that Linux relies on.
If you've wiped Windows completely, you might not get the latest security updates automatically. You can contact the company that built your PC to see if there's a manual update, or you can turn Secure Boot off. Aside from seeing a scary red padlock on the boot screen, everything else will work as expected.
I built my own PC. Where are my updates?
Talk to the maker of your motherboard. There might be an update, but depending on your PC's age, the motherboard maker might not offer one. You can turn off Secure Boot, and Windows will still start up. If BitLocker is enabled, you might need to provide the recovery key to access the data on that disk.
When will the new certificates expire?
The 2023 certificates have expiration dates 15 years later, in 2038. The one exception is the Windows UEFI CA 2023, which will expire in June 2035. That means we'll have to go through this dance again in less than a decade.
Where can I get more information or help?
The official Microsoft FAQ page is here: Secure Boot Certificate Update FAQ. If you run into issues on an unmanaged PC in a home or small office, check with the PC maker or contact Microsoft for support. Enterprise administrators can use commercial support channels.
