Your PC's critical security certificates may be about to expire - how to check


ZDNET's key takeaways

  • Secure Boot protects modern Windows and Linux PCs.
  • Microsoft Secure Boot certificates from 2011 expire in June 2026.
  • Most PC owners are fine if they install the latest updates.

Last year's end-of-support deadline for Windows 10 was a big test for consumers and IT pros alike. The good news is, everyone passed! The bad news is, there's another important expiration date right around the corner.

Every Windows PC designed and built since 2011 supports a feature called Secure Boot. This feature, which is on by default on new PCs sold with Windows 10 and Windows 11, acts as a gatekeeper that allows only trusted software to run at startup. If someone tries to tamper with the operating system or boot from an alternate device, Secure Boot blocks that attempt.

All currently supported versions of Windows support Secure Boot, as do an increasing number of Linux distributions, including Ubuntu, Fedora, Linux Mint, OpenSUSE, and a host of others.

How Secure Boot works

Secure Boot relies on a chain of cryptographic certificates that check each boot component to see whether it's properly signed. One of the most important certificates is the Key Exchange Key (KEK), which sits in the UEFI firmware and works with the Trusted Platform Module (TPM) to manage the list of trusted bootloaders, which are contained in the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX). The Microsoft-issued Production Certificate Authority (CA) and UEFI CA certificates are also essential to the operation of Secure Boot and also need to be updated.

If you bought a PC in the past 15 years, it almost certainly contains Microsoft-issued KEK and UEFI CA certificates from 2011, which are slated to expire in June 2026. To update those certificates, you need access to the root of trust -- the Platform Key, which is managed by the hardware OEM.

When the Secure Boot certificates expire, they are no longer permitted to validate boot software, which means your installed operating system will refuse to start. You can turn off Secure Boot, but doing so means you won't be able to access disks that are encrypted using BitLocker.

In 2023, Microsoft issued replacements for those Secure Boot certificates. But the whole point of the Secure Boot certificate model is that those certificates are not easy to replace -- if they were, every malware developer in the world would be focusing energy on doing exactly that, creating malicious rootkits that run at startup and can't be detected easily.

To prepare for this mass extinction event, Microsoft and its hardware partners have been working for several years, coordinating a global series of updates designed to replace those outdated certificates with the 2023 version. Microsoft has documented progress in a new blog post:

Our ecosystem partners play a critical role in the transition to the new Secure Boot certificates. OEMs have been provisioning updated certificates on new devices and many newer PCs built since 2024, and almost all the devices shipped in 2025 already include the certificates and require no action from customers. OEM partners have also worked closely with our engineering teams to ensure that in-market devices can apply the updates seamlessly and have provided their own guidance to help customers prepare for the transition. As a result of that concerted effort, you might soon see a firmware update that will bring your computer's security core into the modern era, pushing the certificate expiration dates out by another decade or more.

For most people, this process should be unobtrusive. You might already have installed the necessary updates without realizing it.

For this post, I've assembled a list of frequently asked questions, along with authoritative answers.

Why are these certificates expiring?

Fifteen years is a long time. Security standards advance dramatically every year, and it's normal to retire old certificates and replace them with newly issued certificates that meet modern security standards instead of becoming a point of vulnerability.

Does my PC have expiring Secure Boot certificates?

If your computer was designed and built after 2011, it includes Secure Boot certificates. Any device that was designed and built before 2024 most likely has a 2011 certificate, which is about to expire.

According to Microsoft, its OEM partners have been provisioning updated certificates on new devices since 2024. If you have a relatively new device, it most likely already includes the latest certificates. Copilot+ PCs built in 2025 or later already include the 2023 certificates and don't need an update.

To see whether your PC has the updated certificates, open a PowerShell window using administrator credentials and then run the following command:

([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

If the result is True, you're up to date. If the result is False, you need a firmware update.
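
The one-line check above only searches the raw db bytes for a name. As an added example (not from the original article or from Microsoft), the PowerShell below parses the UEFI signature-list layout of the KEK and db variables and lists each certificate's subject and expiry date. The function name Get-SecureBootCertificate is hypothetical, and the script assumes an elevated session on a UEFI PC.

```powershell
# Added example: list the X.509 certificates stored in a Secure Boot variable.
# Get-SecureBootCertificate is a hypothetical helper name, not a built-in cmdlet.
function Get-SecureBootCertificate {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    # EFI_CERT_X509_GUID: marks a signature list whose entries are DER certificates
    $x509Type = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
    $offset = 0

    # Each EFI_SIGNATURE_LIST starts with a 28-byte header:
    # type GUID (16), list size (4), header size (4), size of each entry (4)
    while ($offset + 28 -le $Bytes.Length) {
        $type     = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)

        # Stop on a truncated or malformed list instead of reading past the buffer
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) { break }

        if ($type -eq $x509Type -and $sigSize -gt 16) {
            $entry = $offset + 28 + $hdrSize
            while ($entry + $sigSize -le $offset + $listSize) {
                # Skip the 16-byte owner GUID; the rest is the certificate
                $der  = [byte[]]$Bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Subject  = $cert.Subject
                    NotAfter = $cert.NotAfter
                    Expired  = $cert.NotAfter -lt (Get-Date)
                }
                $entry += $sigSize
            }
        }
        $offset += $listSize
    }
}

# Run from an elevated PowerShell window on a UEFI PC
foreach ($name in 'KEK', 'db') {
    Get-SecureBootCertificate -Bytes (Get-SecureBootUEFI -Name $name).Bytes |
        Select-Object @{ n = 'Variable'; e = { $name } }, Subject, NotAfter, Expired
}
```

A db entry whose subject contains 'Windows UEFI CA 2023' corresponds to the True result of the one-line check.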

Will I get an updated certificate automatically?

If your PC was designed and built by a major OEM (Lenovo, HP, Dell, ASUS, Surface), and you are running a supported Windows version, you should receive the necessary update automatically.

According to Microsoft, "For most individuals and businesses that allow Microsoft to manage PC updates, the new certificates will be installed automatically through the regular monthly Windows update process, with no additional action required."

Those updates will arrive on almost all PCs running Windows 11 and on PCs running Windows 10 with an Extended Security Updates subscription. You might need a separate firmware update from the PC maker to allow the updated certificates to install.

Microsoft says it will be delivering messages about the certificate update status in the Windows Security app.

For specialized computers, such as servers and IoT devices, you might need to download and install an update from the device maker.

What happens if I don't update those certificates?

According to Microsoft, "When the 2011 CAs expire, Windows devices that do not have new 2023 certificates can no longer receive security fixes for pre-boot components, compromising Windows boot security.... Without updates, the Secure Boot-enabled Windows devices risk not receiving security updates or trusting new boot loaders, which will compromise both serviceability and security."

I have a Mac. Do I need to worry about this?

No.

I have a PC running Linux. Do I need to worry about this?

If you're dual-booting Linux with Windows, Microsoft says it will update the certificates that Linux relies on.

If you've wiped Windows completely, you might not get the latest security updates automatically. You can contact the company that built your PC to see if there's a manual update, or you can turn Secure Boot off. Aside from seeing a scary red padlock on the boot screen, everything else will work as expected.

I built my own PC. Where are my updates?

Talk to the company that manufactured your motherboard. There might be an update, but depending on the age of your PC, the motherboard company might not offer one. You can turn off Secure Boot and Windows will still start up. If you have BitLocker encryption turned on, you might need to supply the recovery key to access data on that disk.

Where can I get more information or help?

The official Microsoft FAQ page is here: Secure Boot Certificate Update FAQ. If you run into issues on an unmanaged PC in a home or small office, check with the PC maker or contact Microsoft for support. Enterprise administrators can use commercial support channels.
