Microsoft Rolls Out Critical Secure Boot Certificate Update to Windows 10 and 11 PCs

Microsoft has begun automatically deploying its long-awaited Secure Boot 2023 certificate update to eligible Windows 10 and Windows 11 systems, arriving just as the original Secure Boot certificates begin expiring.

The rollout coincides with the expiration of the Microsoft Corporation KEK CA 2011 certificate on June 24, 2026, helping ensure that supported PCs continue receiving boot-level security protections.

Why the Update Matters

Secure Boot is a firmware-level security feature that runs before Windows starts. It verifies the digital signatures of boot components, helping prevent malicious software such as rootkits and bootkits from compromising the startup process.

The original Secure Boot certificates issued in 2011 are reaching the end of their validity:

  • Microsoft Corporation KEK CA 2011 — June 24, 2026
  • Microsoft UEFI CA 2011 — June 27, 2026
  • Microsoft Windows Production PCA 2011 — October 19, 2026

Microsoft is replacing them with the new Secure Boot 2023 certificates, which are now being delivered through Windows Update.

Automatic Rollout Expanded

According to Microsoft, devices that install the June 2026 Patch Tuesday updates have a strong chance of receiving the new certificates automatically.

The company says it has expanded deployment by using additional compatibility and reliability data to determine which devices are ready for the update, allowing certificates to be installed gradually while minimizing potential issues.

How to Check Your PC

Users can verify whether the new certificates have been installed through Windows Security:

Settings → Privacy & Security → Windows Security → Device Security → Secure Boot

The status indicators mean:

  • Green: Secure Boot certificates are installed and working correctly.
  • Yellow warning icon: The update hasn’t yet been installed, possibly because Microsoft is waiting for additional compatibility data or a BIOS update.
  • Red X: A firmware compatibility issue is preventing installation. Users should check their PC manufacturer’s website for a BIOS or UEFI firmware update.

Another way to verify Secure Boot is:

  1. Press Windows + R
  2. Type msinfo32
  3. Press Enter
  4. Under System Summary, confirm that Secure Boot State displays On.
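
Both checks above show Secure Boot status, but neither names the certificates in the firmware variables. The following PowerShell sketch is an added example, not from Microsoft or the original article; it reports whether the 2011 and 2023 certificate names appear in the KEK and db variables. The 2023 certificate names are not listed on this page and are assumed from Microsoft's published Secure Boot guidance; run it from an elevated session.

```powershell
# Added example: run in an elevated PowerShell session on a UEFI system.
# The 2011 names come from the article; the 2023 names are an assumption taken
# from Microsoft's published Secure Boot guidance, not from this page.
$expected = @(
    @{ Var = 'KEK'; Old = 'Microsoft Corporation KEK CA 2011';     New = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Var = 'db';  Old = 'Microsoft UEFI CA 2011';                New = 'Microsoft UEFI CA 2023' },
    @{ Var = 'db';  Old = 'Microsoft Windows Production PCA 2011'; New = 'Windows UEFI CA 2023' }
)

# Confirm-SecureBootUEFI throws on legacy BIOS systems and when not elevated.
$enabled = $null
try {
    $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    "Secure Boot enabled: $enabled"
} catch {
    Write-Warning "Cannot query Secure Boot state: $($_.Exception.Message)"
}

if ($null -ne $enabled) {
    $cache = @{}   # read each firmware variable only once
    $report = foreach ($e in $expected) {
        if (-not $cache.ContainsKey($e.Var)) {
            try {
                $bytes = (Get-SecureBootUEFI -Name $e.Var -ErrorAction Stop).Bytes
                # Certificate subject names are stored as readable ASCII inside
                # the DER data, so a substring search is a quick presence check.
                # It does not validate the certificate itself.
                $cache[$e.Var] = [System.Text.Encoding]::ASCII.GetString($bytes)
            } catch {
                $cache[$e.Var] = $null   # variable missing or unreadable
            }
        }
        $text = $cache[$e.Var]
        [pscustomobject]@{
            Variable = $e.Var
            Cert2011 = $e.Old
            Has2011  = if ($null -ne $text) { $text.Contains($e.Old) } else { 'unreadable' }
            Cert2023 = $e.New
            Has2023  = if ($null -ne $text) { $text.Contains($e.New) } else { 'unreadable' }
        }
    }
    $report | Format-Table -AutoSize
}
```

A row with Has2023 set to False means the firmware variable does not yet contain that 2023 certificate name, which corresponds to the yellow or red states described above.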

What Happens Without the Update?

Systems missing the new certificates will continue to boot normally, but they will no longer receive future Secure Boot security updates after the legacy certificates expire.

Without updated certificates, firmware-level protections against threats such as rootkits and bootkits become increasingly limited, potentially leaving affected PCs more vulnerable to attacks during the startup process.

No Action Needed for Most Users

For most Windows 10 and Windows 11 users, the rollout is occurring automatically through Windows Update. Those who have already installed the latest cumulative updates likely won’t need to take any additional steps unless Windows Security reports a warning or firmware compatibility issue.