Secure Boot is a key security feature of PCs that is ensuring that only trusted, digitally signed software can load before the Windows operating starts. It uses a chain of trust using cryptographic certificates.
Microsoft issued the original Secure Boot certificates in 2011. Nearly every PC since 2012 has these certificates.
- The problem: The certificates are set to expire in 2026. Some will expire in June 2026, others in October 2026.
- The solution: To prevent Secure Boot disruptions, Microsoft is exchanging certificates.
What happens if the certificates are not exchanged?
Good news is that the PC won’s break or fail to boot when that happens. In fact, for most users, the PC will act and behave just like before. Windows will boot, apps will launch, and they can use their PC just like before.
The only limitation in that case is that Secure Boot can’t be updated anymore. This means that the official blocklist won’t update anymore to stop known malware or bootkits, can’t receive new features or fixes.
The expiring and new Secure Boot keys
| Expiring 2011 Certificate | New 2023 Replacement | Purpose |
| Microsoft Corporation KEK CA 2011 | Microsoft Corporation KEK 2K CA 2023 | Gives Windows the authority to update the Signature Database (DB) and the blocklist (DBX). |
| Microsoft Windows Production PCA 2011 | Windows UEFI CA 2023 | Signs the actual Windows bootloader so the OS is allowed to start. |
| Microsoft Corporation UEFI CA 2011 | Microsoft UEFI CA 2023 | Signs third-party bootloaders (like Linux) and EFI applications. |
| None | Microsoft Option ROM UEFI CA 2023 | Signs third-party option ROMs (firmware for graphics cards, network cards, etc.). |
The rollout of the update
Most Windows users on unmanaged PCs won’t have to do anything. The update is pushed via Windows Update and it will happen automatically in the background. A restart of the PC is required, but that is about it.
Microsoft begins with PCs that are “deemed highly compatible” first. This is the same distribution strategy that Microsoft uses for pushing out new feature or major updates to home and consumer PCs.
Here is how you can find out if the update is installed:
- Open the Start menu.
- Type Powershell.
- Select “Run as administrator”.
- Confirm the security prompt.
- Type Confirm-SecureBootUEFI and press the Enter-key.
- True means that Secure Boot is active.
- False means that Secure Boot is turned off.
- If True is returned, run the command ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Windows UEFI CA 2023’).
- True means that the update is fully installed.
- False means that the update is not yet installed, the 2011 keys are still used.