Secure Boot is a key security feature of PCs that is ensuring that only trusted, digitally signed software can load before the Windows operating starts. It uses a chain of trust using cryptographic certificates.
Microsoft issued the original Secure Boot certificates in 2011. Nearly every PC since 2012 has these certificates.
- The problem: The certificates are set to expire in 2026. Some will expire in June 2026, others in October 2026.
- The solution: To prevent Secure Boot disruptions, Microsoft is exchanging certificates.
What happens if the certificates are not exchanged?
Good news is that the PC won’s break or fail to boot when that happens. In fact, for most users, the PC will act and behave just like before. Windows will boot, apps will launch, and they can use their PC just like before.
The only limitation in that case is that Secure Boot can’t be updated anymore. This means that the official blocklist won’t update anymore to stop known malware or bootkits, can’t receive new features or fixes.
The expiring and new Secure Boot keys
| Expiring 2011 Certificate | New 2023 Replacement | Purpose |
| Microsoft Corporation KEK CA 2011 | Microsoft Corporation KEK 2K CA 2023 | Gives Windows the authority to update the Signature Database (DB) and the blocklist (DBX). |
| Microsoft Windows Production PCA 2011 | Windows UEFI CA 2023 | Signs the actual Windows bootloader so the OS is allowed to start. |
| Microsoft Corporation UEFI CA 2011 | Microsoft UEFI CA 2023 | Signs third-party bootloaders (like Linux) and EFI applications. |
| None | Microsoft Option ROM UEFI CA 2023 | Signs third-party option ROMs (firmware for graphics cards, network cards, etc.). |
The rollout of the update
Most Windows users on unmanaged PCs won’t have to do anything. The update is pushed via Windows Update and it will happen automatically in the background. A restart of the PC is required, but that is about it.
Microsoft begins with PCs that are “deemed highly compatible” first. This is the same distribution strategy that Microsoft uses for pushing out new feature or major updates to home and consumer PCs.
Here is how you can find out if the update is installed:
- Open the Start menu.
- Type Powershell.
- Select “Run as administrator”.
- Confirm the security prompt.
- Type Confirm-SecureBootUEFI and press the Enter-key.
- True means that Secure Boot is active.
- False means that Secure Boot is turned off.
- If True is returned, run the command ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Windows UEFI CA 2023’).
- True means that the update is fully installed.
- False means that the update is not yet installed, the 2011 keys are still used.
I’m (still) a Windows 7 user and; for what it’s worth, and please do confirm, I’ve asked Duck AI:
“Do Secure Boot keys concern all versions of Windows or only 10 & 11?”
GPT-4o mini:
**Secure Boot keys are primarily a concern for Windows 8, 10, and 11**, as this feature was introduced with Windows 8. Secure Boot helps to ensure that only trusted software is loaded during the boot process, which is essential for the security of the operating system.
—
### Details on Secure Boot and Windows Versions
– **Windows 8**: Secure Boot was first implemented in this version, requiring UEFI firmware to facilitate it.
– **Windows 10**: Continued the use of Secure Boot with improved security features.
– **Windows 11**: Enhanced security measures make Secure Boot even more significant, as it’s a requirement for installation.
Returned : True
Edition Windows 11 Pro
Version 24H2
Installed on 8/31/2025
OS build 26100.7623
Experience Windows Feature Experience Pack 1000.26100.275.0
I have read that computers built within the last two years already have the new Secure Boot certificate. Is this so? My windows 11 25H2 computer was built by a computer technician 6 months ago. Secure Boot has been turned off my computer.
There is a difference between “supporting Secure Boot”, which your PC does, and a PC without it. Yours is disabled, but it is there.