The latest Secure Boot 2023 certificate update has been rolled out to eligible Windows 11 and Windows 10 computers, coinciding with the expiration of the old certificates. The update lets PCs receive the replacement certificates in time, so they continue to get boot-level security updates.
The update, which was implemented by Microsoft, includes additional device targeting data to increase the coverage of devices eligible for automatic Secure Boot certificate installation. Only devices demonstrating sufficient successful update signals will receive the new certificates, allowing for a controlled and phased rollout.
Devices that received the June 2026 Patch Tuesday update are likely to have the new Secure Boot 2023 certificates installed without any user intervention.
Secure Boot is a firmware-level security feature that runs before Windows launches. It verifies the digital signatures of boot components, preventing rootkits and bootkits from infiltrating the boot chain.
The Secure Boot certificates were first issued in 2011, but those certificates will expire this year. The "Microsoft Corporation KEK CA 2011" certificate expired on June 24th, 2026, while the "Microsoft UEFI CA 2011" certificate will expire on June 27th, and the "Microsoft Windows Production PCA 2011" certificate will expire on October 19th, 2026. Microsoft is replacing these certificates with the Secure Boot 2023 certificate update.
Has your PC received the new Secure Boot certificates? You can easily check in Windows Settings under Privacy & security, then select Windows Security and Device Security to access the Secure Boot section. A green status indicates that all necessary certificates are present. If you see a yellow warning icon, your PC may require additional compatibility data or a BIOS update before the certificates can be installed.
If you see a red dot with a white 'X' inside, it means an issue is preventing the Secure Boot certificate update, likely due to a firmware incompatibility. Check your PC manufacturer's support page to see if a BIOS update is available. Alternatively, you can check the Secure Boot State in the msinfo32 window by pressing the Windows key + R and typing msinfo32.
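The same check can be scripted from an elevated PowerShell prompt, which is useful when auditing more than one machine. This is an added example, not part of the original article or Microsoft's tooling; it uses the built-in Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets, and the 2023 certificate names it searches for are assumptions based on Microsoft's published names, which the article does not list.

```powershell
#Requires -RunAsAdministrator
# Added example. The 2023 certificate names are assumptions taken from
# Microsoft's published names; the article itself does not list them.
$expected = @(
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Variable = 'db';  Name = 'Windows UEFI CA 2023' },
    @{ Variable = 'db';  Name = 'Microsoft UEFI CA 2023' },
    @{ Variable = 'db';  Name = 'Microsoft Option ROM UEFI CA 2023' }
)

function Get-SecureBootCertReport {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems; report that as "not enabled".
    try   { $enabled = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $enabled = $false }
    if (-not $enabled) {
        Write-Warning 'Secure Boot is disabled or unsupported on this system.'
    }

    $cache = @{}   # read each UEFI variable only once
    foreach ($item in $expected) {
        $var = $item.Variable
        if (-not $cache.ContainsKey($var)) {
            try {
                # The variable holds raw EFI signature lists; certificate subject
                # names appear as ASCII text inside the DER-encoded certificates.
                $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
                $cache[$var] = [System.Text.Encoding]::ASCII.GetString($bytes)
            } catch {
                $cache[$var] = $null
            }
        }
        [pscustomobject]@{
            Variable    = $var
            Certificate = $item.Name
            Present     = if ($null -eq $cache[$var]) { 'unreadable' }
                          else { $cache[$var].Contains($item.Name) }
        }
    }
}

Get-SecureBootCertReport | Format-Table -AutoSize
```

A row showing `False` means the firmware variable was readable but that certificate has not been written to it yet; `unreadable` means the variable could not be queried, for example on a system without UEFI.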
Without updated Secure Boot certificates, your Windows PC will not receive further security updates at the boot level, making it potentially vulnerable to rootkits, bootkits, and other malware.