Windows 11 users face a looming technical issue that could affect system security and update compatibility starting in June 2026. The problem stems from Secure Boot certificates, which are used to verify the digital signatures of software loaded during startup and which are set to expire on many devices manufactured before 2024.

Secure Boot is a feature of the system’s UEFI firmware that ensures only trusted software runs at boot. Without updated certificates, affected systems risk failing to receive security updates or trusting malicious boot loaders, compromising both functionality and protection. Microsoft has begun rolling out replacements for eligible devices running Windows 11 versions 24H2 and 25H2, but users must verify their system’s status before the deadline.

Users with devices built prior to 2024 are most likely to encounter issues. However, Secure Boot only poses a risk if it is enabled on the system. To check, open the Run dialog (Win + R), type msinfo32, and review the Secure Boot Status field. If it reads ‘On,’ further action may be required.

The first step is to confirm whether the current certificate is up to date. Open PowerShell as an administrator and run:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)

If the output includes a 2023 certificate name (e.g., MicrosoftUEFICertificateAuthority_2023.cer), the system is compliant. To filter specifically for this certificate, append -match 'Windows UEFI CA 2023' to the command. If no valid certificates appear, or if the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing shows a value of 0 for WindowsUEFICA2023Capable, users should install pending Windows quality updates immediately.
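The three checks described above (Secure Boot state, the db certificate match, and the servicing registry value) can be combined into one report. This is an added example, not a Microsoft script; the function name Get-SecureBootCertStatus and the verdict strings are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (hypothetical helper name): runs the article's checks in order
# and returns a single object that can be exported or collected from many hosts.
function Get-SecureBootCertStatus {
    $result = [ordered]@{
        SecureBootEnabled        = $null
        Db2023CertPresent        = $null
        WindowsUEFICA2023Capable = $null
        Verdict                  = 'Unknown'
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS systems and when not elevated.
    try {
        $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $result.Verdict = "Secure Boot state unavailable: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    if (-not $result.SecureBootEnabled) {
        $result.Verdict = 'Secure Boot is off; the expiry only matters when it is on'
        return [pscustomobject]$result
    }

    # Same db read as the one-liner above, reduced to a true/false match.
    $dbBytes = (Get-SecureBootUEFI -Name db -ErrorAction Stop).Bytes
    $dbText  = [System.Text.Encoding]::ASCII.GetString($dbBytes)
    $result.Db2023CertPresent = $dbText -match 'Windows UEFI CA 2023'

    # The servicing value can be absent on systems that have not been updated yet.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $prop = Get-ItemProperty -Path $key -Name 'WindowsUEFICA2023Capable' `
                             -ErrorAction SilentlyContinue
    if ($null -ne $prop) {
        $result.WindowsUEFICA2023Capable = $prop.WindowsUEFICA2023Capable
    }

    # Decision rule taken from the article: no 2023 certificate, or a value of 0.
    if (-not $result.Db2023CertPresent -or $result.WindowsUEFICA2023Capable -eq 0) {
        $result.Verdict = 'Install pending Windows quality updates'
    } else {
        $result.Verdict = '2023 certificate present in db'
    }
    [pscustomobject]$result
}

Get-SecureBootCertStatus | Format-List
```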

Microsoft states that installing these updates will allow the system to send ‘successful update signals,’ enabling automatic deployment of new certificates. Enabling diagnostic data collection in Windows settings may also facilitate this process. Alternatively, organizations can manually configure Secure Boot through registry keys or the Windows Configuration System (WinCS), though this requires technical expertise.

While Microsoft has not specified exact consequences for non-compliant systems, historical precedents suggest potential disruptions to security updates and boot processes. Users should prioritize checking their certificate status well in advance of June 2026 to avoid complications.