Microsoft is actively replacing expiring Secure Boot certificates on Windows 11 systems running versions 24H2 and 25H2. Secure Boot's function is to prevent unsigned or malicious software from launching during startup. Microsoft has alerted users that the current Secure Boot certificates will expire in June 2026; devices that have not received the replacement certificates by then will no longer be able to take future Secure Boot security updates or trust newly signed boot loaders.
Affected Devices and Check
Devices manufactured prior to 2024 are the primary focus, as newer models already possess the necessary updated certificates. This change applies specifically to systems where Secure Boot is enabled. Users can verify their Secure Boot status by pressing Win+R, entering msinfo32, and checking Secure Boot Status; if it reads "On," Secure Boot is enabled.
Certificate Verification Process
To inspect certificate status, open PowerShell as an administrator and run [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes), which dumps the contents of the Secure Boot signature database (db) as text. Confirm that at least one 2023-dated certificate is listed, such as MicrosoftUEFICertificateAuthority_2023.cer. Appending -match 'Windows UEFI CA 2023' to that command returns True if the certificate is present and False otherwise.
Update and Management
For systems with older certificates, it’s essential to install the latest Windows quality updates to receive the replacement certificates. The registry value WindowsUEFICA2023Capable under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing should not be set to 0. Enterprises may distribute Secure Boot certificates through specified registry keys or the Windows Configuration System (WinCS).
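The checks described above (Secure Boot state, presence of the 2023 CAs in the db, and the WindowsUEFICA2023Capable registry value) can be run together from one elevated PowerShell session. The script below is an added example, not Microsoft's own tooling or code from the article. Instead of ASCII-decoding the raw db bytes and string-matching, it parses the variable's EFI_SIGNATURE_LIST structures and loads each X.509 entry as a certificate object, so the actual subject names and expiry dates are reported. The GUID for X.509 entries is the UEFI specification's EFI_CERT_X509_GUID; the subject 'Microsoft UEFI CA 2023' is assumed to be the name inside MicrosoftUEFICertificateAuthority_2023.cer, while 'Windows UEFI CA 2023' and the registry path come from the article. Function names are this example's own.

```powershell
# Added example (not from the article): enumerate the certificates stored in the
# Secure Boot db, report their expiry, and run the 2023 CA and registry checks.
# Requires an elevated PowerShell on a UEFI system with Secure Boot support.
#Requires -RunAsAdministrator

# EFI_CERT_X509_GUID from the UEFI specification: marks signature lists that hold DER certificates.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootDbCertificates {
    # Parse a Secure Boot variable (db by default) into its EFI_SIGNATURE_LIST entries and
    # emit every X.509 entry as an X509Certificate2. SHA-256 hash entries are skipped.
    param([string]$Name = 'db')
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    # EFI_SIGNATURE_LIST header: SignatureType GUID(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)
    while ($offset + 28 -le $bytes.Length) {
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list: stop instead of looping
        $sigOffset = $offset + 28 + $headerSize
        $listEnd   = [Math]::Min($offset + $listSize, $bytes.Length)
        while ($sigOffset + $sigSize -le $listEnd) {
            if ($type -eq $EfiCertX509Guid) {
                # EFI_SIGNATURE_DATA = SignatureOwner GUID (16 bytes) followed by the DER certificate
                $der = [byte[]]$bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            }
            $sigOffset += $sigSize
        }
        $offset = $listEnd
    }
}

function Test-SecureBoot2023Readiness {
    $result = [ordered]@{}

    # 1. Secure Boot state. Confirm-SecureBootUEFI throws on machines without UEFI Secure Boot.
    try { $result.SecureBootEnabled = Confirm-SecureBootUEFI } catch { $result.SecureBootEnabled = $false }

    # 2. What is actually in db, with expiry dates, so the June 2026 deadline is visible directly.
    $certs = @(Get-SecureBootDbCertificates -Name 'db')
    $result.DbCertificates = $certs | ForEach-Object { '{0} (expires {1:yyyy-MM-dd})' -f $_.Subject, $_.NotAfter }

    # 3. Are the 2023 CAs present? 'Windows UEFI CA 2023' is the name the article checks for;
    #    'Microsoft UEFI CA 2023' is assumed to be the subject of MicrosoftUEFICertificateAuthority_2023.cer.
    $result.HasWindowsUefiCa2023   = [bool]($certs | Where-Object Subject -match 'Windows UEFI CA 2023')
    $result.HasMicrosoftUefiCa2023 = [bool]($certs | Where-Object Subject -match 'Microsoft UEFI CA 2023')

    # 4. Anything in db that expires within the next year (the 2011-era CAs will show up here).
    $result.ExpiringWithinYear = $certs | Where-Object { $_.NotAfter -lt (Get-Date).AddYears(1) } | ForEach-Object Subject

    # 5. Servicing flag from the article: a value other than 0 means the device can take the new CA.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $cap = (Get-ItemProperty -Path $key -Name 'WindowsUEFICA2023Capable' -ErrorAction SilentlyContinue).WindowsUEFICA2023Capable
    $result.WindowsUEFICA2023Capable = $cap
    $result.CapableFlagOk = ($null -ne $cap -and $cap -ne 0)

    [pscustomobject]$result
}

Test-SecureBoot2023Readiness | Format-List
```

Parsing the signature lists rather than grepping decoded bytes avoids false positives from a CA name appearing inside a hash-only list or a revoked entry, and it gives the NotAfter date for every certificate, which is the value that actually matters for the June 2026 expiry. On a fleet, the same function can be pointed at 'KEK' to review the key exchange keys alongside db.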