Windows 11 Secure Boot update released to all, hours ahead of expiry

June 25, 2026

Microsoft has initiated the rollout of the Secure Boot 2023 certificate update to all eligible Windows 11 and Windows 10 PCs, just hours ahead of the impending expiration deadline set for June 24, 2026. A statement from Microsoft elaborates on this development: “With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.”

What is the Secure Boot Certificate Update?

Secure Boot is a UEFI firmware feature that runs before Windows starts loading. The firmware checks the digital signature of every boot component (the boot manager, bootloader and option ROMs) against the certificates stored in its db allow-list and dbx revocation list, so an unsigned or revoked bootloader is refused and rootkits and bootkits cannot insert themselves into the startup chain. The Key Exchange Key (KEK) is what authorizes updates to db and dbx. The certificates underpinning this system were originally issued in 2011: Microsoft Corporation KEK CA 2011 expires on June 24, 2026, Microsoft UEFI CA 2011 follows on June 27, and Microsoft Windows Production PCA 2011 expires on October 19, 2026.

To ensure the continued functionality of Secure Boot for future security updates beyond these dates, Microsoft has been distributing replacement 2023 certificates via Windows Update since 2024. The June 2026 update significantly broadened the range of eligible devices, placing the majority of supported PCs into what Microsoft designates as the “high confidence” category, allowing for automatic and safe updates.

How to check if your PC has the Secure Boot 2023 Certificates

The most straightforward method to verify the status of your Secure Boot certificates is through the Windows Security app, introduced in the April 2026 Windows 11 update. To check, open Windows Security, select Device Security from the left menu, and scroll to the Secure Boot section. You will encounter one of three status indicators:

  • A green checkmark indicates that all required certificate updates have been applied, meaning your PC is fully up to date and no action is required.
  • A yellow warning signifies that the update is pending. Your device may require additional compatibility data or a BIOS update from your PC manufacturer before the certificates can be installed. Microsoft will continue to attempt the automatic update.
  • A red alert points to a specific issue preventing the update, typically due to firmware incompatibility. In this case, it is advisable to consult your PC manufacturer’s support page for a BIOS update.

For HP users, it is worth noting that a faulty BIOS update from HP earlier this year led to BitLocker recovery loops, so it is prudent to verify that you have the corrected BIOS version rather than assuming the latest one is safe. Whatever the manufacturer, suspend BitLocker (or have your recovery key to hand) before flashing firmware, because changing Secure Boot variables alters the PCR measurements BitLocker is sealed to and can trigger recovery on the next boot.

If the Secure Boot section is absent from Device Security, it is likely that Secure Boot is disabled on your PC or that it was installed using a registry bypass on unsupported hardware. Detailed coverage of this situation for older and unsupported PCs is available.

Alternatively, for those who prefer a more traditional approach, you can check the Secure Boot Status by opening System Information (press Win + R, type msinfo32, and hit Enter) and locating the Secure Boot State line under System Summary. A comprehensive Secure Boot verification guide was published earlier this year for those interested in a registry or PowerShell-level audit.
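The PowerShell-level audit mentioned above, as an added example that is not part of the original article: it reads the firmware's KEK and db variables and the servicing status Windows records in the registry, and reports whether the 2023 certificates are actually present. It assumes an elevated prompt on a UEFI machine where the built-in Secure Boot cmdlets are available, that the 2023 certificate names match the ones Microsoft lists in its certificate-update guidance, and that the `UEFICA2023Status` registry value exists on the build being audited (it is absent on devices the servicing task has not yet evaluated).

```powershell
# Added example (not from the article): read-only audit of Secure Boot state and 2023 certificate presence.
# Assumptions: elevated PowerShell, UEFI firmware with Secure Boot cmdlets, and certificate names as
# documented by Microsoft. Nothing here writes to firmware or the registry.
#Requires -RunAsAdministrator

function Get-SecureBoot2023Status {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        SecureBootEnabled  = $false
        KEK2023            = $false
        DB_WindowsCA2023   = $false
        DB_UefiCA2023      = $false
        DB_OptionRomCA2023 = $false
        ServicingStatus    = 'Unknown'   # value of UEFICA2023Status if Windows has recorded one
    }

    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        # Legacy BIOS / CSM or unsupported firmware: the cmdlet throws instead of returning $false.
        Write-Warning "Secure Boot not supported or not readable: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # KEK and db are EFI_SIGNATURE_LISTs of DER-encoded certificates. The subject names are stored
    # as printable ASCII inside the DER, so a substring match on the raw bytes is a cheap presence test.
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)

    $result.KEK2023            = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    $result.DB_WindowsCA2023   = $db  -match 'Windows UEFI CA 2023'            # signs the new boot manager
    $result.DB_UefiCA2023      = $db  -match 'Microsoft UEFI CA 2023'          # third-party bootloaders
    $result.DB_OptionRomCA2023 = $db  -match 'Microsoft Option ROM UEFI CA 2023'

    # Windows' own view of the rollout. Assumed value names per Microsoft's guidance;
    # the key may be missing on a device the servicing task has not touched yet.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
                            -Name UEFICA2023Status -ErrorAction SilentlyContinue
    if ($svc) { $result.ServicingStatus = $svc.UEFICA2023Status }

    [pscustomobject]$result
}

$status = Get-SecureBoot2023Status
$status | Format-List

if (-not $status.SecureBootEnabled) {
    'Secure Boot is off or the firmware is legacy/CSM: the certificate update does not apply until it is enabled.'
} elseif ($status.KEK2023 -and $status.DB_WindowsCA2023) {
    'The 2023 KEK and the Windows UEFI CA 2023 are in firmware: this device is on the new trust chain.'
} else {
    'Secure Boot is on but the 2023 certificates are not fully in firmware: wait for Windows Update or check the OEM BIOS page.'
}
```

The msinfo32 "Secure Boot State" line only tells you whether Secure Boot is on; the firmware variables are the ground truth for which certificates the machine will actually trust, which is why the script reads them directly rather than relying on the registry alone. The dbx (revocation) variable can be read the same way with `Get-SecureBootUEFI -Name dbx` if you need to confirm a revocation payload landed.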

What if your PC did not receive the Secure Boot update?

While it is uncommon, not receiving the Secure Boot certificate update does not render your PC inoperable. Microsoft has confirmed that devices lacking the 2023 certificates will continue to boot normally and receive regular Windows updates. However, once the 2011 certificates expire, such devices can no longer receive future boot-level security updates: new dbx revocations for malicious or vulnerable bootloaders, and new boot manager releases of the kind that mitigated the BlackLotus bootkit. This is a gradual erosion of protection rather than an immediate failure.

For most home users with modern hardware, the update was delivered automatically, requiring no action. If your PC displays a yellow warning, simply waiting for the next Windows Update cycle should suffice, as Microsoft continues to expand device coverage with each monthly update.

For users of older PCs where the manufacturer has ceased BIOS updates, the likelihood of obtaining the 2023 certificates is relatively low. Some PCs have experienced failures in Secure Boot 2023 updates due to firmware incompatibilities, and for these devices, a straightforward fix may not be available. Users should prioritize checking for a BIOS update before attempting any manual interventions.

Your PC may restart twice after updates and it is normal

Some users have reported their PCs restarting two or three times following recent Windows updates, leading to concerns that something may have gone awry. Microsoft has confirmed that this behavior is expected, particularly due to the Secure Boot certificate process. Each step—writing the new certificates to the firmware, applying the updated boot manager, and booting Windows with the new chain—requires separate reboots. Therefore, if your PC restarted multiple times after the June update, rest assured it was functioning as intended.

The SecureBoot folder in Windows is not a Virus

Following the May 2026 update, many users noticed a new folder located at C:\Windows\SecureBoot, prompting concerns that it might be malware. Microsoft has clarified that this is not a bug and that users should refrain from deleting it. The folder is utilized by Windows to stage the cryptographic certificate files prior to writing them to the firmware.

Windows 10 users are also getting the Secure Boot update

The ongoing provision of Secure Boot updates for Windows 10, despite its end of life status, underscores the significance of this change. Users of Windows 10 enrolled in the Extended Security Updates program began receiving Secure Boot status reporting with the May 2026 update KB5087544. The update mechanism remains consistent across both operating systems. However, if you are on Windows 10 and are not part of the ESU program, the certificate update will not be delivered through Windows Update.

Enrolling in the ESU program necessitates transitioning from a local account to a Microsoft account on your Windows 10 PC. Windows 11 users should also be aware that Windows Latest has tested and covered all new features introduced in the June 2026 update, which marked the broadest rollout of the Secure Boot certificates to date.

For IT Admins: What the Deadline means starting June 24

The expiration of Microsoft Corporation KEK CA 2011 on June 24 means that Microsoft can no longer sign new Secure Boot revocation payloads (DBX updates) with the old key, since the KEK is what authorizes changes to db and dbx. Nonetheless, all existing signed payloads and manual rollout methods will remain functional. The db-side signing certificate, Microsoft Windows Production PCA 2011, does not expire until October 19, so Microsoft can continue signing new boot managers under the old chain until that date. Microsoft has conducted two detailed AMA sessions with engineers specifically for IT administrators, addressing topics such as device confidence buckets, Intune monitoring, PXE boot scenarios, and considerations for virtual machines. For enterprise fleet management, the resource at aka.ms/GetSecureBoot serves as a central hub of information.

For devices currently in the temporarily paused bucket, the recommended course of action is to obtain a BIOS update from the OEM. Attempting to force the update through registry keys on a paused device without prior firmware updates is ill-advised, as it may lead to boot failures or trigger BitLocker recovery.

Winsage