Windows 11 Secure Boot update released to all, hours ahead of expiry

Microsoft has initiated the rollout of the Secure Boot 2023 certificate update for all eligible Windows 11 and Windows 10 PCs, just hours ahead of the impending expiration deadline on June 24, 2026. In an official statement, Microsoft noted, “With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.”

If your PC has received the June 2026 Patch Tuesday update, there’s a strong likelihood that the Secure Boot 2023 certificates have already been installed seamlessly. Below are steps to verify your device’s status and actions to take if you encounter any warnings.

What is the Secure Boot Certificate Update?

Secure Boot serves as a firmware-level security feature that activates before Windows begins its loading process. It ensures the digital signature of each boot component is verified, effectively preventing rootkits and bootkits from infiltrating the startup chain. The original certificates were issued in 2011, with the Microsoft Corporation KEK CA 2011 set to expire on June 24, 2026, followed by Microsoft UEFI CA 2011 on June 27, and Microsoft Windows Production PCA 2011 on October 19, 2026.

To maintain the functionality of Secure Boot for future security updates post-expiration, Microsoft has been distributing replacement 2023 certificates via Windows Update since 2024. The June 2026 update significantly broadened the range of eligible devices, categorizing the majority of supported PCs into what Microsoft refers to as the “high confidence” category, allowing for automatic and secure updates.

How to check if your PC has the Secure Boot 2023 Certificates

The most straightforward method to verify your Secure Boot status is through the Windows Security app, introduced in the April 2026 Windows 11 update. To check, open Windows Security, select Device Security from the left menu, and scroll to the Secure Boot section. You will encounter one of three status indicators:

  • Green Checkmark: Indicates that all required certificate updates have been applied, meaning your PC is fully up to date and no action is needed.
  • Yellow Warning: Suggests that the update is pending. Your device may require additional compatibility data or a BIOS update from your PC manufacturer before the certificates can be installed. Microsoft will continue to attempt the update automatically.
  • Red Alert: Signifies a specific issue blocking the update, often due to firmware incompatibility. In this case, it is advisable to check your PC manufacturer’s support page for a BIOS update.

For HP users, a problematic BIOS update earlier this year caused BitLocker recovery loops; thus, it is essential to verify that a corrected BIOS version is available rather than assuming the latest one is safe.

If the Secure Boot section is absent from Device Security, it likely indicates that Secure Boot is disabled on your PC or that Windows was installed using a registry bypass on unsupported hardware. For those interested in a more traditional approach, you can check the Secure Boot status by opening System Information (press Win + R, type msinfo32, and hit Enter) and locating the Secure Boot State line under System Summary.
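A scriptable version of the same check, as an added example that is not from Microsoft or the original article: it reads the KEK and db firmware variables with the built-in Get-SecureBootUEFI cmdlet and reports which 2011 and 2023 certificates are present. The 2023 certificate names and the function name Get-SecureBootCertReport are assumptions not stated in the article; run it from an elevated PowerShell session on a UEFI system.

```powershell
# Added example: list which Microsoft Secure Boot certificates the firmware holds.
# Read-only; it changes nothing in firmware or the registry.

# Variable = UEFI variable to search, Match = text searched for in that variable.
# The 2011 entries follow the certificates named in the article ("UEFI CA 2011" is
# matched as a substring because the subject may carry a "Corporation" prefix).
# The 2023 names are assumptions taken from Microsoft's published certificate
# subjects, not from the article.
$expected = @(
    @{ Variable = 'KEK'; Match = 'Microsoft Corporation KEK CA 2011';      Generation = 2011 }
    @{ Variable = 'db';  Match = 'UEFI CA 2011';                           Generation = 2011 }
    @{ Variable = 'db';  Match = 'Microsoft Windows Production PCA 2011';  Generation = 2011 }
    @{ Variable = 'KEK'; Match = 'Microsoft Corporation KEK 2K CA 2023';   Generation = 2023 }
    @{ Variable = 'db';  Match = 'Windows UEFI CA 2023';                   Generation = 2023 }
    @{ Variable = 'db';  Match = 'Microsoft UEFI CA 2023';                 Generation = 2023 }
)

function Get-SecureBootCertReport {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems and when not elevated.
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        Write-Warning "Cannot query Secure Boot: $($_.Exception.Message)"
        return
    }
    Write-Host "Secure Boot enabled: $enabled"

    $cache = @{}   # decoded contents of each firmware variable, read once
    foreach ($item in $expected) {
        $var = $item.Variable
        if (-not $cache.ContainsKey($var)) {
            $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
            # Certificate subjects are stored as plain text inside the DER data,
            # so an ASCII decode is enough to search for them.
            $cache[$var] = [System.Text.Encoding]::ASCII.GetString($bytes)
        }
        [pscustomobject]@{
            Variable   = $var
            Searched   = $item.Match
            Generation = $item.Generation
            Present    = $cache[$var].Contains($item.Match)
        }
    }
}

Get-SecureBootCertReport | Format-Table -AutoSize
```

A device that has completed the update shows Present as True for the 2023 rows; the 2011 rows normally remain True as well, since the new certificates are added alongside the old ones.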

What if your PC did not receive the Secure Boot update?

While it is uncommon, not receiving the Secure Boot certificate update does not prevent your PC from functioning. Microsoft has assured that devices lacking the 2023 certificates will continue to boot normally and receive regular Windows updates. However, the ability to receive future boot-level security updates—including revocations for newly identified malicious bootloaders and fixes for vulnerabilities like the BlackLotus bootkit—will cease. This security degradation is gradual rather than immediate.

For most home users on modern hardware, the update should have arrived automatically, requiring no further action. If your PC displays a yellow warning, it is sufficient to wait for the next Windows Update cycle, as Microsoft is continually expanding device coverage with each monthly update.

For older PCs where the manufacturer has halted BIOS updates, the likelihood of obtaining the 2023 certificates is quite low. Some PCs have faced failures in receiving the Secure Boot 2023 updates due to firmware incompatibilities, and for those devices, a straightforward fix may not be available. Users should prioritize checking for a BIOS update before attempting any manual interventions.

Your PC may restart twice after updates, and that is normal

Some users have observed their PCs restarting multiple times following recent Windows updates and have assumed something went awry. Microsoft has confirmed that this behavior is expected, particularly due to the Secure Boot certificate process. Each step—writing the new certificates to the firmware, applying the updated boot manager, and booting Windows with the new chain—requires separate reboots. Therefore, if your PC restarted more than once after the June update, it was functioning as intended.

The SecureBoot folder in Windows is not a virus

Following the May 2026 update, many users noticed a new folder at C:\Windows\SecureBoot and expressed concerns, suspecting it to be malware. Microsoft has clarified that this is not a bug and should not be deleted, as Windows utilizes this folder to stage cryptographic certificate files prior to writing them to the firmware.

Windows 10 users are also getting the Secure Boot update

The ongoing updates for Windows 10, despite its end-of-life status, underscore the significance of this change. Users enrolled in the Extended Security Updates program began receiving Secure Boot status reporting from the May 2026 update KB5087544. The update mechanism remains consistent across both operating systems. However, if you are on Windows 10 and are not part of the ESU program, the certificate update will not be delivered through Windows Update.

Enrolling in ESU necessitates transitioning from a local account to a Microsoft account on your Windows 10 PC. Windows 11 users should be aware that Windows Latest has tested and reported on all new features introduced in the June 2026 update, which marked the broadest rollout of the Secure Boot certificates to date.

For IT Admins: What the Deadline means starting June 24

The expiration of the Microsoft Corporation KEK CA 2011 on June 24 signifies that Microsoft will no longer be able to sign new Secure Boot revocation payloads (DBX updates) with the old key. Nonetheless, all existing signed payloads and manual rollout methods will continue to function. The DB key remains valid until October 19, allowing Microsoft to sign new boot managers until that date. Microsoft has conducted two detailed AMA sessions with engineers specifically for IT administrators, addressing topics such as device confidence buckets, Intune monitoring, PXE boot scenarios, and considerations regarding virtual machines. For enterprise fleet management, the resource at aka.ms/GetSecureBoot remains central.

For devices currently in the temporarily paused bucket, the path forward involves obtaining a BIOS update from the OEM. It is not advisable to force the update through registry keys on a paused device without a prior firmware update, as this may lead to boot failures or BitLocker recovery issues.
