Your PC's critical security certificates may be about to expire - how to check
Summary
Microsoft Secure Boot certificates from 2011, which protect modern Windows and Linux PCs by ensuring only trusted software runs at startup, are set to expire in June 2026. This feature, standard on PCs since 2011, relies on a chain of cryptographic certificates, including the Key Exchange Key (KEK) and UEFI CA certificates, which validate boot components. If these certificates expire without being updated, the operating system will refuse to start, though users can disable Secure Boot (at the cost of BitLocker access). Microsoft issued replacement 2023 certificates and has been coordinating with hardware OEMs since 2023 to provision these on new devices and deliver updates to existing ones, largely through automatic Windows updates. Most users running supported Windows versions on major OEM PCs should receive these updates seamlessly.
Key takeaway
For CTOs overseeing IT infrastructure, ensure all Windows 10 (with ESU) and Windows 11 PCs receive automatic updates to prevent Secure Boot certificate expiration issues by June 2026. Verify that specialized systems, custom builds, or Linux-only machines have a plan for manual firmware updates from OEMs or motherboard manufacturers. Failure to update could compromise boot security and serviceability, potentially requiring BitLocker recovery keys if Secure Boot is disabled.
Key insights
Expiring 2011 Secure Boot certificates require updates to maintain PC security and boot functionality by June 2026.
Principles
- Regular certificate rotation enhances security.
- Secure Boot prevents unauthorized OS tampering.
Method
Check Secure Boot certificate status using PowerShell: `([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')`. "True" means the certificate has been updated; "False" means a firmware update is required.
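The one-liner above throws an error on legacy-BIOS machines and inspects only the signature database (db). The script below is an added example, not code from the original article: it runs the same byte-string check against both db and KEK and reports failures instead of throwing. The function name `Test-SecureBootCert` is hypothetical, and the KEK subject string is taken from Microsoft's published certificate names, not from this page.

```powershell
#Requires -RunAsAdministrator
# Added example: audit one machine for the 2023 Secure Boot certificates.

function Test-SecureBootCert {
    param(
        [Parameter(Mandatory)][ValidateSet('db', 'KEK')][string]$Variable,
        [Parameter(Mandatory)][string]$Subject
    )
    try {
        # Raw contents of the UEFI variable (an EFI signature list).
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    }
    catch {
        # Variable unreadable: report it rather than guessing a result.
        return [pscustomobject]@{
            Variable = $Variable; Subject = $Subject
            Present  = $null;     Note    = $_.Exception.Message
        }
    }
    # Same technique as the one-liner: the certificate subject is stored as
    # plain text inside the DER blob, so a literal substring search finds it.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    [pscustomobject]@{
        Variable = $Variable; Subject = $Subject
        Present  = $text.Contains($Subject); Note = ''
    }
}

# Legacy BIOS (non-UEFI) systems make this cmdlet throw; stop cleanly there.
try { $enabled = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"; return }
Write-Output "Secure Boot enabled: $enabled"

$checks = @(
    @{ Variable = 'db';  Subject = 'Windows UEFI CA 2023' }                  # string from the page
    @{ Variable = 'KEK'; Subject = 'Microsoft Corporation KEK 2K CA 2023' }  # assumption: not on the page
)
$results = foreach ($c in $checks) { Test-SecureBootCert @c }
$results | Format-Table -AutoSize

# A non-zero exit code lets fleet-management tooling flag the machine.
if ($results.Present -contains $false -or $results.Present -contains $null) {
    Write-Warning 'One or more 2023 certificates are missing or could not be read.'
    exit 1
}
```

Run it from an elevated PowerShell session; the exit code makes it usable as a compliance check in endpoint-management tooling.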
In practice
- Install all Windows updates promptly.
- Contact OEM for manual firmware updates.
- Back up BitLocker recovery keys.
Topics
- Secure Boot
- UEFI Firmware
- Cryptographic Certificates
- Windows Security Updates
- PC Hardware Security
Best for: CTO, General Interest, IT Professional, Software Engineer
Editorial summary, takeaway, and curation by AIssential. Original article published by News and Advice on the World's Latest Innovations | ZDNET.