Microsoft pushes critical Secure Boot update to all Windows 11 PCs before June 24 deadline

Microsoft has officially pushed the Secure Boot 2023 certificate update to all eligible Windows 11 and Windows 10 PCs, arriving just hours before the first major expiration deadline hits on June 24, 2026. This rollout marks a significant milestone in maintaining firmware-level security for millions of devices as older cryptographic keys begin to expire.

If you installed the June 2026 Patch Tuesday update, there is a high probability that these new certificates have already landed on your device automatically. Microsoft confirmed the wider rollout, noting that Windows quality updates now include additional high-confidence device targeting data. This increases coverage for devices eligible to receive the new Secure Boot certificates automatically, provided they demonstrate sufficient successful update signals.

Why this update matters right now

Secure Boot is a firmware-level security feature that verifies the digital signature of every boot component before Windows even starts loading. It blocks rootkits and bootkits from inserting themselves into the startup chain. The certificates backing this system were originally issued in 2011, and they are expiring in stages:

  • Microsoft Corporation KEK CA 2011: Expires June 24, 2026
  • Microsoft UEFI CA 2011: Expires June 27, 2026
  • Microsoft Windows Production PCA 2011: Expires October 19, 2026

To keep Secure Boot functioning for future security updates after these dates, Microsoft has been rolling out replacement 2023 certificates through Windows Update since 2024. The June 2026 update significantly expanded the pool of eligible devices, moving the vast majority of supported PCs into what Microsoft calls the “high confidence” category. This allows the update to be applied automatically and safely without manual intervention.

How to check if your PC has the Secure Boot 2023 Certificates

The quickest way to verify your status is through the Windows Security app, a feature Microsoft added in the April 2026 Windows 11 update. Open Windows Security, click Device security from the left menu, then scroll to the Secure Boot section. You will see one of three status indicators:

  • Green checkmark: All required certificate updates have been applied. Your PC is fully up to date, and no action is needed.
  • Yellow warning: The update is pending. Your device may need more compatibility data or a BIOS update from your manufacturer before the certificates can be installed. Microsoft will continue trying to push it automatically.
  • Red alert: A specific issue is blocking the update, typically a firmware incompatibility. You should check your PC manufacturer’s support page for a BIOS update.

If the Secure Boot section is missing from Device Security, your PC likely has Secure Boot disabled or was installed using a registry bypass on unsupported hardware. For a more traditional check, open System Information (press Win + R, type msinfo32, hit Enter) and look for the Secure Boot State line under System Summary.
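For a check that reads the firmware directly rather than the Windows Security summary, the following PowerShell is an added example (not from the original article or from Microsoft). It reads the KEK and db variables with Get-SecureBootUEFI and searches them for certificate subject names. The function name Get-SecureBootCaStatus is hypothetical, and the 2023 certificate names and the firmware spelling "Microsoft Corporation UEFI CA 2011" are supplied here, not taken from the article.

```powershell
# Added example: report which Microsoft Secure Boot CAs are enrolled in firmware.
# Run from an elevated PowerShell session on a PC that boots through UEFI.
function Get-SecureBootCaStatus {
    [CmdletBinding()]
    param()

    # Subject names to look for in each UEFI variable (list supplied by this example).
    # The "Microsoft UEFI CA 2011" certificate carries the subject
    # "Microsoft Corporation UEFI CA 2011" in firmware.
    $expected = [ordered]@{
        KEK = @('Microsoft Corporation KEK CA 2011',
                'Microsoft Corporation KEK 2K CA 2023')
        db  = @('Microsoft Windows Production PCA 2011',
                'Microsoft Corporation UEFI CA 2011',
                'Windows UEFI CA 2023',
                'Microsoft UEFI CA 2023',
                'Microsoft Option ROM UEFI CA 2023')
    }

    # Confirm-SecureBootUEFI fails on legacy BIOS boots and in non-elevated sessions.
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        throw "Cannot query Secure Boot (legacy BIOS boot or non-elevated session): $($_.Exception.Message)"
    }

    foreach ($variable in $expected.Keys) {
        # The variable holds DER-encoded certificates; subject names are stored
        # as plain ASCII inside them, so a substring search is sufficient.
        $bytes = (Get-SecureBootUEFI -Name $variable -ErrorAction Stop).Bytes
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)

        foreach ($name in $expected[$variable]) {
            [pscustomobject]@{
                SecureBootEnabled = $enabled
                Variable          = $variable
                Certificate       = $name
                Present           = $text.Contains($name)
            }
        }
    }
}

Get-SecureBootCaStatus | Format-Table -AutoSize
```

Present = True for a 2023 name shows that the certificate is enrolled in firmware; it does not show that the boot manager has already been switched to the 2023 chain.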

What if your PC did not receive the update?

If your device missed the Secure Boot certificate update, it does not mean your PC will stop working. Microsoft has confirmed that devices without the 2023 certificates will continue to boot normally and receive regular Windows updates. However, they will lose the ability to receive future boot-level security updates.

This includes revocations for newly discovered malicious bootloaders and fixes for vulnerabilities like the BlackLotus bootkit. The security degradation is gradual, not immediate. For most home users on modern hardware, the update arrived automatically. If your PC is showing a yellow warning, it is usually enough to wait for the next Windows Update cycle, as Microsoft continues expanding device coverage with each monthly release.

For older PCs where the manufacturer has stopped pushing BIOS updates, the chances of getting the 2023 certificates are slim. Secure Boot 2023 updates have been failing on some devices due to firmware incompatibilities, and for those systems, there may not be a straightforward fix. The priority is to check whether a BIOS update exists before attempting any manual intervention.

Normal behavior: Multiple restarts and new folders

Some users have noticed their PCs restarting two or three times after recent Windows updates and assumed something went wrong. Microsoft confirmed this is expected behavior specifically because of the Secure Boot certificate process. Writing the new certificates to the firmware, applying the updated boot manager, and then booting Windows with the new chain each require a separate reboot. If your PC restarted more than once after the June update, it was working correctly.

Additionally, around the time of the May 2026 update, many users noticed a new folder at C:\Windows\SecureBoot and were concerned it was malware. Microsoft confirmed this is not a bug and you should not delete it. Windows uses this folder to stage the cryptographic certificate files before writing them to the firmware.

Windows 10 users and IT Admins

Windows 10, which has reached end of life, still gets Secure Boot updates on devices enrolled in the Extended Security Updates (ESU) program. Users started getting Secure Boot status reporting with the May 2026 update, KB5087544. The update mechanism is identical across both operating systems. If you are on Windows 10 and not in the ESU program, the certificate update will not arrive through Windows Update.

For IT administrators, the June 24 expiration of the Microsoft Corporation KEK CA 2011 means Microsoft loses the ability to sign new Secure Boot revocation payloads (DBX updates) with the old key. All existing signed payloads and manual rollout methods continue working. The DB key does not expire until October 19, so Microsoft can still sign new boot managers until then. For enterprise fleet management, aka.ms/GetSecureBoot remains the central resource.

For devices in the temporarily paused bucket, the path forward is a BIOS update from the OEM. Forcing the update through registry keys on a paused device without a firmware update first is not recommended and may trigger boot failures or BitLocker recovery loops. HP users specifically should check for corrected BIOS versions, as a faulty update earlier this year caused issues.

Source: Windows Latest

Build details:

  • KB5071546
  • KB5087544
  • KB5094126
