Secure Boot Certificates Expire June 26: Is Your PC Ready?

On June 26, 2026, the Microsoft Corporation KEK CA 2011 and Microsoft UEFI CA 2011 certificates expire. These certificates are part of Secure Boot, the security feature that prevents malware from loading before Windows starts.

If your PC still has the old certificates and doesn't get the 2023 replacements, you won't stop booting. But you will stop receiving boot-level security updates, which means your PC becomes increasingly vulnerable to rootkits and bootloader attacks over time.

What Is Secure Boot?

Secure Boot is a UEFI firmware feature that checks every piece of software that runs during startup. If a bootloader or driver isn't signed by a trusted certificate, Secure Boot blocks it. This prevents boot-level malware from loading before Windows and your antivirus even start.

The certificates that define "trusted" are stored in your PC's firmware. Microsoft issued the original certificates in 2011. They expire in June 2026. Microsoft has been rolling out replacement certificates (dated 2023) through Windows Update since late 2025.

How to Check Your Status

Windows 11's April 2026 update added Secure Boot status badges to the Windows Security app. Look for:

• Green: Your certificates are current. No action needed.
• Yellow: Your certificates need updating. Windows Update should handle this automatically if you're connected.
• Red: Secure Boot is disabled or certificates are critically outdated.

You can also check manually: open System Information (type "msinfo32" in the Start menu) and look for "Secure Boot State." If it says "On," Secure Boot is enabled. If it says "Off," you need to enable it in your BIOS.

What to Do Before June 26

If Secure Boot is on and Windows Update is running normally: You're probably fine. Microsoft is pushing the 2023 certificates automatically through Windows Update on consumer Windows 11 PCs. Keep your PC updated and check the Windows Security badge.

If Secure Boot is off: You need to enable it in your BIOS/UEFI settings. Restart your PC, press DEL or F2 during startup (the key varies by manufacturer), find Secure Boot under Security or Boot settings, set it to Enabled, save, and exit.

If you're on Windows 10: ESU (Extended Security Updates) users should still receive the certificate update through Windows Update. If you're NOT on ESU, your PC may not get the new certificates automatically. Check with Microsoft's support documentation for manual options.

If you manage a fleet: This is more complex. Windows Server requires manual certificate updates (it does not auto-roll like client Windows). Microsoft published a Secure Boot playbook for IT professionals at their Tech Community blog.

How SimpleFixAI Helps

SimpleFixAI checks your Secure Boot status on every scan. If Secure Boot is disabled, it surfaces a guidance card that explains what Secure Boot does, why it matters, and walks you through enabling it step by step.

There's also a separate card for the June 2026 certificate deadline that explains what the yellow or red badge in Windows Security means and reassures you that on consumer Windows 11, keeping Windows Update on handles the transition automatically.

SimpleFixAI can't change your BIOS settings remotely (that's a firmware-level setting that requires a physical reboot and manual configuration), but it tells you exactly what to do and why.