Will the secure boot certificate expire in June 2026? What to check and what to do before your PC stops booting

What does it mean when you hear "Secure Boot certificate has expired"? If you think so, please honestly raise your hand. As of February 2026, it is in the news that the electronic certificate for "Secure Boot" required to start Windows will expire in June 2026.

What will happen if we leave it alone? In the worst case scenario, One day your computer suddenly won't start. But don't worry. Most people should be fine if they use Windows Update normally. In this article, we will explain in an easy-to-understand manner how to check whether your PC is safe and what to do in case of an emergency.

What exactly is secure boot?

Secure Boot is a system that confirms that "this OS (Windows) is genuine" when you turn on your computer. Roughly speaking, it's a security check when starting a computer.

What is used for this check is an "electronic certificate." Just like a driver's license has an expiration date, this certificate also has an expiration date. The certificate issued by Microsoft in 2011 will finally expire in June 2026.

When the certificate expires, there is a possibility that the computer will decide that ``I cannot confirm whether this Windows can be trusted, so I will stop starting it.''

What happens when the deadline expires? Organize the scope of influence

Microsoft's official support page, there are three types of certificates that will expire:

• Microsoft Corporation KEK CA 2011 — Expires June 2026
• Microsoft UEFI CA 2011 — Expires June 2026
• Microsoft Windows Production PCA 2011 — Expires October 2026

These will be replaced by new "2023 version" certificates. Specifically, "Windows UEFI CA 2023" and "Microsoft UEFI CA 2023".

Affected are PCs running Windows 8 or later (including Windows 10 and 11) with Secure Boot enabled. In other words, consider that almost all PCs purchased within the last 10 years are eligible.

However, If you have applied cumulative updates from June 2025 onwards, the new certificate will be automatically installed. There is basically no need to worry if you regularly update Windows.

Is my PC safe? How to check the certificate

For those who are worried about whether it is really okay, we will introduce how to check. We will use a standard Windows tool called PowerShell.

Step 1: Open PowerShell with administrator privileges

Right-click the start button → select "Terminal (Administrator)". For Windows 10, select "Windows PowerShell (Administrator)".

Step 2: Run the command to check the certificate

Copy and paste the command below and press Enter.

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

If the result shows True, the new certificate is already installed. You don't need to do anything.

If the result shows "False", you still have the old certificate. Try the workaround in the next section.

Step 3: Check if secure boot is enabled (supplement)

You can check whether Secure Boot is enabled with the following command.

Confirm-SecureBootUEFI

If "True", secure boot is enabled. If "False" or "Command not recognized", Secure Boot is disabled or the legacy BIOS is not affected by this issue.

4 ways to deal with people who get "False"

For those who get "False" in the confirmation, that is, those who have not yet received the new certificate, please take the following steps. It is OK as long as you respond by June 24, 2026.

Solution 1: Run Windows Update (highest priority)

First of all, this is the easiest and surest way.

1. Open "Settings" → "Windows Update"
2. Click "Check for updates"
3. Install any updates found and restart

If the cumulative update from June 2025 onwards is applied, the new certificate will be automatically installed. dynabook's official guide also says, ``There is nothing to consider as long as you keep your OS up to date.''

Workaround 2: Run the certificate renewal task manually

If Windows Update does not work for some reason, try running the following command in PowerShell (with administrator privileges).

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

This command manually runs Windows' built-in certificate renewal task. After executing, restart your PC and try the confirmation command again.

Solution 3: Update the BIOS to the latest version

Some PC manufacturers distribute new certificates with BIOS updates. Check your manufacturer's support page for the latest BIOS.

• Dell — How to check the Secure Boot certificate
• dynabook — About expiry of secure boot certificate
• HP — Information about secure boot certificates

Solution 4: Recovery when it stops starting

In the unlikely event that your PC cannot start after the expiry date, please try the following steps.

1. Enter the BIOS settings screen (press F2 or Delete key repeatedly at startup)
2. Temporarily "disable" Secure Boot
3. Start Windows and run Windows Update
4. Once the new certificate is installed, set Secure Boot back to 'enabled'

How to enter the BIOS settings varies depending on the manufacturer. Generally, Dell has F2, HP has F10, and Lenovo has F1 or Fn+F1. If you don't know, try searching for "manufacturer name BIOS entry method".

Bad actions that should not be done

When dealing with this problem, do not do the following:

• Leave Secure Boot permanently disabled — Secure Boot is an important feature that protects your PC from malware. It's OK to temporarily disable it, but be sure to re-enable it after renewing the certificate
• Download certificates from unofficial tools and sites — Update certificates only from Windows Update or your PC manufacturer's official website. Unofficial items may be malware
• Changing BIOS settings without knowing the details — It is safe to not touch any settings other than enabling/disabling Secure Boot. If you are unsure, please consult your local PC shop or manufacturer support

FAQ

Is it okay if I do Windows Update normally?

Yes, in most cases it's fine. If you have applied Windows Update from June 2025 onwards, the new Secure Boot certificate will be installed automatically. If you are concerned, please check if the confirmation command in this article returns "True".

Is it also affected by Windows 10?

Yes. PCs with Windows 10 and Secure Boot enabled are similarly affected. Support for Windows 10 will end in October 2025, but secure boot certificate updates will continue to be distributed even after that.

Is it necessary to support self-made PCs and BTO PCs?

Yes, if Secure Boot is enabled. If you are building your own PC, we recommend checking the latest BIOS on the motherboard manufacturer's website (ASUS, MSI, Gigabyte, etc.). Automatic updates using Windows Update are also effective.

What should I do if my PC no longer starts?

There is a high possibility that you can boot if you temporarily disable secure boot in the BIOS settings. Please update the certificate with Windows Update after booting, and then re-enable secure boot.

What if I can't do Windows Update myself on my company PC?

Your company's IT administrator may manage updates via WSUS (Windows Server Update Services) or Microsoft Intune. Please check with your company's IT department to see if they have updated the secure boot certificate.

References

• Windows Secure Boot certificate expiration and CA updates — Microsoft Support, 2025
• About expiration of Windows Secure Boot certificate — dynabook official, February 17, 2026
• How to check the secure boot certificate — Dell Japan
• Preparations for "Windows 11 unbootability risk" approaching in June 2026 February monthly update "KB5077181" released — @IT, February 12, 2026
• Updating the secure boot certificate database and expiration of the secure boot certificate — VAIO official FAQ