Check Windows PC for expiring Secure Boot certificates

Source: Latest news

Secure Boot, enabled by default on Windows 10 and 11 PCs built since 2011, blocks untrusted software from running at startup. The Microsoft-issued Secure Boot certificates from 2011 are slated to expire in June 2026. Secure Boot uses a chain of cryptographic certificates — including the Key Exchange Key (KEK), the UEFI and Production CAs, and the Platform Key managed by the OEM — to validate boot components.

When those certificates expire, a device will still start, but it can no longer receive updates for Windows Boot Manager, Secure Boot databases and revocation lists, or fixes for boot-chain vulnerabilities. Turning off Secure Boot can also prevent access to BitLocker-encrypted disks without the recovery key.

Microsoft and OEMs issued replacement certificates in 2023 and have been provisioning updates since 2024; many devices shipped in 2025 already include the new certificates and require no action.
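One way to check whether a given PC already holds the replacement certificates, as an added PowerShell example that is not from the original article. It assumes an elevated session on a UEFI system, and the certificate names it searches for are Microsoft's published 2011 and 2023 names, which do not appear on this page.

```powershell
# Added example. Run in an elevated PowerShell session on a UEFI system.
# The certificate names are Microsoft's published names, not values from the page.
$checks = @(
    @{ Var = 'KEK'; Old = 'Microsoft Corporation KEK CA 2011';     New = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Var = 'db';  Old = 'Microsoft Windows Production PCA 2011'; New = 'Windows UEFI CA 2023' },
    @{ Var = 'db';  Old = 'Microsoft Corporation UEFI CA 2011';    New = 'Microsoft UEFI CA 2023' }
)

try {
    # Throws on legacy BIOS systems or when the session is not elevated.
    $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    $store = @{}
    foreach ($name in 'KEK', 'db') {
        # Certificate subject names are stored as readable text inside the DER
        # data, so a substring search over the raw variable bytes finds them.
        $bytes = (Get-SecureBootUEFI -Name $name -ErrorAction Stop).Bytes
        $store[$name] = [System.Text.Encoding]::ASCII.GetString($bytes)
    }
} catch {
    Write-Warning "Cannot read Secure Boot state: $($_.Exception.Message)"
    return
}

"Secure Boot enabled: $enabled"
$checks | ForEach-Object {
    [pscustomobject]@{
        Variable = $_.Var
        Cert2011 = $_.Old
        Has2011  = $store[$_.Var].Contains($_.Old)
        Cert2023 = $_.New
        Has2023  = $store[$_.Var].Contains($_.New)
    }
} | Format-Table -AutoSize
```

A row with `Has2023` set to `False` means that replacement certificate has not yet been provisioned into that firmware variable on the device.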
