Secure Boot Certs Expire: Action Needed! (Windows)

Microsoft is alerting users to the expiration of critical Secure Boot certificates in June 2026, a move that could impact the ability of some PCs to boot securely. This "generational refresh" of the trust foundation of modern PCs requires users to ensure their systems are updated to avoid potential boot issues. Systems not updated may face difficulties booting into their operating systems.

Key Takeaways

  • Secure Boot certificates on many PCs will expire in June 2026, potentially causing boot failures.
  • Newer PCs built since 2024, and almost all devices shipped in 2025, already include the updated certificates.
  • Users can check their system’s status via PowerShell and may need to update their BIOS.
  • Dell, HP, Lenovo, Microsoft, and Asus provide specific instructions and updates for their systems.

Why Are Secure Boot Certificates Expiring?

Secure Boot is a security standard developed by the Unified Extensible Firmware Interface (UEFI) Forum, designed to ensure that a device only boots using software that is trusted by the Original Equipment Manufacturer (OEM). It establishes a "root of trust" during the boot process, preventing malicious software from loading during startup. The expiring certificates are part of this process, and replacing them is a scheduled refresh that maintains the integrity of the boot process.

According to Microsoft’s Costa, "The Secure Boot certificate update marks a generational refresh of the trust foundation that modern PCs rely on at startup. By renewing these certificates, the Windows ecosystem is ensuring that future innovations in hardware, firmware, and operating systems can continue to build on a secure, industry‐aligned boot process."

Users can check whether their system has the updated certificates by opening PowerShell or Terminal and running:

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')

A "true" result indicates the system has the updated BIOS with the new Secure Boot certificates. Older PCs and systems without a BIOS update installed will return "false". For systems needing updates, manufacturers like Asus provide methods to get the certificates via Windows Update, the MyAsus app, or the Asus website. Getting the update matters because outdated certificates can lead to a failure in the UEFI Secure Boot process, preventing the system from booting correctly.
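For IT teams auditing many machines, the same check can be wrapped so it returns one object per PC and reports an error instead of aborting on legacy-BIOS or non-elevated sessions. This is an added example, not Microsoft's or any OEM's script; the function name is hypothetical, and checking the active `db` variable alongside the firmware default `dbdefault` goes beyond the single command quoted above.

```powershell
# Added example: report Secure Boot state and whether the 2023 CA is present
# in each UEFI signature database. Run in an elevated PowerShell session.
function Test-SecureBootCertificate {   # hypothetical helper name
    param(
        # Certificate name taken from the check quoted in the article
        [string]$CertificateName = 'Windows UEFI CA 2023',
        # db        = active allowed-signature database used at boot
        # dbdefault = firmware-supplied defaults (restored on a key reset)
        [string[]]$Variable = @('db', 'dbdefault')
    )

    $report = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $null
    }

    try {
        # Returns $true/$false; throws on legacy BIOS or without elevation
        $report['SecureBootEnabled'] = Confirm-SecureBootUEFI -ErrorAction Stop
    }
    catch {
        $report['SecureBootEnabled'] = "Unknown: $($_.Exception.Message)"
    }

    foreach ($name in $Variable) {
        try {
            $bytes = (Get-SecureBootUEFI -Name $name -ErrorAction Stop).Bytes
            $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
            # Same string match as the one-liner, with the name regex-escaped
            $report[$name] = $text -match [regex]::Escape($CertificateName)
        }
        catch {
            # Variable missing or unreadable: record why instead of failing
            $report[$name] = "Unreadable: $($_.Exception.Message)"
        }
    }

    [pscustomobject]$report
}

Test-SecureBootCertificate | Format-List
```

A machine that shows `True` for `dbdefault` but `False` for `db` has the new certificate in its firmware defaults but not yet in the database Secure Boot actually consults, so it still needs the certificate update applied.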

What Should You Do if Your System Is Affected?

The primary action is to ensure your system’s BIOS is updated. Microsoft notes that "many newer PCs built since 2024, and almost all the devices shipped in 2025, already include the certificates" and won’t need updates. However, older PCs might require a BIOS update. Major manufacturers such as Dell, HP, Lenovo, and Microsoft have lists of specific systems and firmware versions.

Updating the BIOS ensures that the new Secure Boot certificates are active. If a BIOS update isn’t available, Microsoft encourages users to contact its customer support services for assistance. According to Statista, Microsoft’s Windows operating system held a 68.2% market share in desktop operating systems as of January 2026, making these updates critical for a large number of users. "It’s important to act before the expiration date to avoid potential boot issues," said Kevin Beaumont, a security researcher, in a recent blog post.

Products/Companies Mentioned

  • Microsoft – Technology company, $3.2 trillion market cap, $245B revenue (FY2025), responsible for Windows operating system and Surface devices.
  • Dell – Computer hardware company, $101.7 billion revenue (FY2025), provides BIOS updates for its PCs to address the Secure Boot certificate expiration.
  • HP – Computer hardware company, $53.7 billion revenue (FY2025), also provides BIOS updates for its PCs.
  • Lenovo – Technology company, $62 billion revenue (FY2025), offering support and BIOS updates for its PCs.
  • Asus – Computer hardware company, $14.1 billion revenue (FY2025), providing multiple methods to update Secure Boot certificates.

What This Means

  • For home users: Check your system using the PowerShell command and update your BIOS if needed to avoid boot issues after June 2026. Contact Microsoft support if you encounter difficulties.
  • For IT departments: Implement a plan to update all managed Windows PCs with the latest BIOS versions, ensuring compliance and preventing widespread boot failures. Microsoft provides detailed documentation for IT shops.
  • For hardware manufacturers: Continue providing BIOS updates for older systems and ensure all new PCs ship with the latest Secure Boot certificates to maintain security standards.