Time is running out for Windows users to prepare for a seismic shift in the Secure Boot trust chain. On June 19, 2026, the Microsoft Windows UEFI CA 2011 certificate—the digital cornerstone that has authenticated Windows bootloaders on billions of devices—will expire. Without proactive steps, PCs relying on Secure Boot could hit a brick wall during startup, displaying cryptic errors or refusing to boot at all. The fix? A straightforward PowerShell check and up-to-date Windows patches, applied well before the deadline.

Why a Certificate Expiration Threatens Your PC

Secure Boot is a UEFI firmware feature that ensures only trusted software boots on your machine. It works by checking digital signatures against certificates stored in the firmware’s signature databases: the authorized database (db) and the forbidden signatures database (dbx). At the top of this chain sits the Microsoft UEFI CA certificate, which signs the Windows Boot Manager and other critical components.

When Microsoft rolled out Windows 8 in 2012, it included the Windows UEFI CA 2011 certificate with a validity period ending June 19, 2026. That certificate has faithfully verified bootloaders for over a decade. But as the expiration nears, any system that hasn’t adopted the replacement—the Microsoft UEFI CA 2023—may treat future Windows bootloaders as untrusted. Even if a bootloader is signed with a perfectly valid key, Secure Boot can flag it if the signing certificate itself is expired, depending on the UEFI implementation.

Microsoft began shipping the new CA 2023 certificate through Windows Update as early as 2024, but the rollout depends on both OS updates and firmware support. The company has warned that outdated firmware or missed updates could leave a system vulnerable. “We’re entering a critical transition period,” says a Microsoft security program manager, “and users need to verify their devices are ready before the old CA expires.”

The Real-World Fallout of Ignoring the Deadline

What happens if you ignore the expiration? For most consumer PCs, the first symptom will be a failed boot attempt. You might see a “Boot Device Not Found” message, a blue recovery screen, or the UEFI menu unexpectedly appearing. In locked-down enterprise environments, a single unbootable machine can cascade into support tickets and lost productivity. In extreme edge cases—particularly on older hardware with rigid UEFI code—a firmware lockup could require a motherboard replacement or a time-consuming reflash.

There’s also a timing risk. After June 2026, Microsoft will update the DBX (forbidden signatures database) to revoke the expired CA 2011. Once that update reaches your PC, any bootloader still signed only by the old CA will be immediately blocked, even if the certificate itself hasn’t yet expired in the UEFI’s clock. This means you can’t simply set the system date back—the DBX blacklist overrides everything.

How to Check Your System’s Readiness with PowerShell

Microsoft has provided a PowerShell script that automates the readiness check, available on its Tech Community GitHub. The script queries the UEFI db variable and looks for the distinct thumbprint of the Windows UEFI CA 2023 certificate (SHA-1: 84 0d a8 3c 5e 03 6d 22 4e 8e 9e 4c 2c c5 0a b1 b1 4e 6c 39). It also verifies that the DBX contains the necessary revocations and that the old CA is either already absent or will be harmless after expiration.

Before running the script, ensure your system meets two prerequisites:
1. Secure Boot is enabled. Open an elevated PowerShell console and run:

```powershell
Confirm-SecureBootUEFI
```

A True result means Secure Boot is on. If it’s off, you won’t get boot protection, but you may still want to update the certificates for future use.

2. Windows is up to date. The certificate often arrives via cumulative updates. Check Settings > Windows Update and install any available “Security Update for Microsoft Windows” or “Servicing stack update.” Specifically, look for KB5034123 or later monthly rollups that carry the new CA.

With those boxes ticked, download the readiness script:
- Navigate to aka.ms/SecureBootReadyCheck and save the .ps1 file.
- Right-click the script file, select Properties, and ensure Unblock is checked if you see a security warning.
- Launch PowerShell as Administrator, navigate to the script’s folder, and execute:
```powershell
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
.\Check-SecureBootReadiness.ps1
```

The output will clearly state whether your PC is “Ready,” “Partially Ready,” or “Not Ready,” along with recommended actions. A “Not Ready” result usually means the CA 2023 certificate isn’t in the db, and you’ll need to apply updates or manually intervene.

For IT pros managing fleets, the script accepts parameters for remote checks and can output JSON for ingestion into monitoring tools.
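As an added example that is not Microsoft's readiness script or part of the original article, the following PowerShell reads the UEFI db variable with Get-SecureBootUEFI, walks its EFI_SIGNATURE_LIST structures, and reports whether a certificate whose subject contains "Windows UEFI CA 2023" is present; the subject-name match and the July 2026 cutoff used for the expiry warning are assumptions.

```powershell
# Added example, not Microsoft's readiness script: parse the UEFI 'db' variable as a
# sequence of EFI_SIGNATURE_LIST structures, collect the X.509 certificates, and report
# whether "Windows UEFI CA 2023" is present. Requires an elevated prompt on a UEFI system.
$EfiCertX509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-UefiVariableCertificates {
    param([string]$Name = 'db')
    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $certs = @()
    $offset = 0
    # EFI_SIGNATURE_LIST header: SignatureType (16) | ListSize (4) | HeaderSize (4) | SignatureSize (4)
    while ($offset + 28 -le $bytes.Length) {
        $sigType  = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }  # malformed list
        if ($sigType -eq $EfiCertX509Guid) {
            $pos = $offset + 28 + $hdrSize
            while ($pos + $sigSize -le $offset + $listSize) {
                # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID followed by the DER certificate
                [byte[]]$der = $bytes[($pos + 16)..($pos + $sigSize - 1)]
                $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
    return $certs
}

function Test-SecureBootCa2023Readiness {
    if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is disabled; db contents are not enforced.' }
    $db = Get-UefiVariableCertificates -Name 'db'
    foreach ($c in $db) {
        '{0}  expires {1:yyyy-MM-dd}  thumbprint {2}' -f $c.Subject, $c.NotAfter, $c.Thumbprint
    }
    # Assumed subject-name match for the replacement CA (label this as an assumption)
    $ca2023 = $db | Where-Object { $_.Subject -like '*Windows UEFI CA 2023*' }
    # Assumed cutoff: anything expiring before July 2026 covers the June 19, 2026 date in the article
    $expiringSoon = $db | Where-Object { $_.NotAfter -lt [datetime]'2026-07-01' }
    if ($ca2023) { 'READY: Windows UEFI CA 2023 is present in db.' }
    else         { 'NOT READY: Windows UEFI CA 2023 not found in db; apply Windows and firmware updates.' }
    if ($expiringSoon) { 'Note: {0} db certificate(s) expire before July 2026.' -f $expiringSoon.Count }
}

Test-SecureBootCa2023Readiness
```

This only inspects db; it does not check the DBX revocations or firmware support that Microsoft's script also evaluates, so treat it as a first-pass check rather than a replacement.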

Interpreting the Results and Taking Action

If the script reports Ready, you can breathe easy. Your firmware already trusts the new certificate, and Windows Update has handled the DBX side. No further steps are required, but keep updates flowing.

A Partially Ready status generally means the new CA is present in the db, but the DBX hasn’t been updated with the latest revocations. This is common if you’re deferring non-security updates. Installing the most recent monthly quality update or the standalone KB5012170 (Secure Boot DBX update) often resolves this.

A Not Ready finding demands immediate attention. Here’s your action plan:

  1. Exhaust Windows Update. Visit Settings > Windows Update, check for updates, and install everything, including optional updates. Restart and re-run the script. The CA 2023 certificate is bundled with several cumulative updates, but if your Windows 10 or 11 version is out of support, you may need to upgrade first.

  2. Check for firmware updates. Visit your PC manufacturer’s support website (Dell, HP, Lenovo, etc.) and search for BIOS/UEFI updates that mention “Secure Boot certificate renewal” or “Windows UEFI CA 2023.” Install the latest firmware, then re-check.

  3. Manually inject the certificate (advanced). Microsoft offers a separate tool for adding the CA 2023 to the db directly via a UEFI application. This is intended for system builders and IT staff; you’ll need a USB drive and some comfort with the command line. Instructions are at aka.ms/UEFI-CA2023-Add.

  4. Consult your OEM or IT department. Some enterprise systems use a custom Platform Key (PK) or have group policies that override certificate management. In those environments, the readiness script may not tell the whole story.

Enterprise Administrators: Going Beyond the Script

Managing Secure Boot certificates at scale requires a different playbook. Microsoft recommends:
- Use Windows Update for Business reports to identify devices that haven’t applied the CA 2023 update.
- Deploy the DBX update (KB5012170 or its successors) via Configuration Manager or Intune, ensuring it’s installed before June 2026.
- For machines that still fail readiness checks, push a custom firmware package from your OEM that contains the CA 2023 certificate.
- Test extensively. The expiration will affect recovery media, Windows PE, and even some Linux distributions that rely on Microsoft-signed shims. Validate your entire boot chain in a staging environment.

One often-overlooked scenario: virtual machines, especially those running in Hyper-V or VMware with virtual TPM and Secure Boot. Check those guest OSes just as you would physical boxes. A virtual machine that can’t boot after the expiration is just as painful as a bare-metal server.

The Clock Is Ticking, but Solutions Are Here

The June 2026 Secure Boot certificate expiration is a definite event—not a theoretical vulnerability. Microsoft has given the industry a long runway, but the onus is now on users and IT pros to verify readiness. Ignoring it could mean a day spent wrestling with recovery DVDs instead of getting work done.

Action today takes five minutes: open PowerShell, run the script, note the result. If you’re ready, you’ve bought peace of mind. If not, you now have a clear path to resolve the issue before the deadline bites. And if you’re an enterprise admin, carve out time in your next maintenance window—this is one update you can’t afford to skip.