Microsoft is giving every Windows 10 and 11 user a hard date to prepare for a fundamental shift in how Secure Boot verifies the digital signatures that keep malware out of the boot chain. On June 24, 2026, Microsoft will revoke trust for the aging “Microsoft Windows Production PCA 2011” certificate that has anchored UEFI Secure Boot for over a decade. After that cutoff, any PC that hasn’t ingested the replacement “Microsoft Windows Production PCA 2023” certificate will fail to start with Secure Boot turned on. The company already pushes the new certificate through Windows Update, but confirming it actually landed on your machine requires checking a few specific spots—and some hardware will need manual intervention before the clock runs out.

What’s Changing in Secure Boot?

Secure Boot relies on a chain of public‑key signatures stored inside the UEFI firmware. When the PC powers on, each piece of boot software must present a signature that matches an entry in the allowed signature database (the “db”). For years, the root of that trust for virtually every Windows PC was the Microsoft Windows Production PCA 2011 certificate, a 2048‑bit RSA key that signed Windows boot loaders, Option ROMs, and third‑party UEFI drivers. In 2023, Microsoft generated a fresh PCI‑compliant certificate—Microsoft Windows Production PCA 2023—with a stronger elliptic‑curve key (ECC P‑384) and a longer lifespan.

The plan is straightforward: add the 2023 certificate to the UEFI db on every supported machine, start signing all new boot components exclusively with the new key, and, once the ecosystem is ready, ban the old certificate by pushing a Secure Boot Forbidden Signature Database (DBX) update that lists the 2011 thumbprint. That DBX update is scheduled for release on June 24, 2026. The moment a UEFI firmware loads that DBX entry, any bootloader or driver signed only with the old 2011 key becomes invalid—the firmware will treat it as untrusted and halt the boot process.

Why June 24, 2026 Matters

Microsoft chose the date to give OEMs, enterprises, and end users ample time to test and deploy the certificate. In practice, the rollout began in February 2024, when a Windows Update started writing the 2023 certificate into the UEFI Secure Boot db on systems that could accept it. Ever since, subsequent monthly cumulative updates have refreshed the delivery logic, closing gaps on devices that missed the initial push. So, for many modern PCs, the work is already done—the new certificate lives silently in firmware, and the machine will sail past the 2026 deadline without a hiccup.

But the deadline is also a real enforcement point. On or shortly after June 24, 2026, Microsoft will release the DBX revoking the 2011 certificate through Windows Update. Any device that never got the 2023 certificate will immediately lose the ability to boot with Secure Boot enabled. The screen won’t show a friendly warning; users will likely see a generic “Secure Boot violation” or “Invalid signature” error and may need to enter UEFI setup, disable Secure Boot, or attempt a firmware update from a thumb drive. For fleet administrators, hundreds or thousands of workstations could go dark overnight if they miss the window.

How to Check Your System’s Secure Boot Certificate Status

Microsoft lists three official ways to verify that the 2023 certificate has been fused into your firmware: the Windows Security app, the System Information utility, and a dedicated administrative diagnostic tool. Each method offers a different level of detail.

Windows Security → Device Security

Open Windows Security from the Start menu, click Device security, and find the Security processor section. If your firmware reports Secure Boot enhanced‑signature information, you’ll see a line item for the certificate version or thumbprint. On a system that has received the 2023 update, the entry reads “Microsoft Windows Production PCA 2023” followed by a hexadecimal identifier. On systems that still only trust the legacy 2011 certificate, you may see “Microsoft Windows Production PCA 2011” or no mention at all. Note that this panel depends on the firmware communicating the data correctly; not every motherboard populates these fields, so a missing entry doesn’t automatically spell doom.

System Information (msinfo32)

Press Win+R, type msinfo32, and hit Enter. Scroll to System Summary and examine the Secure Boot State value. This tells you only whether Secure Boot is currently active, not which certificates are enrolled. On a machine booting under Secure Boot (and therefore able to apply Secure Boot DBX updates, such as the ones that blacklist known vulnerable bootloaders), the BIOS Mode field will show “UEFI” and the Secure Boot State will read “On.” As a quick sanity check, this confirms that Secure Boot is functioning, but it won’t reveal the presence of the 2023 certificate by itself. For a deeper look, you need to examine the firmware variables directly.

Administrator Diagnostics

Advanced users and IT pros can query the UEFI Secure Boot signature databases using PowerShell or Windows Terminal (run as administrator). The command below dumps the raw contents of the allowed signature database (the “db”) as text so that it can be searched for the new certificate’s name:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).bytes)

The output will be a large block of data, but searching for “Microsoft Windows Production PCA 2023” within it confirms the certificate is present. Alternatively, Microsoft provides a standalone diagnostic MSI package—simply called the “Secure Boot Certificate Diagnostic Tool”—that runs a wizard‑style check and reports a green check mark if the firmware contains the 2023 certificate. System administrators can deploy this tool silently across an organization using Microsoft Endpoint Manager or Group Policy.
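To take the raw db dump one step further, the following added PowerShell example (not Microsoft’s diagnostic tool and not code from the article) walks the EFI_SIGNATURE_LIST structures inside the db, lists every enrolled X.509 certificate by subject and expiry, and reports whether a 2023 certificate is present; it matches both names the article uses for the replacement certificate. It assumes an elevated session on a UEFI system where Get-SecureBootUEFI is available, and the same function can be pointed at dbx, KEK or PK.

```powershell
# Added example: parse the UEFI signature database bytes returned by
# Get-SecureBootUEFI into EFI_SIGNATURE_LIST entries and list the X.509
# certificates they carry. Not Microsoft's tool; run elevated on a UEFI PC.
$EFI_CERT_X509_GUID   = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [Guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-SecureBootSignatures {
    param([ValidateSet('db','dbx','KEK','PK')][string]$Name = 'db')
    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16), SignatureListSize(4),
        # SignatureHeaderSize(4), SignatureSize(4); integers are little-endian.
        $type       = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        # Stop on a malformed list instead of looping forever or reading past the end.
        if ($listSize -lt 28 -or $sigSize -le 16 -or $offset + $listSize -gt $bytes.Length) { break }
        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the payload.
            [byte[]]$data = $bytes[($pos + 16)..($pos + $sigSize - 1)]
            if ($type -eq $EFI_CERT_X509_GUID) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Variable = $Name; Kind = 'X509'; Subject = $cert.Subject
                                   NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
            } elseif ($type -eq $EFI_CERT_SHA256_GUID) {
                # dbx is mostly SHA-256 hashes of revoked binaries rather than certificates.
                [pscustomobject]@{ Variable = $Name; Kind = 'SHA256'; NotAfter = $null; Thumbprint = $null
                                   Subject = ([BitConverter]::ToString($data) -replace '-', '') }
            }
            $pos += $sigSize
        }
        $offset += $listSize
    }
}

# Both names the article uses for the replacement certificate are accepted here.
$db      = Get-SecureBootSignatures -Name db
$old2011 = @($db | Where-Object Subject -match 'Windows Production PCA 2011')
$new2023 = @($db | Where-Object Subject -match 'Windows UEFI CA 2023|Windows Production PCA 2023')
$db | Where-Object Kind -eq 'X509' | Format-Table Subject, NotAfter, Thumbprint -AutoSize
"db holds {0} entries for the 2011 certificate and {1} for the 2023 certificate" -f $old2011.Count, $new2023.Count
if ($new2023.Count -gt 0) { 'PASS: a 2023 certificate is enrolled in db' }
else { 'FAIL: no 2023 certificate in db; apply pending updates or OEM firmware and re-check' }
```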

OEM‑Specific Tools

Some manufacturers embed certificate information in their own firmware utilities. Dell Command | Configure, HP BIOS Configuration Utility, and Lenovo Vantage can all dump the current Secure Boot variable contents. If you already use these tools for fleet management, they can serve as an additional verification layer.

How the Rollout Has Worked So Far

Microsoft’s strategy has been to slip the 2023 certificate into the firmware db through Windows Update without requiring a full firmware flash. The update sends the certificate to the UEFI variable store while the OS is running; after a reboot, the firmware integrates it. This approach works seamlessly on most machines built after 2019 that comply with the Windows 11 UEFI requirements. For those devices, the certificate often arrived with the February 2024 security update (KB5034765 for Windows 11 22H2 and newer, or equivalent Windows 10 updates) and has been included in every cumulative update since.

For Windows 10 systems receiving Extended Security Updates (ESU), the same delivery pipeline applies. Microsoft has made clear that the certificate update is an OS‑level payload, not tied to Windows 11 hardware requirements, so even a fully patched Windows 10 22H2 system with ESU will get the certificate—provided the underlying UEFI accepts the write.

Are Older PCs Left Behind?

The catch is that the UEFI variable write can fail on older firmware. Motherboards from the 2015‑2018 era, especially consumer boards from smaller vendors or early UEFI implementations, often have locked or insufficiently sized variable stores. Windows Update attempts the write, encounters a “no space” or “access denied” error, and silently skips the step. The device continues to boot fine with the old certificate, but it will fall into the unbootable camp after the 2026 DBX update.

Custom‑built desktops are particularly prone to this issue. A hand‑built PC with a motherboard that hasn’t received a UEFI firmware update from the vendor in years may never receive the 2023 certificate unless the owner manually flashes a BIOS update from the OEM’s support page. B‑grade electronics and no‑name mini boards frequently offer no post‑sale firmware support at all. For such systems, the only reliable escape hatch before 2026 is to enter UEFI setup and disable Secure Boot entirely—an option that squanders the security gains that prompted the certificate renewal in the first place.

Enterprise customers who maintain large inventories of older but perfectly functional machines face a tough choice: commission a firmware refresh (if available) for every affected model and then re‑image, or begin a hardware replacement programme that ends well before June 2026. Microsoft’s Windows Server and Surface lines are expected to be fully compatible, but even among those, devices that have never been updated may need attention.

Concrete Steps to Take Now

1. Install Every Pending Windows Update
Go to Settings → Windows Update and check for updates. Install all cumulative updates, even the optional ones, because they often carry the latest certificate delivery improvements. After updating, reboot twice—once to complete the update and once to allow the firmware to finalise the variable write—before running the verification steps above.

2. Visit Your Motherboard or PC OEM’s Support Site
Search for your model’s download page and look for a BIOS/UEFI firmware update released after February 2024. The update changelog may mention “enhanced Secure Boot support” or “added Windows UEFI CA 2023 certificate.” If such a firmware update exists, applying it manually is the most robust way to guarantee the certificate is baked into the firmware natively, independent of Windows Update retries.

3. Run Microsoft’s Diagnostic Tool
Download the Secure Boot Certificate Diagnostic Tool from the Microsoft Download Center or the Windows IT Pro Blog post that announced the renewal. Run it on a representative sample of your machines—or on every endpoint if you can script the deployment. The tool logs results to the Windows Event Log and returns a simple pass/fail exit code suitable for automated reporting.

4. Evaluate the Risk of Leaving Secure Boot Off
If a machine absolutely cannot accept the certificate (for example, it runs an inaccessible embedded system that cannot be flashed), you may decide to disable Secure Boot in the UEFI setup before the 2026 deadline. This is a security downgrade: it removes the pre‑boot tamper‑proofing that blocks rootkits and bootkits. Reserve this option only for isolated, non‑critical devices and plan to segment them from sensitive networks.

5. For Enterprises: Start a Pilot Now
Build a Windows 10 ESU or Windows 11 image with the latest updates, deploy it to a small group, and confirm the diagnostic tool passes. Then gradually roll out the image across departments. Use your endpoint management platform to filter devices that fail the certificate check and prioritise them for hardware replacement or community‑driven firmware hack workarounds.

What Happens After June 24, 2026?

On that date, Microsoft intends to ship the DBX update that contains the 2011 certificate’s thumbprint. The update will arrive through Windows Update just like any other monthly quality update. Enterprise networks using WSUS or Microsoft Configuration Manager will see it in their distribution channels as well. Once the update installs, the firmware’s “forbidden signatures” database permanently blocks any binary signed with the old key.

Hardware that trusts the 2023 certificate will boot exactly as before. Hardware that doesn’t will stall at the UEFI pre‑boot screen with an error resembling “Secure Boot policy has changed. Please check your system’s Secure Boot settings.” At that point, the only recovery paths are:
- Disable Secure Boot in UEFI settings and boot the OS (losing pre‑boot security).
- Use a recovery drive to boot, then manually flash a firmware update that includes the certificate, if one exists.
- Perform a clean installation of Windows 11 with the newest media, which might trigger a certificate write during setup.

Windows 10 machines are not exempt; the certificate and DBX updates are OS‑version‑agnostic because they target the firmware. A fully patched Windows 10 system can have Secure Boot enabled just as securely as Windows 11, so the 2026 deadline applies equally to both.

A Secure Future for the Windows Boot Chain

The certificate renewal is not an arbitrary bureaucratic exercise. The 2011 certificate uses a key pair that is now considered vulnerable to quantum‑accelerated factorization attacks—still over‑engineered for today’s threats, but not future‑proof. By moving to ECC P‑384, Microsoft aligns Secure Boot with the same cryptographic standards used in Windows Hello for Business, Azure Attestation, and the overall Zero Trust architecture. The switch also lets Microsoft enforce stricter signing policies: future boot components can embed metadata that limits their usage to specific releases or configurations, making it harder for attackers to reuse a signed driver in an unintended context.

For the Windows community, the immediate takeaway is that the 2026 deadline feels far away, but the verification work is best done now—while there’s time to update firmware, test images, and contact OEMs. A PC that sits unpatched for another eighteen months will be just as unprepared on June 23, 2026 as it is today. The tools to check are already built into the operating system, and the process takes less than five minutes. There has rarely been a more clear‑cut case of proactive maintenance providing an outsized security return.