On June 24, 2026, the digital keys that have guarded the startup process of millions of Windows PCs since 2011 finally expired. The Secure Boot certificate rollover, years in the making, moved from a future concern to an immediate one for anyone still running on outdated firmware. Major PC makers—Dell, HP, Lenovo, ASUS, Acer, MSI, Samsung, LG, and Microsoft’s Surface division—have all now published detailed instructions, but the burden of ensuring your machine is protected falls, as ever, on you.

What Actually Changed: The 2011 Certificates Expired

Secure Boot relies on certificates to verify that the code your PC runs before Windows loads hasn’t been tampered with. Microsoft’s original certificates, issued in 2011, were never meant to last forever. Three specific certificates expired in stages:

  • Microsoft Corporation KEK CA 2011 — expired June 24, 2026
  • Microsoft UEFI CA 2011 — expired June 27, 2026
  • Microsoft Windows Production PCA 2011 — set to expire October 19, 2026

To replace them, Microsoft created new 2023 certificates and began pushing them to devices through Windows Update. The catch? The final act of storing those new keys happens in your PC’s UEFI firmware—and that’s where your device manufacturer comes in. Each OEM had to release compatible BIOS updates or ensure their platforms could accept the new certificates silently. The result is a mix of automatic success, pending updates, and, for some, a warning that demands action.

What It Means for Your PC

For most people, the transition was invisible. If your Windows Security dashboard shows a green checkmark next to Secure Boot, you’re already running the 2023 certificates, and no further steps are needed. Your PC will continue to block untrusted bootloaders and receive future boot-level security updates as expected.

A yellow warning in Windows Security means the update hasn’t completed. This could be because Windows Update has staged the certificates but a required firmware update is missing, or the rollout hasn’t reached your specific hardware configuration yet. It’s not an emergency, but it’s a signal that your system hasn’t fully moved to the new trust chain.

A red icon indicates a firmware incompatibility. This is more serious: your device may need a BIOS update or, in older systems, might no longer be supported by the manufacturer. If you don’t see the Secure Boot section at all, Secure Boot is likely disabled in your UEFI settings, or you’re running Windows on hardware that bypasses the requirements (common on unsupported Windows 11 installations).

Home Users: Check and Wait, Mostly

If you’re a home user with a PC bought in the last few years, chances are high you already received the update. Microsoft rolled out the certificates to eligible devices in the June 2026 Patch Tuesday update. You may have noticed an extra reboot or two—that’s normal, as the process stages files into firmware across multiple restarts. The new SecureBoot folder that appeared in your Windows directory is also part of the machinery; leave it alone.

Windows 10 users aren’t left behind. The May 2026 security update (KB5087544) added the same Secure Boot status reporting to Windows Security, so you’ll see the green/yellow/red indicators on Windows 10 as well. If you’re on Windows 10 and haven’t installed that update, do so now.

IT Administrators: Audit Your Fleet

For enterprises, the rollover is a governance test. A machine can be running the latest Windows 11 build and still show a yellow warning because its firmware hasn’t caught up. You can’t assume status from the OS version alone. Use Intune or Configuration Manager to surface the Secure Boot state across your fleet. Each OEM publishes model-specific minimum BIOS versions; some, like HP, embed a specific string (SBKPFV3) in the SMBIOS to signal readiness.

Lenovo’s documentation is especially admin-friendly, with direct links to BIOS downloads per product family—ThinkPad, ThinkCentre, IdeaPad, and Legion each have clear cutoff lists. Dell’s dual-certificate strategy (shipping both old and new keys since late 2024) buys time, but it’s a bridge, not a destination.

How We Got Here: A Decade-Old Trust Anchor

When Secure Boot debuted with Windows 8 in 2012, Microsoft embedded 2011-issued certificates as the root of trust. These keys signed the bootloaders, drivers, and kernel components that your firmware checks before handing control to Windows. The system worked so well that most users forgot it existed—until the expiration dates loomed.

Microsoft began planning the rollover years ago, but the complexity of updating firmware across dozens of OEMs meant the timeline stretched. The 2023 replacement certificates were designed, tested, and eventually pushed through Windows Update, but only after each manufacturer prepared compatible firmware. Some, like ASUS and Lenovo, published thorough consumer and enterprise guides; others, like Acer, lagged, leaving owners of older Aspire or Nitro models in a gray zone without clear BIOS updates.

The staggered expiry—first KEK, then UEFI CA, then the Production PCA in October—was deliberate. It gave Microsoft and OEMs time to migrate devices without breaking boot. But it also means the story isn’t over. The Windows Production PCA 2011 expires on October 19, 2026, which could trigger another wave of frantic checks for anyone who ignored the June deadlines.

What to Do Now: A Step-by-Step Guide

Action depends on what you see in Windows Security. Here’s how to proceed.

1. Check Your Status

Open Windows SecurityDevice SecuritySecure Boot.
- Green: Done. No action.
- Yellow: Proceed to Step 2.
- Red: Contact your OEM support with the error code shown.
- Missing: Ensure Secure Boot is enabled in your UEFI firmware. If your hardware doesn’t support it, you’ll need to accept that boot-level security updates are no longer guaranteed.

2. Install All Pending Updates

Before assuming a yellow warning is permanent:
- Run Windows Update and install all available cumulative updates, including optional driver updates.
- Check your OEM’s support website for a dedicated Secure Boot certificate page or a BIOS/firmware update labeled for certificate rollover. Do not rely on generic driver scans.

If you’re unsure of your OEM’s guidance, consult their official page:
- ASUS: Their consumer guide explains PowerShell commands to verify Key Exchange Key (KEK) and DB certificate presence. For advanced users, you can set a registry value (AvailableUpdates to 0x5944) and run the Secure-Boot-Update scheduled task twice—with a reboot in between.
- Lenovo: Direct BIOS downloads per product family, with clear end-of-service-life cutoffs.
- Dell: Provides a support article organized by brand (Alienware, XPS, Latitude, etc.) and notes that platforms with end-of-life before January 1, 2026, won’t receive updates.
- HP: Consumer PCs update through Windows Update once a minimum BIOS is installed. Commercial PCs require a specific BIOS version string. Caution: HP had a known issue where early 2026 BIOS updates triggered BitLocker recovery loops. Only install the corrected BIOS version directly from HP’s support site.
- MSI: Systems with older Intel (7th-11th Gen) or AMD (Ryzen 3000H-5000U) processors get the update via Windows only; newer platforms need a BIOS flash. MSI points to Event Viewer—event ID 1808 with source TPM-WMI confirms success.
- Acer: A model table lists Aspire, Nitro, Predator, and others. Some are marked “Under process,” meaning wait for the BIOS. Owners of 2020-2022 models like the Aspire TC-895 have reported yellow warnings with no official fix yet.
- Samsung and LG: Both confirm automatic updates through Windows, with model-specific BIOS checks available.
- Surface: For models still in the support window, updates arrive through the normal Windows and Surface firmware pipeline. Microsoft owns the whole stack here, simplifying things.

3. Back Up Your BitLocker Recovery Key Before Any BIOS Update

This cannot be stressed enough. A firmware change can trigger BitLocker recovery, locking you out of your drive. Before flashing any BIOS:
- Find your BitLocker recovery key. It’s typically linked to your Microsoft account (for consumer devices) or stored in Active Directory/Azure AD (for enterprise).
- Print it or save it to a secondary device.
- Only then proceed with the BIOS update from your OEM’s official channel.

4. If You Must Manually Trigger the Update

For users comfortable with command-line steps and only after confirming a yellow warning persists after updates, you can force the installation:

# Check for existing 2023 certificates (Admin PowerShell)
Get-SecureBootUEFI -Name KEK | Format-List
Get-SecureBootUEFI -Name db | Format-List

If the output doesn’t include “Microsoft Corporation KEK CA 2023” and “Microsoft UEFI CA 2023”, you can try:

  1. Set the registry key: HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates to 0x5944 (DWORD). Reboot.
  2. Open Task Scheduler → Microsoft → Windows → CertificateServicesClient → Secure-Boot-Update. Run it. Reboot again.

Note: This is a last resort. Most users should simply wait for Windows Update or the OEM BIOS update, because an incorrect manual trigger can cause instability.

Outlook: October Deadlines and a Firmware Future

June’s expirations were only the first act. The Windows Production PCA 2011 expires on October 19, 2026, and while it may cause fewer visible issues (it signs kernel drivers, not bootloaders), it reinforces that firmware hygiene is now continuous. Microsoft has not announced any extension, so treat this summer as a dress rehearsal.

Longer term, this episode reveals a hard truth: a PC’s security lifespan is now defined by its firmware support, not just its ability to run the latest Windows. When an OEM stops releasing BIOS updates for a model, that device may still boot, but it gradually loses the ability to receive critical boot-level patches. For home users, this might mean retiring a beloved desktop earlier than expected. For businesses, it means refresh cycles must account for firmware end-of-life dates, not just hardware performance.

The good news is that the industry learned from this rollout. Dell, Lenovo, and others shipped dual certificates early, and Microsoft’s update mechanism worked for the vast majority of devices. The next certificate transition, whenever it comes, should be smoother—if IT teams and consumers alike remember that the green checkmark in Windows Security isn’t just a feel-good icon; it’s the first line of defense.