Windows Secure Boot certificates are reaching their "End of Life" starting June 2026. If you haven't updated your UEFI CA certificates, your PC's boot-level security is about to expire.
To check whether you already have these new certificates (normally this isn't the case if your machine is more than 2 years old), you can use a simple PowerShell command (run as administrator):
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
If this returns True, your system is up to date; if it returns False, you have to update it.
If you get a "variable not found" or similar error, you don't have Secure Boot activated in the BIOS, which is very bad for Windows 11.
To enforce the update, you can do the following, again in PowerShell as administrator:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
After that, you should reboot.
If you now check with the first command, you should get True.
To be sure that the system takes over the new certificates, reboot a second time. After that you are ready to go and back on the more secure side.
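The check above can be wrapped in a read-only status function that separates "Secure Boot is off or unsupported" from "certificate missing" and shows the current AvailableUpdates value, so you can run it before the update and after each reboot. This is an added example, not part of the original post; the function name Test-SecureBootCa2023 is hypothetical, and the certificate string and registry path are the ones used above.

```powershell
# Added example: read-only status check, run in an elevated PowerShell session.
# Test-SecureBootCa2023 is a hypothetical name; it changes nothing on the system.
function Test-SecureBootCa2023 {
    [CmdletBinding()]
    param(
        # Certificate name searched for in the db variable (string from the post).
        [string]$CertName = 'Windows UEFI CA 2023'
    )

    $result = [ordered]@{
        SecureBootEnabled = $null   # $true/$false, or $null if it could not be read
        CertInDb          = $null   # $true if $CertName appears in the db variable
        AvailableUpdates  = $null   # current registry value, shown as hex
        Note              = ''
    }

    try {
        # Reports whether Secure Boot is currently enabled in firmware.
        $result.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop

        # Same test as the one-liner above: decode db as ASCII and search it.
        $db   = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        $result.CertInDb = $text -match [regex]::Escape($CertName)
    }
    catch [System.PlatformNotSupportedException] {
        $result.Note = 'Secure Boot cmdlets not supported here (legacy BIOS boot or no UEFI Secure Boot).'
    }
    catch [System.UnauthorizedAccessException] {
        $result.Note = 'Access denied: start PowerShell as administrator.'
    }
    catch {
        # Includes the "variable not found" style errors mentioned in the post.
        $result.Note = "Could not read Secure Boot variables: $($_.Exception.Message)"
    }

    # Report the value written by the "reg add" step, without modifying it.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $val = (Get-ItemProperty -Path $key -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    if ($null -ne $val) { $result.AvailableUpdates = '0x{0:X}' -f $val }

    [pscustomobject]$result
}

Test-SecureBootCa2023 | Format-List
```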