If you’ve never heard of Secure Boot certificates, that’s by design — they work quietly in the background, and for most of the past 15 years, nobody’s had to think about them. That’s about to change. The original certificates that power one of Windows’ most fundamental security features are set to expire in June 2026, and depending on which PC you’re running and which version of Windows you’re on, the fallout could range from a seamless automatic update to a security headache you’ll need to solve yourself.
Your PC isn’t going to die, but it might get a lot less safe
Secure Boot is what protects your machine during the boot process — before Windows even finishes loading. The certificates that underpin it are expiring, and while Microsoft has been pushing updated versions through Windows Update, not everyone is eligible to receive them automatically. Windows 11 users on modern hardware should be fine. Everyone else needs to pay attention.
To check where you stand, open PowerShell as an administrator and run:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'). A True means you’re already sorted. A False means you need to check for pending Windows Updates immediately — or hunt down a firmware update from your PC manufacturer.
Windows 10 without ESU are getting left behind again
This is where it gets genuinely frustrating. Microsoft officially ended Windows 10 support in October 2025, but offered an Extended Security Update (ESU) program as a one-year stopgap. Windows 10 PCs enrolled in ESU will receive the new Secure Boot certificates. Those that haven’t enrolled won’t — and with around 400 million PCs already locked out of Windows 11 by its hardware requirements, that’s an enormous number of machines quietly losing another layer of protection. The enrolment window for ESU is still open until October 14, 2026, so if you’re a Windows 10 holdout, that’s your most practical move right now.
