Secure Boot Certificates Start Expiring June 24: How to Check and Update Every PC You Manage
Secure Boot certificate expiration starts June 24, 2026. How to check any Windows PC in two minutes, update a small business fleet, and fix the stragglers.


On June 24, the certificates that anchor Secure Boot on most Windows PCs begin to expire — the first scheduled turnover since the system launched in 2011. Before writing this guide, we checked our managed client fleet. Roughly 80% of devices were already covered: most of our fleet is two to three years old and either carries the replacement 2023 certificates or sits squarely in Microsoft's automatic deployment path. The rest split into two groups — machines waiting on a routine Windows update, and a smaller set, mostly older Dell all-in-one desktops, a few aging Lenovo laptops, and a handful of industrial PCs, that needed a firmware update before the fix would even apply.
Your PC will not stop booting on June 24. But machines without the new certificates gradually lose boot-level security updates, and the fix is a five-minute check now versus a confusing troubleshooting session later. Here's how to verify every machine you're responsible for, and what to do with the ones that aren't ready.
The Secure Boot Certificate Expiration: What Actually Happens on June 24
First, what does not happen: nothing breaks on June 24, 2026. No PC fails to boot, no blue screens, no locked-out users, and standard Windows updates keep installing. Coverage suggesting otherwise overstates the situation.
Here's what actually expires. Secure Boot — the UEFI firmware feature that verifies every piece of boot software is signed and trusted before Windows loads — relies on a small set of Microsoft certificates stored in your PC's firmware. Those certificates were issued in 2011 with 15-year lifespans, and the clock runs out on a schedule:
| Certificate | Expires | What it does |
|---|---|---|
| Microsoft Corporation KEK CA 2011 | June 24, 2026 | Signs updates to the Secure Boot databases |
| Microsoft Corporation UEFI CA 2011 | June 27, 2026 | Signs third-party bootloaders and option ROMs |
| Microsoft Windows Production PCA 2011 | October 2026 | Signs the Windows Boot Manager itself |
Once a machine's certificates expire without the 2023 replacements installed, it keeps booting — but it can no longer receive updates to the Windows Boot Manager, the Secure Boot signature databases, or the revocation list (DBX) that blocks known-malicious boot software. That last part is the real risk. When the BlackLotus UEFI bootkit appeared in 2023 — malware that loads before Windows and survives an OS reinstall — the fix was delivered through exactly the boot-level update channel that expired certificates cut off. A machine outside that channel doesn't fail visibly — it simply stops receiving protection against the next threat of this kind.
The replacements are the 2023 certificate set: Microsoft Corporation KEK 2K CA 2023, Windows UEFI CA 2023, Microsoft UEFI CA 2023, and Microsoft Option ROM UEFI CA 2023. Getting them onto a machine is the entire job this article covers.
One scoping note: if the machine you're worried about is still on Windows 10, the certificate question is secondary to the bigger one — whether it should be on ESU, upgraded, or replaced. Our Windows 10 end-of-life guide covers that decision; this article assumes machines on a supported, updating OS.
What We Found Checking Our Client Fleet
Before recommending a process, we ran the readiness check across the small-business fleets we manage in South Florida. The short version: if your hardware is recent and your updates are current, you're probably fine — and the exceptions follow a predictable pattern.
| Fleet status | Approximate share | What it means |
|---|---|---|
| Ready or in the automatic path | ~80% | 2023 certificates present, or device qualifies for Microsoft's automatic deployment via Windows Update |
| Needs firmware updates or hands-on work | ~20% | Older hardware whose BIOS/UEFI must be updated first, plus industrial PCs with vendor-controlled firmware |
Two things predicted readiness, and neither was the brand on the case. The first was device age: machines from 2023 onward almost universally shipped with the 2023 certificates in firmware or accepted them through a routine update. The second was update hygiene — our managed devices run automated patch and firmware deployment through Action1, so most eligible machines had already received current BIOS versions long before we went looking. Fleets without automated firmware patching will skew worse than our numbers, because the certificate update frequently depends on a firmware version most users never install by hand.
The 20% that needed attention clustered exactly where you'd guess: older Dell all-in-one desktops, aging Lenovo laptops, and industrial PCs whose firmware updates only come from the equipment vendor. The problem-machines section later in this guide covers what to do with those. First, here's how to check any machine yourself.
How to Check a Single PC in Two Minutes
You need two facts about each machine: is Secure Boot actually on, and are the 2023 certificates present? Three checks, in increasing order of precision.
Step 1: Confirm Secure Boot is enabled
- Press Windows Key + R, type msinfo32, and press Enter.
- In System Summary, find Secure Boot State.
- On means proceed to Step 2. Off or Unsupported means the certificate expiration is moot for this machine — but a machine running with Secure Boot off has a bigger problem worth fixing first.
Step 2: Check the firmware for the 2023 certificate
Open PowerShell as Administrator and run:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
- True — the Windows UEFI CA 2023 certificate is in this machine's Secure Boot database. The main work is done.
- False — the certificate hasn't been applied yet. Continue to Step 3 to see whether an update is pending or stuck.
Step 3: Check Windows' update status in the registry
Microsoft's deployment process (documented in KB5025885) reports its state in the registry. In the same elevated PowerShell window:
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" -Name UEFICA2023Status
- Updated — done. This is the authoritative "ready" signal.
- InProgress — the update is mid-flight; it typically completes across a reboot or two.
- NotStarted (or the value doesn't exist) — this machine hasn't begun, and it's a candidate for the manual path in the next sections.
That's the whole audit: one msinfo32 glance, two PowerShell lines. On a fleet, push the PowerShell checks through your RMM as a script and collect the results — we did exactly that, and it's how the table above was built. With results in hand, every machine lands in one of three buckets, covered in order below.
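The three checks above as one PowerShell function whose output an RMM can collect, added here as an example and not taken from the original article. The bucket names and the treatment of a missing UEFICA2023Status value as NotStarted are this example's assumptions; run it elevated on Windows 11.

```powershell
# Added example: bundle the msinfo32, firmware-db and registry checks into one object.
function Get-SecureBootCertReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        SecureBootOn     = $null
        Has2023InDb      = $null
        UEFICA2023Status = 'NotStarted'   # assumption: absent value means not started
        AvailableUpdates = $null
        Bucket           = $null
    }

    # Step 1: Confirm-SecureBootUEFI returns $true/$false and throws on firmware
    # that does not support Secure Boot at all; treat both failures as "off".
    try   { $result.SecureBootOn = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBootOn = $false }

    if ($result.SecureBootOn) {
        # Step 2: look for the 2023 CA subject name in the raw db variable bytes.
        $db   = Get-SecureBootUEFI -Name db
        $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        $result.Has2023InDb = [bool]($text -match 'Windows UEFI CA 2023')
    }

    # Step 3: servicing state written by the KB5025885 deployment process.
    $servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = Get-ItemProperty -Path $servicing -Name UEFICA2023Status -ErrorAction SilentlyContinue
    if ($status) { $result.UEFICA2023Status = $status.UEFICA2023Status }

    # The AvailableUpdates bitmask shows whether a manual trigger is still mid-flight.
    $sb    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $avail = Get-ItemProperty -Path $sb -Name AvailableUpdates -ErrorAction SilentlyContinue
    if ($avail) { $result.AvailableUpdates = '0x{0:X}' -f $avail.AvailableUpdates }

    # Sort into the article's buckets (names are this example's choice).
    $bucket = 'NeedsAction'
    if (-not $result.SecureBootOn) { $bucket = 'SecureBootOff' }
    elseif ($result.Has2023InDb -or $result.UEFICA2023Status -eq 'Updated') { $bucket = 'Ready' }
    elseif ($result.UEFICA2023Status -eq 'InProgress') { $bucket = 'InProgress' }
    $result.Bucket = $bucket

    [pscustomobject]$result
}

# One JSON line per device is easy to aggregate from RMM script output.
Get-SecureBootCertReadiness | ConvertTo-Json -Compress
```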
The Automatic Path: Who Can Just Wait
Most machines need nothing from you, and it's worth understanding why before you start touching registries.
Microsoft has been rolling the 2023 certificates out through Windows Update using a confidence system: devices are grouped into "buckets" by manufacturer, motherboard, and firmware version, and once Microsoft observes enough successful updates in a bucket with no failures, the whole bucket is marked high-confidence and gets the certificates automatically through monthly cumulative updates. No opt-in, no registry work, no Intune policy.
The June 9, 2026 Patch Tuesday update (KB5094126 for Windows 11 24H2/25H2) matters here: it shipped expanded high-confidence targeting data, and Microsoft confirmed in its June 4 AMA session that after this update, the vast majority of devices it has telemetry for fall into the high-confidence group. If you've been waiting for a sensible moment to check your fleet, the June update is it — the automatic path now covers more machines than at any point in the rollout.
You're in the automatic path if...
- The device runs Windows 11 (or Windows 10 with ESU) and installs monthly cumulative updates on time
- Secure Boot is enabled and the firmware is reasonably current
- The hardware is a mainstream model — common Dell, HP, Lenovo, and Surface configurations dominate the high-confidence buckets
- Nobody has set the HighConfidenceOptOut registry value or the equivalent Group Policy
The honest version of "you can just wait": waiting is fine for recent, regularly updated machines — but verify, don't assume. Run the Step 2 PowerShell check after the June update lands and reboots complete. A machine that shows True is done. A machine that's still False in July has told you something: it's not in the high-confidence group, and it needs one of the next two sections. For a broader look at how Windows 11 handles this kind of managed servicing, our Windows 11 IT pro review covers the update model in depth.
The Managed-Fleet Path: Intune, Registry Keys, and Small-Business Reality
If you manage 5–50 machines and some of them aren't in the automatic path — white-box builds, less common OEM models, machines with diagnostic data disabled — you can push the update yourself. The mechanism is the same regardless of which management tool triggers it.
Before anything else: BitLocker. Skipping this step is the most common way a routine certificate rollout turns into avoidable downtime.
Export BitLocker recovery keys first
Certificate and firmware changes can trip BitLocker's tamper detection and force a recovery prompt at next boot. Before touching any machine: confirm its recovery key is escrowed (Entra ID, AD, or your RMM), or suspend BitLocker for one reboot with Suspend-BitLocker -MountPoint "C:" -RebootCount 1. A fleet-wide rollout without verified recovery keys risks locking users out of their machines until each 48-digit key is tracked down — verify escrow before the first device, not after.
With keys verified, the deployment options in order of preference:
Intune. The Settings Catalog includes a Secure Boot certificate deployment policy, and the Intune monitoring report (updated May 2026) shows per-device status: high-confidence membership, applied/not applied, and which devices need intervention. If you're already an Intune shop, use this and skip the registry.
Registry trigger. For everyone else — including RMM-managed fleets like ours — two commands from an elevated prompt start the full deployment on a device:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
The 0x5944 bitmask tells Windows to apply everything: the 2023 CAs to the DB, the new KEK, and the 2023-signed boot manager. The scheduled task processes one step per run (it fires every 12 hours on its own; the second command just skips the wait), and the machine needs a reboot or two between stages. Watch AvailableUpdates step down — 0x5944 → 0x4100 → 0x4000 or 0x0 — and confirm UEFICA2023Status reads Updated when it settles.
Microsoft-managed opt-in. For devices outside the high-confidence buckets that you'd still rather have Microsoft handle, setting MicrosoftUpdateManagedOptIn to 1 (same registry path) enrolls them in Microsoft's managed deployment — with the catch that the device must send optional diagnostic data, which many business configurations disable.
One easy-to-miss population: virtual machines. Hyper-V guests carry their own virtual firmware and need the certificate update separately from their host — and Microsoft's Secure Boot troubleshooting guide tracks a known issue affecting cert updates on Hyper-V VMs, so check those alongside the physical fleet rather than assuming the host covers them.
Rollout order matters more than tooling. Pick one machine per hardware model, run it end-to-end — trigger, reboots, verification — and only then script the rest of that model's fleet. Budget 20–30 minutes of hands-on time per machine for the manual path including reboot cycles and verification; machines that also need a firmware update first (next section) take longer. The certificate check itself is worth adding to your recurring maintenance routine — it's exactly the kind of item that belongs in a periodic security audit rather than a one-time event.
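The registry-trigger path from this section wrapped with the BitLocker guard it insists on, added as an example script rather than code from the article or from Microsoft. It assumes the system drive is C:, that a recovery-password protector is what you escrow, and that a 60-second wait is enough for the scheduled task to record its first state change; run it elevated on one device per hardware model before scripting the rest.

```powershell
# Added example: BitLocker guard, then the KB5025885 manual trigger, then read back state.
param([string]$MountPoint = 'C:')   # assumption: BitLocker-protected OS volume

$sbKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$servicingKey = "$sbKey\Servicing"

# Guard: with BitLocker on, require a recovery-password protector (the value
# you escrow) and suspend protection for exactly one reboot.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq 'On') {
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        throw "No recovery-password protector on $MountPoint; add one and verify escrow first."
    }
    # Log only the protector ID (never the 48-digit key) so it can be matched to escrow.
    Write-Host "Recovery protector ID(s): $($rp.KeyProtectorId -join ', ')"
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
}

# Trigger the full deployment: 0x5944 = 2023 CAs into DB, new KEK, 2023-signed boot manager.
Set-ItemProperty -Path $sbKey -Name AvailableUpdates -Value 0x5944 -Type DWord
Start-ScheduledTask -TaskName '\Microsoft\Windows\PI\Secure-Boot-Update'
Start-Sleep -Seconds 60   # assumption: enough time for the task's first pass

# Read back the two values the article says to watch. Expect AvailableUpdates
# to step down across reboots and UEFICA2023Status to end at Updated.
$avail  = (Get-ItemProperty -Path $sbKey -Name AvailableUpdates).AvailableUpdates
$status = (Get-ItemProperty -Path $servicingKey -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    AvailableUpdates = '0x{0:X}' -f $avail
    UEFICA2023Status = if ($status) { $status } else { 'NotStarted' }
    RebootRequired   = $true   # each stage of the task needs a reboot to take effect
}
```

Re-run the readiness check after each reboot rather than assuming one pass finished the job.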
The Problem Machines: Old Firmware, OEM Quirks, and When to Replace Instead
Some machines fail the check and stay failed, because the firmware itself doesn't support the 2023 certificates yet. This was our fleet's entire problem population: older Dell all-in-ones, aging Lenovo laptops, and industrial PCs. The fix is OEM-specific, and each vendor has drawn its own support line.
Dell publishes a supported-platform list and flags qualifying BIOS releases with the phrase "This BIOS contains the new 2023 Secure Boot Certificates" in the Important Information field on the driver download page. All Dell client BIOSes released after January 1, 2026 include the certificates. Check your model's Drivers & Downloads page, install the current BIOS, then re-run the deployment trigger. One Dell-specific trap from their transition FAQ: selecting Expert Key Mode in BIOS setup can wipe the active certificates and reload stale 2011 defaults — leave key management alone unless you have a specific reason.
HP drew its line at 2018: commercial PCs from 2018 onward received supporting BIOS updates (2022–2023 models around September 2025, 2018–2021 models by the end of 2025), 2024+ models shipped ready, and models older than 2018 will not receive updates. Update the BIOS first, then let Windows Update or the registry trigger do the certificate work.
Lenovo maintains minimum-BIOS tables per model for its commercial PCs. The pattern is the same — update to at least the listed BIOS version, then apply the certificates — with Lenovo explicitly repeating the BitLocker recovery-key warning for the firmware step.
Industrial and special-purpose PCs are the most difficult category. Their firmware comes from the equipment vendor, not the board manufacturer, and updates may be slow or nonexistent. For these, document the status, ask the vendor directly for their 2023 certificate timeline, and isolate the machines on the network in the meantime — they were probably segmented (or should have been) already.
Some machines can't be fixed: the firmware is out of support and no 2023-capable BIOS is coming. Here's the decision rule we use: if a machine needs more than an hour of remediation work and it's already failed or is near failing the Windows 11 hardware requirements, put the hour toward provisioning its replacement instead. A pre-2018 desktop that can't take the 2023 certificates is also staring down TPM and CPU requirements it can't meet — the certificate expiration isn't the reason to replace it, just the latest reminder.
The Ten-Minute Version
If you manage machines and have read this far, here's the whole job: run the two-minute check on everything, today. Machines showing Updated or True — done. Recent machines showing InProgress or pending — let the June update finish, verify in two weeks. Everything else gets a BIOS update, a verified BitLocker key, and the registry trigger, one hardware model at a time. The deadline that matters isn't really June 24 — it's the day the next boot-level vulnerability is disclosed, when the machines that were skipped are the ones that can't receive the fix.
Related Resources
- Windows 10 End of Life: Navigating the 2026 Secure Boot Certificate Expirations — If the machine failing this check is on Windows 10, the ESU-vs-upgrade-vs-replace decision comes first.
- Windows 11 System Requirements & Compatibility Checker — The companion check for deciding whether an old machine is worth remediating.
- Small Business Network Security Audit Guide — Where the certificate check belongs once the deadline passes: inside a recurring audit habit.
- Windows 11 for IT Professionals — How Windows 11's servicing model handles updates like this one across managed fleets.