Windows updated Secure Boot just in time. Here’s what happened

Microsoft just pushed the Secure Boot 2023 certificate update to all eligible Windows 11 and Windows 10 computers, just in time given that old certificates were due to expire today. It’s a good thing, too, since your PC could face real problems without updated certificates.

According to Windows Latest, Microsoft gave an official statement about the just-in-time rollout, saying the following:

With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.

If your Windows PC received the June 2026 Patch Tuesday update, there’s a good chance the new Secure Boot 2023 certificates have also been installed without you having to do anything.

What’s the Secure Boot certificate update?

Secure Boot is a security feature at the firmware level, meaning it gets executed at startup before Windows itself launches. Secure Boot verifies the digital signatures of all components on your system, preventing rootkits and bootkits from infiltrating the boot chain.

The first Secure Boot certificates were issued back in 2011, but those are set to expire this year—specifically, the “Microsoft Corporation KEK CA 2011” certificate expires today (June 24th, 2026), while the “Microsoft UEFI CA 2011” certificate expires on June 27th and the “Microsoft Windows Production PCA 2011” certificate is the last of the certificates to expire, which will happen on October 19th, 2026.

Microsoft is now replacing all these certificates with the Secure Boot 2023 certificate update. The number of PCs receiving the Secure Boot 2023 certificate update rose significantly, particularly in June 2026.

Has your PC already received the new Secure Boot certificates?

You can easily check whether your PC has already received the important Secure Boot 2023 certificate update.

In Windows Settings, under Privacy & security, look for Windows Security and then select Device Security to access the Secure Boot section. The status should be green, indicating that all the necessary certificates are present. If it’s indeed green, you don’t need to do anything.

If instead you see a yellow warning icon with a black exclamation mark, then your PC has NOT yet received the Secure Boot 2023 certificate update. Reasons for that could include requiring additional compatibility data or a BIOS update from your PC manufacturer before the certificates can be installed. Microsoft will continue to automatically attempt to install the certificates on your system over time.

But if you see a red dot with a white ‘X’ inside, this means an issue is preventing the Secure Boot certificate update, most likely a firmware incompatibility. In this case, check your PC manufacturer’s support page to see if a BIOS update is available.

Tip: If the Secure Boot option is missing from your Windows Settings, Secure Boot is probably disabled on your computer or was bypassed during Windows installation.

Alternatively, you can check whether Secure Boot has been updated by pressing the Windows key + R keyboard shortcut to open the Run prompt window. There, type msinfo32 and press Enter. In the window that opens afterwards, under System Summary, you’ll find the entry Secure Boot State. It should say “On.”

What if the Secure Boot certificate update isn’t installed?

Without updated Secure Boot certificates, your Windows PC will still start up and can still be used, but it will not receive any further security updates at the boot level. This makes your PC potentially vulnerable to rootkits, bootkits, and other malware.

Further reading: 10 free ways to make your Windows PC harder to hack