
Your PC's Secure Boot Certificate May Be About to Expire

Posted: Fri Feb 13, 2026 7:04 pm
by FlyingPenguin
TLDR:
- The Secure Boot certificate used in all PCs using Secure Boot expires in June 2026. This will prevent your PC from booting the OS. This is only an issue if you use Secure Boot (NOTE: Secure Boot is enabled by default under Win11 during initial install, although it can be disabled).

- If you have an OEM system, the updated certificate will *probably* be installed automatically through Windows Update. DIY systems or older systems may require a BIOS update.

- Windows 10 also supports Secure Boot, although it's not enabled by default. However, Secure Boot is required to enable ReBar for modern GPUs, and is also required by some games as part of the anti-cheat system (COD Black Ops 6, Black Ops 7, Warzone, and Battlefield 6 require Secure Boot).

Since I play Black Ops 6, I checked my Win10 gaming PC and I do have the latest certificate, probably because I had to install a BIOS update in November to update the TPM version on my mobo to allow Black Ops 6 to work.

My Win10 Workstation does not have the latest certificate, probably because the BIOS version is from 2024, so I'll update that when I get a chance. I still need to check my other PCs.

Article explains how to use a PowerShell script to see if you have the new Certificate installed. NOTE: You must run PowerShell with "As Administrator".

https://www.zdnet.com/article/secure-bo ... ates-2026/

Re: Your PC's Secure Boot Certificate May Be About to Expire

Posted: Mon Feb 16, 2026 10:22 am
by FlyingPenguin
So far:

Going through some hoops to get the new certificate installed on my wife's 5 year old HP Envy 17 laptop. Not a big deal - I can just disable Secure Boot if necessary, but here's the issue that non-techies are going to go through: A lot of noobs will have their PCs just stop working in June and won't know why, and won't know how to disable Secure Boot (or will have BitLocker enabled and even with Secure Boot disabled, won't be able to boot because the drive encryption will be unreadable).

So HP apparently doesn't post drivers and BIOS updates on their website anymore. On the page for this laptop, I get "No files or updates available for your device". Not even an archive of BIOS files. Went around the block with HP support on Twitter and the only way to get the latest BIOS is to install the accursed HP Support Assistant. I did find an April 2024 BIOS available to install using that.

Assistant Download: https://support.hp.com/us-en/help/hp-su ... tant_cc/dt

Now according to the page linked below, my laptop SHOULD be able to install the new cert (any HP device made between 2018 and 2023 can be IF there is a BIOS released after 2023).

So far it has not auto installed via Windows Update, although it sounds like each cumulative security update every month this year will try to install it IF your BIOS supports it.

There are also instructions on this page to manually install it which I will try for fun.

HP PCs - Prepare for new Windows Secure Boot certificates
https://support.hp.com/us-en/document/i ... 3070429-16

Re: Your PC's Secure Boot Certificate May Be About to Expire

Posted: Mon Feb 16, 2026 11:58 am
by Executioner
Maybe they did this on purpose so you would have to purchase a new laptop/desktop.

Re: Your PC's Secure Boot Certificate May Be About to Expire

Posted: Mon Feb 16, 2026 1:46 pm
by Executioner
What happens when the certificates expire?

If a device does not receive the new Secure Boot certificates before the 2011 certificates expire, the PC will continue to function normally, and existing software will keep running. However, the device will enter a degraded security state that limits its ability to receive future boot-level protections.

As new boot‑level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations. Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware or Secure Boot–dependent software may fail to load.

It’s important to note that devices running unsupported versions (Windows 10 and older, excluding those who have enrolled in Extended Security Updates) do not receive Windows updates and will not receive the new certificates. We continue to encourage customers to always use a supported version of Windows for best performance and protection. For more information, see Windows 11 Specs and System Requirements | Microsoft Windows and Windows 10 support has ended on October 14, 2025 – Microsoft Support.
https://blogs.windows.com/windowsexperi ... e-updates/

Re: Your PC's Secure Boot Certificate May Be About to Expire

Posted: Mon Feb 16, 2026 6:24 pm
by FlyingPenguin
That last part is nonsense. My 2021 gaming PC is running Win10. It's never had Win11 installed, and it has gotten the updated certificate after I upgraded the BIOS. And no, I did not have extended Windows updates running on it until yesterday, although I have had 0patch running on it since August (0patch did not, and cannot, update the certificate).

Gee, I wonder if MS is trying to coax more users into installing Win11? MS could be a lot clearer about this.

Also, some experts I've been following have a concern that there are a lot of edge conditions that can cause the OS not to boot with the old cert installed after a certain date, possibly just Win10 but maybe 11 as well. The main issue is that newer drivers will be signed with the newer cert, and the OS with the old cert may not install them. All very confusing. I am trying to research this more while I'm working on my own PCs, and get some definitive answers.

There is a FAQ on this on most manufacturers' websites. Just google, for instance, "Asus Secure Boot Certificate" and you'll get their FAQ. I downloaded the ones for Dell, HP, Asus and MSI last night but have not gone over them yet in any detail.

Re: Your PC's Secure Boot Certificate May Be About to Expire

Posted: Mon Feb 16, 2026 7:48 pm
by FlyingPenguin
Most of them say the system SHOULD continue to boot. Sounds like installing newer versions of Windows might be problematic as the BIOS won't recognize the certificate, but there's no explanation if disabling Secure Boot would be a workaround.

From MSI's FAQ:
Even after the original certificate expires, the system will still be able to boot into Windows normally. However, the following impacts may occur:

Security Updates Blocked: The system will no longer be able to receive security updates specifically for the Windows bootloader.

Reduced Startup Security: The system startup phase may become more vulnerable to low-level threats, such as bootkits or other pre-OS malware.

Recovery Limitations: If boot-related files become corrupted in the future, newer recovery media may fail to boot due to Secure Boot certificate mismatches detected by the BIOS.

Re: Your PC's Secure Boot Certificate May Be About to Expire

Posted: Mon Feb 16, 2026 8:54 pm
by FlyingPenguin
So far this is what I THINK I've figured out:

- PCs should keep booting after June without the new certificate installed, but they will not recognize any new Windows Updates or drivers signed with the new cert.

- Bootable rescue media signed with the new cert won't boot unless you disable Secure Boot.

- Updating to a newer version of Windows will not be possible because Windows will not recognize the certificate in the newer installer.

- If you try to do a clean install of a newer version of Windows 11, it will require disabling Secure Boot and using the TPM hardware bypass in RUFUS, otherwise the mobo won't recognize the newer cert in the installer. Once the new cert is installed you can turn it back on.

- If your PC has not already updated to the new cert after last month and this month's cumulative security update (you can check using that PowerShell script in the article I posted at the start of this), then your BIOS likely needs to be updated to a version released after 2023. The newer the better as some manufacturers may have taken their time. Then you need to wait for the next monthly cumulative security update to install the cert.

- There is a manual way to install the cert. I have found a page explaining the procedure but have not had time to play with it yet. I intend to upgrade the BIOS on my workstation and then try to manually install the cert to see how it works.

Re: Your PC's Secure Boot Certificate May Be About to Expire

Posted: Tue Feb 17, 2026 5:16 pm
by Executioner
Fucking mess LOL. I'm on an old desktop that I built back in 2015 running windows 10 pro. I checked and mine came back as TRUE.

Re: Your PC's Secure Boot Certificate May Be About to Expire

Posted: Wed Feb 18, 2026 10:24 am
by FlyingPenguin
You're good then.

This may be a big nothing or an apocalypse, I honestly don't know, and the vague way MS is explaining all this makes it hard to know.

Update: My 5 year old Surface Pro 5 does qualify according to a FAQ on the MS site, and it's supposed to receive BIOS updates via Windows Update so I tried re-enabling Secure Boot and tested it again and now it says True.

I updated the Wife's 2021 HP laptop's BIOS using the awful HP Support app because they no longer archive updates for it on their web site. The newest BIOS is 2024 but there are no notes that confirm whether it supports the new certs. Going to just wait until next month's security update to see if it gets them.

Looked into the manual process for installing the certs and it sounds way too complicated and risky, so holding off on that.

Re: Your PC's Secure Boot Certificate May Be About to Expire

Posted: Thu Feb 19, 2026 6:14 pm
by Executioner
FlyingPenguin wrote: Wed Feb 18, 2026 10:24 am You're good then.

This may be a big nothing or an apocalypse, I honestly don't know, and the vague way MS is explaining all this makes it hard to know.
It almost sounds like the turn of the century with Y2K.

Re: Your PC's Secure Boot Certificate May Be About to Expire

Posted: Sat Feb 21, 2026 12:46 pm
by FlyingPenguin
Followup: Got my Win10 file server updated. Went to the mobo manufacturer's website and found the last BIOS update from October last year, with a specific note saying it supported the Secure Boot certificate update.

Because I had disabled automatic Windows Updates back in September when I installed 0Patch, I noticed I had the October Cumulative security update in the queue, so after updating BIOS and enabling Secure Boot, I let the October update install, and it got the new certs.

Re: Your PC's Secure Boot Certificate May Be About to Expire

Posted: Sat Mar 07, 2026 7:14 pm
by FlyingPenguin
Finally someone wrote an article that explains all this in detail, with a lot of nice background info:

Microsoft's Secure Boot certificates expire in June 2026, but older PCs may never get the fix:
https://www.xda-developers.com/microsof ... older-pcs/

Re: Your PC's Secure Boot Certificate May Be About to Expire

Posted: Sun Mar 08, 2026 8:33 pm
by Executioner
I decided to check one of the used laptops that I'm selling: Dell Latitude 3340 2-in-1 with an i3 CPU and 8 GB ram. Laptop was released in 2015. I installed Windows 10 first, then upgraded to Windows 11.

After checking, it comes back as "FALSE".

Laptop has the latest BIOS A19 from Dell.

UEFI is selected in the BIOS along with Secure Boot. Does this mean I'm SOL?

Re: Your PC's Secure Boot Certificate May Be About to Expire

Posted: Mon Mar 09, 2026 12:03 am
by FlyingPenguin
Allow it to do the windows update this Tuesday. If it's still false, then yeah, it's cooked.

Re: Your PC's Secure Boot Certificate May Be About to Expire

Posted: Tue Mar 10, 2026 10:57 pm
by FlyingPenguin
Well it's patch Tuesday, and I forced the March cumulative security update on both PCs. My wife's laptop, not surprisingly, did not get the new certs. It was a long shot since the newest BIOS for it dated from 2024.

I was more upset that my workstation didn't get it either, which is puzzling, since it has the same mobo, and same BIOS version installed (as of last month) as my gaming PC, which got the certs a few months ago.

So after diving deep down a rat hole, I found some instructions in the Asus Secure Boot Certificate Expiration FAQ here: https://www.asus.com/support/faq/1055903/

It suggests going into BIOS and clearing the Secure Boot keys after the BIOS update (I did not do that originally) and then restoring the default secure boot keys. So I did that today, and the certs are now installed. That FAQ also provided a way to actually see the list of all certs installed in the DB and KEK keys, and this is what mine looks like for the DB keys:

[Image: list of certificates in the DB keys]

You can see the two new 2023 keys at the bottom of the list, as well as the old 2011 keys.

While I'm glad I got it working, it's rather infuriating. I wish Microsoft would be clearer on how this works. Did the BIOS update install the new certs and it was just that I forgot to clear the old keys and reload them that prevented them from being loaded? Or did the BIOS update just allow the Windows Cumulative update to install the certs, but I needed to clear the old keys and reload them to bring those new keys in?

Everything I've read says the certs are installed by the cumulative update, assuming you update the BIOS to allow the update to install the certs. But then again, the original 2011 certs were installed by the mobo manufacturer, so there's no reason the BIOS update couldn't install the new certs. I mean the manufacturer certainly has the ability to install certs (they installed the original certs) and it's their mobo.

It would also be better for everyone if a BIOS update can install the certs because what happens to any mobos sitting on a shelf in a warehouse? Or any PC that doesn't get the certs before June? If the only way to get the new certs is via Windows Update, but after June any mobo with only the old 2011 certs can't get the newer Windows Updates signed with the new certs, then they'll be left behind.

I'm so confused.