Why Check Your Secure Boot Certificate in Windows 11

Quick Tips
  • A green checkmark in the Windows Security app is the easiest way to confirm an updated certificate, while a yellow or red badge means your device needs attention.
  • Without an updated certificate, future boot components and security updates may fail Secure Boot validation.
  • PCs built in 2024 or later typically ship with the updated certificates, so this mostly affects older hardware still running on the original 2011 chain.

You might’ve recently seen the news along the lines of “Microsoft warns Windows users about urgent Secure Boot Certificate update.” But what’s that all about? Well, as it turns out, if you have a relatively old PC and haven’t updated its firmware, now might be the time to start. Microsoft’s original 2011 Windows Secure Boot certificate is slowly going obsolete, with the first of them expiring in late June 2026. Here’s how to check where your PC stands and what to do if it needs an update.

What Is a Secure Boot Certificate, and Why Does It Matter?

Secure Boot is a firmware-level security feature built into UEFI, the modern replacement for the traditional BIOS. Its job is to make sure that only trusted, digitally signed software is allowed to run during startup, before Windows even loads. This blocks malware that tries to hijack a PC at the earliest possible stage, when traditional antivirus tools aren’t running.

To decide what is trusted, Secure Boot relies on a set of certificate authorities (CAs) stored in firmware. And like any digital certificate, these have expiration dates. Microsoft issued the original set in 2011, and after more than 15 years in service, they’ve reached the end of their planned lifecycle. The Microsoft Corporation KEK CA 2011 and Microsoft Corporation UEFI CA 2011 both expire on June 24–27, 2026, with the Windows Production PCA 2011 following in October 2026.

Notably, the replacement 2023 certificates were installed on newer devices, have been rolling out automatically, and are valid until 2053, so you don’t have to worry about Windows Secure Boot Certificate expiration for a long time.

Most PCs will keep booting with the old certificates. Without the new certificate chain installed, though, they can’t receive future boot-component and firmware updates, so their boot-time protection falls out of date. That can lead to security issues or, if you’ve set up BitLocker, cause it to repeatedly ask for the password.

How to Check if You Have an Old Windows 11 Secure Boot Certificate

Option 1 – Check the Windows Security App

This is the simplest method, and the one most people should start with.

Step 1. Open “Start” and search for “Windows Security,” then open it.

Step 2. Go to “Device security” from the left-hand menu.

Step 3. Look for the “Secure Boot” entry and check the badge color and accompanying message.

On an up-to-date Windows build, one of the following badges appears here. Here’s what each means:

  • Green: Secure Boot is on, and all required certificate updates have been applied. No action needed.
  • Yellow: Your device is still running the older certificate, and the update is expected to arrive through Windows Update. It can also mean the update is blocked by a hardware or firmware limitation.
  • Red: A security update can’t be delivered to your device’s current configuration, and immediate attention is needed.

Option 2 – Check With PowerShell

If the Windows Security app doesn’t have the certificate status on your device, PowerShell gives you a direct answer.

Step 1. Open “Start,” search for PowerShell, and choose “Run as administrator.” This is also available by right-clicking on the Start button and selecting “Terminal (Admin).”

Step 2. Paste the following command and press “Enter.”

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

Step 3. Check the result: “True” means the 2023 certificate (valid until 2053) is already installed. “False” means you’re still running on the original certificate that starts expiring in June 2026.

Option 3 – Check Event Viewer

If the first two options don’t yield results, the Event Viewer can show you where a device sits in the rollout process.

Step 1. Open “Start,” then go to “Event Viewer.”

Step 2. Go to “Windows Logs” and then to “System.”

Step 3. On the right pane, click on “Filter current log.”

Step 4. Click on the “Event sources” dropdown, type in the letter “T,” then scroll down to “TPM-WMI” and select it. Then, click “OK” in the dialog.

Step 5. Look for Event ID 1801 with a message like “BucketConfidenceLevel: Under Observation – More Data Needed.”

This entry looks alarming, but it simply means Windows has downloaded and staged the new certificate inside the operating system but hasn’t yet written it to firmware – the rollout happens in two phases, and devices can sit at this stage for a while as Microsoft validates compatibility before activation.
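The PowerShell check from Option 2 and the Event Viewer check from Option 3, combined into one script. This is an added example, not code from the article; it assumes an elevated PowerShell window on a UEFI machine, that the “TPM-WMI” source appears to Get-WinEvent under a provider name containing “TPM-WMI”, and the helper name Get-SecureBootCaNames is ours.

```powershell
# Added example (not from the original article). Run as administrator on a
# UEFI system: Get-SecureBootUEFI fails on legacy-BIOS PCs or without elevation.
#Requires -RunAsAdministrator

function Get-SecureBootCaNames {
    # Decode a Secure Boot variable (db or KEK) as ASCII, as the article does,
    # and pull out every "... CA 20xx" subject name embedded in its certificates.
    param([ValidateSet('db', 'KEK')] [string] $Name)
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    [regex]::Matches($text, '[A-Za-z0-9 ]*(?:CA|PCA) 20\d\d') |
        ForEach-Object { $_.Value.Trim() } |
        Sort-Object -Unique
}

# 1. Is Secure Boot enabled at all? If not, the certificate state is moot.
"Secure Boot enabled : $(Confirm-SecureBootUEFI)"

# 2. Which CA generations are present in db (signs boot components) and
#    KEK (authorises updates to db)? Both need the 2023 chain eventually.
foreach ($var in 'db', 'KEK') {
    $names = @(Get-SecureBootCaNames -Name $var)
    "`n$var contains:"
    $names | ForEach-Object { "  $_" }
    $has2023 = @($names | Where-Object { $_ -like '*2023' }).Count -gt 0
    $has2011 = @($names | Where-Object { $_ -like '*2011' }).Count -gt 0
    if ($has2023)     { "  -> $var already carries a 2023 certificate." }
    elseif ($has2011) { "  -> $var still only has the 2011 chain (expires in 2026)." }
}

# 3. Has Windows staged the update without writing it to firmware yet?
#    Event ID 1801 from the TPM-WMI source is the marker described in Option 3.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1801 } -ErrorAction SilentlyContinue |
    Where-Object ProviderName -like '*TPM-WMI*' |
    Select-Object -First 1
if ($evt) {
    "`nLatest TPM-WMI event 1801 ($($evt.TimeCreated)):"
    $evt.Message
} else {
    "`nNo TPM-WMI event 1801 found: the update has not been staged on this device yet."
}
```

A device that shows “True” for the article’s one-liner but no 2023 name under KEK is only partly through the rollout, which is why the script reports db and KEK separately.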

How to Update Your Boot Certificate

For the vast majority of home users, the update happens automatically. If your check above showed an older certificate, run Windows Update and install the latest updates, then run the check again. However, some devices need a firmware update from the manufacturer before the certificate update can apply cleanly.

For that, you need to visit the manufacturer’s support page and search for the latest BIOS/UEFI firmware update for your exact model, then install it.

If the Windows Security app tells you the update is “temporarily paused,” Microsoft might be holding back the rollout until a fix is ready. This just means you may need to wait a bit longer.

Last Resort – Contact Your Device Manufacturer

If your Secure Boot badge stays red, or the Windows Security app specifically says your device can’t receive the automated update due to hardware or firmware limitations, the fix has to come from the OEM. Reach out to your manufacturer’s support team, reference the Secure Boot certificate update, and ask whether a compatible firmware update is available for your model.

Last updated on 04 July, 2026
