The Importance of Secure Boot in Windows 11

In Windows 11, Secure Boot plays a critical role in safeguarding the startup process against low-level malware. It matters because it stops malicious software from tampering with the boot chain before the operating system and antivirus solutions are running.

Secure Boot relies on the Unified Extensible Firmware Interface (UEFI) firmware, which verifies each component of the boot chain against the certificates it trusts and loads only software signed by a trusted authority. This protective measure is designed to combat threats such as bootkits and rootkits that aim to take control of the computer at the point where it is most exposed: before the operating system's own defenses exist.

Upcoming Changes to Secure Boot Certificates

As part of Microsoft’s commitment to maintaining system integrity, the original Secure Boot certificates from 2011 are set to expire in June 2026. To address this, Microsoft has initiated a phased rollout of updated certificates valid until 2053, starting with the January 2026 Security Update.

Modern devices purchased in 2024 and later are likely to ship with the latest certificates. For earlier models, the new certificates are being distributed gradually via Windows Update. Users can also check and manage their certificate status themselves, particularly to make sure the update has landed before the 2011 certificates expire.

Checking Your Secure Boot Certificate Status

Since Windows 11 does not provide direct notifications regarding the status of Secure Boot certificates, it is essential to manually verify if your device has the latest updates. You can do this by utilizing PowerShell, as follows:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

  • True: You have the updated 2023 certificate, which remains valid until 2053.
  • False: Your device still utilizes the 2011 certificates, which will expire in June 2026.
Image: PowerShell check Secure Boot cert expiration (Mauro Huculak)
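The one-liner above works because the certificate's common name is stored as printable ASCII inside the DER-encoded subject, so a substring match on the raw variable bytes finds it. The following added example (not code from the article) goes one step further and parses the db and KEK variables as the EFI_SIGNATURE_LIST structures they actually are, extracting every enrolled X.509 certificate with its subject and NotAfter date. That lets you see the 2011 and 2023 certificates side by side and check expiry by date rather than by name. It assumes an elevated PowerShell session on a UEFI system; the 2023 names other than "Windows UEFI CA 2023" are not in the article and are taken from Microsoft's published replacement CA names, so treat them as assumptions to confirm against current documentation.

```powershell
# Added example, not code from the original article: enumerate the X.509 certificates enrolled
# in the UEFI Secure Boot db and KEK variables and report subject and expiry, so the 2011 -> 2023
# transition can be checked by certificate date rather than by a substring match on raw bytes.
# Assumes an elevated PowerShell session on a UEFI system (Get-SecureBootUEFI needs both).

# EFI_CERT_X509_GUID from the UEFI specification; lists of this type carry whole DER certificates.
$EfiCertX509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificate {
    param([Parameter(Mandatory)][ValidateSet('db', 'KEK')][string]$Name)

    # .Bytes holds the variable's raw contents: a sequence of EFI_SIGNATURE_LIST structures.
    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    [int]$offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes), then three UINT32 fields:
        # SignatureListSize, SignatureHeaderSize, SignatureSize.
        $type     = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }  # malformed list; stop

        if ($type -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            $sigOffset = $offset + 28 + $hdrSize
            $listEnd   = $offset + $listSize
            while ($sigOffset + $sigSize -le $listEnd) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) followed by the DER certificate.
                [byte[]]$der = $bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Store    = $Name
                    Subject  = $cert.Subject
                    NotAfter = $cert.NotAfter
                    Expired  = ($cert.NotAfter -lt (Get-Date))
                }
                $sigOffset += $sigSize
            }
        }
        $offset += $listSize
    }
}

# Full inventory of both stores, oldest expiry first.
$certs = @(Get-SecureBootCertificate -Name db) + @(Get-SecureBootCertificate -Name KEK)
$certs | Sort-Object Store, NotAfter | Format-Table Store, Subject, NotAfter, Expired -AutoSize

# Replacement CA names as published by Microsoft (assumed here; the article names only 'Windows UEFI CA 2023').
$expected2023 = @{
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
    db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
}
foreach ($store in $expected2023.Keys) {
    foreach ($cn in $expected2023[$store]) {
        # .NET renders the subject as "CN=..., O=..., C=...", so match on the CN attribute.
        $present = [bool]($certs | Where-Object { $_.Store -eq $store -and $_.Subject -like "*CN=$cn*" })
        '{0,-4} {1,-40} {2}' -f $store, $cn, $(if ($present) { 'present' } else { 'MISSING' })
    }
}
```

Run it before and after the update: a device still on the 2011 certificates shows only subjects ending in 2011 with NotAfter dates in 2026, while a fully updated device lists both generations (the 2011 entries are not removed) and reports every expected 2023 name as present. The parser skips signature lists of other types, such as the SHA-256 hash lists that also live in db, and stops at the first malformed header rather than reading past the buffer.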

Understanding Certificate Expiration

All Secure Boot certificates carry expiration dates; keeping the enrolled certificates current matters both for continuing to receive security updates and for the system to boot correctly. The key expiration dates for the 2011 certificates are:

  • Microsoft Corporation KEK CA 2011: June 24, 2026
  • Microsoft Corporation UEFI CA 2011: June 27, 2026
  • Microsoft Option ROM UEFI CA 2011: June 27, 2026
  • Microsoft Windows Production PCA 2011: October 19, 2026

Steps to Update Your Secure Boot Certificates

If your system is using outdated certificates, Microsoft and your device manufacturer will typically handle updates automatically through Windows Update. However, manual updates are also an option if you find your certificates nearing expiration.

To manually initiate the update, access PowerShell (admin) and execute:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f

This command sets a registry key to prompt the deployment of required updates, including the PCA 2023-signed boot manager. The value 0x5944 signifies the full mitigation code for the updates.

Finalizing the Update Process

After the update is applied, your system typically requires two reboots for it to take full effect. The first reboot applies the boot manager update, while the second finalizes the addition of the new certificates to the UEFI database.

Once rebooted, you can double-check the presence of the “UEFI CA 2023” using the following PowerShell command:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

  • True: Your system is now secured with the latest certificates.
  • False: If this returns false after repeated reboots, there may be compatibility issues with your motherboard firmware. Consult your manufacturer’s website for potential BIOS updates related to Secure Boot.

If you have BitLocker enabled, you may need to suspend protection temporarily so the new keys can be written; use Suspend-BitLocker -MountPoint "C:" -RebootCount 2 as required, which keeps protection suspended across the two reboots and re-enables it automatically afterwards.
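The manual procedure above (check, set the registry trigger, handle BitLocker, reboot twice, verify) can be run as a single idempotent script. The following is an added example, not the article's or Microsoft's own tooling: it uses the article's registry path and 0x5944 value unchanged, refuses to proceed when Secure Boot is off, does nothing when the 2023 CA is already enrolled, and only suspends BitLocker when the OS volume is actually protected. It assumes an elevated PowerShell session; the two reboots still have to happen afterwards.

```powershell
# Added example, not code from the original article: pre-flight checks plus the registry trigger
# for the Secure Boot certificate update, written so it can be re-run safely.
# Assumes an elevated PowerShell session on Windows 11 with UEFI firmware.

$SecureBootKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'   # path from the article
$FullMitigation = 0x5944                                                  # value from the article

function Test-WindowsUefiCa2023Present {
    # Same check as the article: the CA's common name is ASCII inside the DER data held in db.
    $db = (Get-SecureBootUEFI -Name db).Bytes
    return [bool]([System.Text.Encoding]::ASCII.GetString($db) -match 'Windows UEFI CA 2023')
}

function Start-SecureBootCertificateUpdate {
    # Confirm-SecureBootUEFI returns $false when Secure Boot is disabled and throws on legacy BIOS.
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is disabled; enable it in firmware before applying the certificate update.'
        return
    }
    if (Test-WindowsUefiCa2023Present) {
        Write-Host 'db already contains Windows UEFI CA 2023; nothing to do.'
        return
    }

    # Secure Boot variables are measured into the TPM, so the update changes the measurements
    # BitLocker relies on. Suspend protection across the two reboots only if it is actually on.
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($osVolume.ProtectionStatus -eq 'On') {
        Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 2 | Out-Null
        Write-Host "BitLocker suspended on $env:SystemDrive for the next two reboots."
    }

    # Equivalent of the article's reg add: create the REG_DWORD value and set the full mitigation code.
    if (-not (Test-Path $SecureBootKey)) { New-Item -Path $SecureBootKey -Force | Out-Null }
    Set-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -Value $FullMitigation -Type DWord

    $applied = (Get-ItemProperty -Path $SecureBootKey -Name AvailableUpdates).AvailableUpdates
    Write-Host ('AvailableUpdates = 0x{0:X}. Reboot twice, then re-run Test-WindowsUefiCa2023Present.' -f $applied)
}

Start-SecureBootCertificateUpdate
```

After the second reboot, `Test-WindowsUefiCa2023Present` returning `$true` is the success signal the article describes; if it stays `$false` after repeated reboots, the article's advice about checking for a firmware update from the board vendor applies, since Windows can only request the change and the firmware has to accept it.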
