Secure Boot is a critical security feature in Windows 11 that helps protect your system from unauthorized or malicious bootloaders during startup. It works by ensuring that only trusted, signed software is allowed to run during the boot process. However, like all digital certificates, Secure Boot certificates have expiration dates, and some are set to expire in 2026.
If these certificates are not updated in time, your system may face boot issues, compatibility problems, or reduced security protections. Microsoft has already provided updates to refresh these certificates, but users need to ensure their systems are properly updated and configured to avoid any disruptions.
In this guide, we’ll walk you through how to check and update Windows Secure Boot certificates that are expiring in 2026, ensuring your system remains secure and fully functional.
How to Check and Update Windows Secure Boot Certificates Expiring in 2026
Before proceeding, it’s important to understand that Secure Boot certificates are updated through Windows Updates and firmware (UEFI/BIOS) updates. You typically don’t need to manually install certificates, but you do need to verify that your system is receiving the latest updates and that Secure Boot is properly enabled. The steps below will help you ensure everything is configured correctly.
1. Check if Secure Boot is Enabled
First, confirm whether Secure Boot is enabled on your system.
- Press Windows + R, type msinfo32, and press Enter.
- In the System Information window, locate Secure Boot State.
- Check if it shows On.
If Secure Boot is disabled, certificate updates may not apply properly.
2. Verify Current Secure Boot Database (DB) Status
You can check if your system is using updated Secure Boot databases.
- Open PowerShell as administrator.
- Run the command: Confirm-SecureBootUEFI
- Check the output to confirm Secure Boot status.
This helps verify whether Secure Boot is active and functioning.
3. Install Latest Windows Updates
Microsoft distributes updated Secure Boot certificates through Windows Update.
- Press Windows + I to open Settings.
- Go to Windows Update.
- Click Check for updates.
- Install all available updates.
- Restart your PC after installation.
Keeping Windows updated ensures you receive the latest security certificates.
4. Update Your System Firmware (UEFI/BIOS)
Firmware updates may include updated Secure Boot keys and certificates.
- Visit your device or motherboard manufacturer’s website.
- Download the latest BIOS/UEFI update for your model.
- Follow the official instructions to install the update.
- Restart your system after completion.
Firmware updates are essential for maintaining Secure Boot compatibility.
5. Check Optional Updates in Windows Update
Some Secure Boot-related updates may appear as optional updates.
- Open Settings > Windows Update.
- Click on Advanced options.
- Select Optional updates.
- Install any available firmware or security updates.
These updates may include certificate-related improvements.
6. Ensure Secure Boot Keys Are Updated
In some cases, Secure Boot keys may need to be refreshed via firmware settings.
- Restart your PC and enter BIOS/UEFI settings (typically by pressing F2, DEL, or ESC during startup).
- Navigate to the Secure Boot section.
- Look for options like Restore Factory Keys or Install Default Keys.
- Apply changes and save settings.
This ensures your system uses the latest trusted keys.
7. Check Event Viewer for Secure Boot Logs
Event Viewer can provide insights into Secure Boot-related updates and errors.
- Press Windows + X and select Event Viewer.
- Navigate to Windows Logs > System.
- Look for entries related to Secure Boot or UEFI.
- Review logs for any warnings or errors.
This helps identify issues with certificate updates.
8. Use Microsoft Guidance for Secure Boot Updates
Microsoft may release specific guidance or tools for certificate updates.
- Visit the official Microsoft support website.
- Search for Secure Boot certificate updates or advisories.
- Follow recommended steps or install provided updates.
Staying informed ensures you don’t miss critical updates.
9. Restart and Verify Changes
After applying updates, confirm that everything is working correctly.
- Restart your PC.
- Open System Information again (msinfo32).
- Verify that Secure Boot State is still On.
- Ensure your system boots without errors.
Verification ensures that updates have been applied successfully.
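The checks in steps 1, 2, 7 and 9 can also be run from an elevated PowerShell prompt. The script below is an added example, not part of the original guide or a Microsoft tool. It only reads state, and the certificate names it searches for are assumptions based on Microsoft's published names for the 2011 certificates and their 2023 replacements.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of Secure Boot state and certificate variables.
# Assumption: these are Microsoft's published names for the 2011 certificates
# that expire in 2026 and for the 2023 certificates that replace them.
$Legacy   = @{ db  = @('Microsoft Windows Production PCA 2011',
                       'Microsoft Corporation UEFI CA 2011')
               KEK = @('Microsoft Corporation KEK CA 2011') }
$Expected = @{ db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023')
               KEK = @('Microsoft Corporation KEK 2K CA 2023') }

function Test-SecureBootCertificate {
    param([string]$Variable, [string[]]$Names)
    # The variable holds an EFI signature list; certificate subject names
    # appear as readable ASCII inside the DER-encoded entries.
    $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    foreach ($name in $Names) {
        [pscustomobject]@{
            Variable    = $Variable
            Certificate = $name
            Present     = $text.Contains($name)
        }
    }
}

# Steps 1 and 9: Secure Boot state. The cmdlet throws on legacy BIOS systems.
try {
    $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
    return
}
Write-Output "Secure Boot enabled: $enabled"

# Step 2: which certificates the signature database (db) and KEK contain.
$report = foreach ($var in 'db', 'KEK') {
    Test-SecureBootCertificate -Variable $var -Names ($Legacy[$var] + $Expected[$var])
}
$report | Format-Table -AutoSize

$missing = $report | Where-Object {
    $Expected[$_.Variable] -contains $_.Certificate -and -not $_.Present
}
if ($missing) {
    Write-Warning "2023 certificates not yet present: $($missing.Certificate -join ', ')"
}

# Step 7: recent System log entries whose message mentions Secure Boot.
Get-WinEvent -LogName System -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Secure Boot' } |
    Select-Object -First 20 -Property TimeCreated, Id, ProviderName, LevelDisplayName
```

Run it before and after installing updates: a 2023 entry that changes from False to True shows the new certificate was written to firmware.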
Conclusion
Secure Boot certificates expiring in 2026 are an important consideration for maintaining system security and stability in Windows 11. While the update process is largely handled automatically through Windows Update and firmware updates, it’s essential to verify that your system is properly configured and up to date.
By following the steps outlined in this guide, you can ensure that your Secure Boot certificates are updated in time, preventing potential boot issues and maintaining a secure computing environment. Keeping both your operating system and firmware updated will help you stay protected against evolving security threats.