
Secure Boot changes in 2026

Overview

Microsoft announced some time ago that the Secure Boot certificates that have been present on virtually all modern computers since 2011 will be replaced in the coming years, with important changes around June 2026.

Without any action, computers will generally continue to function as usual. However, the security of the boot process may become weaker over time. In the future, this could lead to situations where updates (such as Windows or Linux bootloaders) fail to start with Secure Boot enabled, if the new certificates are not present on the computer.

This page is intended for users who manage their own computer. Depending on your system, you may need to take action to ensure compatibility with future Secure Boot updates.

If you are using a Nikhef system managed by the CT department (you log in with your Nikhef account), no action is required on your part.


TL;DR

🟢 If you are using a Nikhef computer or laptop managed by the CT department (you log in with your Nikhef account), no action is required.

🛠️ If you manage your own system:
- 💻 Windows users: go to What should Windows users do?
- 🐧 Linux users: go to What should Linux users do?

For more background and technical details, continue reading below.


What is Secure Boot?

Secure Boot is a security feature in your computer that verifies whether everything loaded during startup is authentic and trusted. It ensures that your computer only starts trusted software and prevents malicious programs from hiding in the computer before the operating system loads.

Secure Boot uses digital keys stored in the computer’s firmware to determine what is allowed to start.


What exactly is expiring?

In June 2026, two important Microsoft certificates used in Secure Boot will expire.

These certificates allow the computer to determine which boot software is trusted.

The certificates are:

  • Microsoft Windows Production PCA 2011
  • Microsoft UEFI CA 2011

They are used to verify, among other things:

  • That Windows is allowed to boot securely
  • That Linux can boot securely (via Secure Boot)
  • That the computer's bootloader has not been modified

Microsoft is replacing these old certificates with new versions from 2023. If computers are updated in time, you will not notice any difference.


What happens if I do nothing?

Important to know:

  • Computers will continue to boot normally for now. However, future system updates or newer bootloaders may no longer be trusted if the updated Secure Boot certificates are not present.
  • Existing operating systems will keep working as long as their bootloaders remain trusted by the current firmware database.

What are the potential consequences?

  • Future OS upgrades may encounter compatibility issues
  • Newer bootloaders may fail to start with Secure Boot enabled
  • Secure Boot updates may fail or not be applied correctly
  • Reduced protection against newly revoked or vulnerable bootloaders
  • Over time, outdated Secure Boot databases may delay protection against newly discovered boot-level vulnerabilities

Which systems are most likely affected?

In general, systems from around 2012–2018 are most likely to require attention, especially if they no longer receive BIOS/UEFI firmware updates.

Systems from 2019 or newer are usually already updated or still supported by the manufacturer. However, it is still recommended to verify that the new Secure Boot certificates are present.

The key factor is whether your system still receives firmware (UEFI/BIOS) updates, not which version of Windows or Linux you are running.


What should Windows users do?

💡 Tip: If you prefer not to go through the manual steps below, you can use the automated check script instead.

Check whether Secure Boot is enabled

  1. Press Win + R
  2. Type msinfo32 and press Enter
  3. Check the following values:
     • Secure Boot State (should be On)
     • BIOS Mode (should be UEFI)

Alternatively, you can use PowerShell:

Confirm-SecureBootUEFI


Situation 1: Secure Boot is disabled (result is False)

If Secure Boot is disabled, no immediate action is required regarding this certificate transition.

However, this also means that Secure Boot protections are not active on your system.

Note

Disabling Secure Boot is not recommended as a workaround for certificate-related issues, as it reduces protection against boot-level threats.


Situation 2: Secure Boot is enabled (result is True)

We understand that the following explanation is quite technical. However, this level of detail is necessary to accurately verify whether your computer has been updated.

If Secure Boot is enabled, check whether the new certificates are already present in your system firmware.

  1. Click Start
  2. Type: PowerShell
  3. Right-click Windows PowerShell
  4. Choose Run as administrator
  5. Copy and paste this command and press Enter:
$dbAscii = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).Bytes)
$kekAscii = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI KEK).Bytes)

$dbAscii -match 'Windows UEFI CA 2023'
$dbAscii -match 'Microsoft UEFI CA 2023'
$dbAscii -match 'Microsoft Option ROM UEFI CA 2023'
$kekAscii -match 'Microsoft Corporation KEK 2K CA 2023'

What does the result mean?

The commands return True or False for each check:

  • True = the certificate name was found in the firmware database
  • False = the certificate name was not found

Expected output (system is fully updated)

If your system is fully updated for the 2023 Secure Boot certificate transition, you should see:

  • Windows UEFI CA 2023 → True
  • Microsoft UEFI CA 2023 → True
  • Microsoft Option ROM UEFI CA 2023 → True
  • Microsoft Corporation KEK 2K CA 2023 → True

Meaning: Your firmware contains the updated 2023 certificates in the db (allowed signatures database) and the updated 2023 KEK (Key Exchange Key). No action is required.

Common alternative outcomes

Outcome A - db is updated, but KEK is NOT (partial update)

Example:

  • Windows UEFI CA 2023 → True
  • Microsoft UEFI CA 2023 → True
  • Microsoft Option ROM UEFI CA 2023 → True
  • Microsoft Corporation KEK 2K CA 2023 → False

⚠️ Meaning: The Secure Boot allowed signatures database (db) is up to date, so the system will typically boot without issues. However, the Secure Boot key transition is not complete because the KEK is still using the 2011 keyset. Future Secure Boot database updates may require the 2023 KEK.

What to do: Keep BIOS/UEFI firmware and Windows updates up to date. No immediate action is needed.

Outcome B - db is NOT updated (missing 2023 certificates)

Example (one or more of these are False):

  • Windows UEFI CA 2023 → False
  • Microsoft UEFI CA 2023 → False
  • Microsoft Option ROM UEFI CA 2023 → False

⚠️ Meaning: Your firmware db (allowed signatures database) is missing one or more 2023 trust anchors. If Secure Boot is enabled, future bootloaders signed only with the new 2023 certificates may fail to start.

What to do: Update your system firmware (BIOS/UEFI) and install all available Windows updates. If your hardware vendor (Dell, Lenovo, Asus etc.) provides a “Secure Boot DB/KEK update” package, install it as well.

Outcome C - Everything is false

If all checks return False, one of the following is likely:

  • Secure Boot is actually disabled (re-check with Confirm-SecureBootUEFI)
  • The system uses a non-standard/custom Secure Boot configuration
  • The PowerShell session is not elevated (not running as Administrator)
  • The platform does not expose Secure Boot variables via Windows (rare, but possible)

What to do: Re-check Secure Boot status:

Confirm-SecureBootUEFI

Ensure PowerShell is running as Administrator and repeat the checks.


▶️ Optional: Run the automated check script

If you prefer not to manually enter all commands, or find the steps too technical, you can use the script below to perform the checks automatically.

  1. Download secureboot-check.ps1 or copy the script and save it as a .ps1 file (for example: secureboot-check.ps1)
  2. Right-click the file
  3. Select “Run with PowerShell”
    (or run it from an elevated PowerShell session — “Run as Administrator” is recommended)

⚠️ If you receive a warning about script execution, you may need to allow local scripts temporarily or run the script from an Administrator PowerShell window.

If you contact the helpdesk about the outcome of the script, please send the output with it.


Does this also affect Linux?

Short answer

Yes, this can also affect Linux systems, but only if Secure Boot is enabled.

Why?

When Secure Boot is enabled, Linux typically uses a small intermediary program (often called a shim) to boot securely. This program is signed by Microsoft so that the system firmware trusts it.

Because Microsoft is transitioning away from the older Secure Boot certificates used since 2011, it is possible that:

  • New Linux bootloaders or updates are no longer recognized as trusted
  • Linux may fail to boot with Secure Boot enabled
  • Secure Boot-related updates (such as revocation updates) may not be applied correctly

When is there no problem for Linux?

In most cases, there is no issue if one of the following applies:

  • Secure Boot is disabled
  • Linux and the bootloader (e.g. shim/GRUB) are regularly updated
  • The system firmware (BIOS/UEFI) is recent and includes the newer Microsoft certificates

When is extra attention needed?

Additional checks are recommended in the following situations:

  • Older systems with no available BIOS/UEFI updates
  • Linux systems that rarely or never receive updates (e.g., offline machines)
  • Systems where updates are intentionally restricted

What should Linux users do?

Important for Linux users

Due to the wide variety of Linux distributions, bootloaders, and hardware configurations, it is not possible to provide exact steps for every situation.

The instructions below serve as a general guideline, but depending on your system (distribution, firmware, Secure Boot configuration), additional steps may be required.

Linux users are expected to determine, if necessary, the appropriate approach for their specific environment. Please consult the documentation of your distribution or hardware vendor (Dell, Lenovo, Asus, etc.).

If you are unsure or run into issues, please contact the helpdesk.

Check whether Secure Boot is enabled

Open a terminal and run:

mokutil --sb-state
or
bootctl status

If the output reports Secure Boot as enabled (mokutil prints SecureBoot enabled), Secure Boot is active → continue to the next step.
If the output reports Secure Boot as disabled, no action is required.


Does my system have the new certificates?

If your system normally receives updates, the required certificates may be updated automatically via firmware updates (fwupd/LVFS) or through your OEM, depending on vendor (Dell, Lenovo, Asus etc.) support.

Check whether the Microsoft certificates are present:

mokutil --db | grep -i microsoft

If the output includes entries similar to the example below, this is a strong indication that the system is up to date; the presence of Windows UEFI CA 2023 is especially important.

Note: the presence of these certificates is a strong indication, not a guarantee: exact behaviour may vary depending on the firmware implementation and on vendor (Dell, Lenovo, Asus etc.) support.

Issuer:  C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
         URI: http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
         CA Issuers - URI: http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt

Issuer:  C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
Subject: C=US, O=Microsoft Corporation, CN=Windows UEFI CA 2023
         URI: http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
         CA Issuers - URI: http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
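Both the Windows check (the PowerShell -match commands) and the Linux check (mokutil --db | grep) look for the certificate names as text. The following Python script is an added example, not code from this page or from Nikhef: it parses the raw db and KEK variables structurally (the chain of EFI_SIGNATURE_LIST entries, then the subject commonName of each X.509 certificate) and maps the result onto the outcomes described in the Windows section (fully updated, A, B, C). It assumes that on Linux the variables are read from efivarfs under /sys/firmware/efi/efivars (as root) and that on Windows the two variables are first exported to files with [IO.File]::WriteAllBytes(...) as shown in the docstring. The GUIDs are the standard values from the UEFI specification; the sample certificates built by fake_cert/fake_siglist are constructed, unsigned test data and not real Microsoft certificates.

```python
"""Structural check of the UEFI Secure Boot db and KEK for the 2023 Microsoft certificates.

Added example, not code from the original page.  Assumptions: on Linux the variables
are read from efivarfs (/sys/firmware/efi/efivars, whose files start with 4 bytes of
variable attributes); on Windows they are first exported with
  [IO.File]::WriteAllBytes('db.bin',  (Get-SecureBootUEFI db).Bytes)
  [IO.File]::WriteAllBytes('kek.bin', (Get-SecureBootUEFI KEK).Bytes)
and the two files are passed as arguments:  python3 check_sb_certs.py db.bin kek.bin
"""
import pathlib
import struct
import sys
import uuid

# GUIDs from the UEFI specification (variable vendor GUIDs and the X.509 entry type).
DB_VAR = "db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
KEK_VAR = "KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Certificate names the page tells users to look for.
DB_REQUIRED = ("Windows UEFI CA 2023", "Microsoft UEFI CA 2023",
               "Microsoft Option ROM UEFI CA 2023")
KEK_REQUIRED = ("Microsoft Corporation KEK 2K CA 2023",)


def _der_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _der_children(buf, start, end):
    """Yield (tag, value_start, value_end) of every element directly inside [start, end)."""
    pos = start
    while pos < end:
        tag, vstart, vend = _der_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def x509_subject_cn(cert):
    """Subject commonName of a DER certificate.  Parses structure only; verifies nothing."""
    _, outer_start, _ = _der_tlv(cert, 0)                  # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _der_tlv(cert, outer_start)    # tbsCertificate ::= SEQUENCE
    fields = list(_der_children(cert, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                               # optional explicit [0] version
        fields = fields[1:]
    _, subj_start, subj_end = fields[4]                    # serial, sigAlg, issuer, validity, subject
    for _, set_start, set_end in _der_children(cert, subj_start, subj_end):      # RDN SETs
        for _, seq_start, seq_end in _der_children(cert, set_start, set_end):    # type+value
            oid, value = list(_der_children(cert, seq_start, seq_end))
            if cert[oid[1]:oid[2]] == b"\x55\x04\x03":     # id-at-commonName (2.5.4.3)
                return cert[value[1]:value[2]].decode("utf-8", "replace")
    return None


def parse_signature_lists(data):
    """Walk the EFI_SIGNATURE_LIST chain of a db/KEK payload; yield (type, owner, signature_data)."""
    pos = 0
    while pos + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[pos:pos + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", data, pos + 16)
        if list_size < 28 or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {pos}")
        first, end = pos + 28 + header_size, pos + list_size
        for p in range(first, end, sig_size):              # EFI_SIGNATURE_DATA: owner GUID + data
            yield sig_type, uuid.UUID(bytes_le=data[p:p + 16]), data[p + 16:p + sig_size]
        pos = end


def certificate_names(data):
    """Subject CNs of all X.509 entries in a variable payload (hash entries are skipped)."""
    return [x509_subject_cn(sig) for t, _, sig in parse_signature_lists(data)
            if t == EFI_CERT_X509_GUID]


def classify(db_bytes, kek_bytes):
    """Map db/KEK contents to the outcomes described in the Windows section of the page."""
    db_names, kek_names = certificate_names(db_bytes), certificate_names(kek_bytes)
    db_found = [n for n in DB_REQUIRED if n in db_names]
    kek_found = [n for n in KEK_REQUIRED if n in kek_names]
    if len(db_found) == len(DB_REQUIRED) and kek_found:
        return "updated"
    if len(db_found) == len(DB_REQUIRED):
        return "A: db updated, KEK not"
    if not db_found and not kek_found:
        return "C: no 2023 certificates found"
    return "B: db missing 2023 certificates"


# ---- constructed test data: unsigned skeletons, NOT real Microsoft certificates ----------
def _tlv(tag, body):
    """Minimal DER encoder (short and long length form) for the constructed samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert(cn):
    """X.509 skeleton whose only meaningful field is the subject CN (test data only)."""
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
               + name + _tlv(0x30, b"") + name + _tlv(0x30, b""))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def fake_siglist(cns):
    """EFI_SIGNATURE_LIST chain with one X.509 list per name (lists differ in SignatureSize)."""
    out = b""
    for cn in cns:
        sig = uuid.UUID(int=0).bytes_le + fake_cert(cn)
        out += EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig
    return out


def read_efivar(name):
    """Linux: read a variable from efivarfs, dropping the 4-byte attribute prefix (assumed path)."""
    return pathlib.Path("/sys/firmware/efi/efivars", name).read_bytes()[4:]


if __name__ == "__main__":
    if len(sys.argv) == 3:                                 # exported db.bin kek.bin (see docstring)
        db, kek = (pathlib.Path(p).read_bytes() for p in sys.argv[1:3])
    else:                                                  # Linux; efivarfs needs root
        db, kek = read_efivar(DB_VAR), read_efivar(KEK_VAR)
    print("db :", certificate_names(db))
    print("KEK:", certificate_names(kek))
    print("outcome:", classify(db, kek))
```

Because the script reads the subject name from the parsed certificate rather than searching the whole variable as text, a 2023 name that merely appears somewhere in the bytes (for example inside a hash-type entry or a vendor-specific list) is not mistaken for an installed trust anchor, and the db and KEK outcomes line up exactly with the True/False combinations described above.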

🔽 If not, follow the steps below.


Check for firmware updates and install them

sudo fwupdmgr refresh
sudo fwupdmgr get-updates

Install available updates:

sudo fwupdmgr update

Follow the on-screen instructions. For UEFI updates, the system will usually need to reboot to apply the update.

After rebooting, verify again:

mokutil --db | grep -i microsoft

If the certificates are still missing:

  • Contact the helpdesk so that we can see how to assist you
  • Or check yourself whether the system is still supported by the manufacturer