Secure Boot Certificates Are Expiring: How to Use the New Windows Warning Correctly | 2026 Update Guide
If you’ve spotted a small but noticeable alert in your Windows Settings over the past few days, you’re not alone. Microsoft is turning up the heat, but luckily in a helpful way. It’s all about the often-misunderstood Secure Boot. More specifically: the certificates that tell your PC which drivers and bootloaders are trustworthy. These certificates have an expiration date, and for many systems that date is now dangerously close. If you don’t act in time, you could suddenly be staring at a black screen – or worse: a PC that refuses to start Windows.
Why is Windows suddenly warning so loudly?
In the past, you’d only get critical alerts like this hidden in the Event Log – or not at all. With the latest updates (which are now pretty much mandatory for both Windows 11 and 10), Microsoft is changing the rules. The system now proactively tells you: “Hey, your Secure Boot certificates need attention.” The message doesn’t pop up as an annoying ad; it’s neatly integrated into the Windows Security Center. This might sound like a small thing, but it’s actually a huge step forward. Because many users didn’t even know whether their Secure Boot was active in the first place – let alone that the underlying keys become invalid after a few years.
The certificates Microsoft has been shipping since Windows 8 are approaching their end of life. Specifically: older Secure Boot databases (the so-called “db” and “KEK” entries) will no longer be valid after a certain date. Your PC would then block foreign bootloaders or updated hardware drivers – and worst of all, that could happen right after a major Windows update. So the new warning is your lifeline. It appears before disaster strikes and gives you a clear instruction: “Update your BIOS/UEFI now or install the latest cumulative update.”
How to run a Secure Boot Review on your PC
Don’t want to wait for the automatic warning? No problem. Running a manual Secure Boot review is quick and easy. Follow this checklist to make sure your system boots cleanly even after the certificates expire:
- Open System Information: Press Win + R, type msinfo32, and hit Enter. Under “Secure Boot State,” it should say “On.” If it says “Off” or “Supported but disabled,” reboot into UEFI-BIOS (usually by pressing F2 or Delete during startup) and enable the option.
- Check Windows Update: Go to “Settings” > “Windows Update” > “Advanced options” > “Optional updates.” There you’ll often find separate firmware updates that include exactly these certificate renewals. Install anything that mentions “Secure Boot” or “UEFI revocation.”
- Use manufacturer tools: Dell, Lenovo, HP, and others offer their own update assistants. Download the latest BIOS/UEFI image – many devices from 2020 or 2021 already ship with the extended certificates. For older models (2016–2019), you’ll want to pay especially close attention.
After a reboot, run the check in msinfo32 again. If the status still says “On” and no warning message appears, you’re safe. But if you see an error (e.g., “Secure Boot revocation failed”), manually resetting the Secure Boot keys to factory defaults often helps – you’ll find that in the UEFI menu under “Secure Boot > Reset to Setup Mode.”
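The same review can be scripted from an elevated PowerShell prompt. The following is an added example, not code from Microsoft or from this guide: it reads the Secure Boot state and searches the firmware “KEK” and “db” variables for the old and new certificate names. The certificate names and the function name Get-SecureBootCertReport are assumptions that do not appear in the text above.

```powershell
#Requires -RunAsAdministrator
# Added example: report Secure Boot state and which Microsoft certificates
# are present in the firmware KEK and db variables.
# Assumption: the subject names below are the 2011 originals and their 2023 replacements.

$checks = @(
    @{ Var = 'KEK'; Old = 'Microsoft Corporation KEK CA 2011';     New = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Var = 'db';  Old = 'Microsoft Windows Production PCA 2011'; New = 'Windows UEFI CA 2023' },
    @{ Var = 'db';  Old = 'Microsoft Corporation UEFI CA 2011';    New = 'Microsoft UEFI CA 2023' }
)

function Get-SecureBootCertReport {   # hypothetical helper name
    try {
        # Returns $true/$false on UEFI systems; throws on legacy BIOS.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        Write-Warning "Secure Boot state unavailable (legacy BIOS or access denied): $_"
        return
    }
    Write-Host "Secure Boot enabled: $enabled"

    foreach ($c in $checks) {
        try {
            $bytes = (Get-SecureBootUEFI -Name $c.Var -ErrorAction Stop).Bytes
        } catch {
            Write-Warning "Cannot read $($c.Var): $_"
            continue
        }
        # Presence check only: assumes the subject names are stored as
        # ASCII-compatible strings inside the DER-encoded certificates.
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)
        [pscustomobject]@{
            Variable   = $c.Var
            OldCert    = $c.Old
            OldPresent = $text.Contains($c.Old)
            NewCert    = $c.New
            NewPresent = $text.Contains($c.New)
        }
    }
}

Get-SecureBootCertReport | Format-Table -AutoSize
```

A row where OldPresent is True and NewPresent is False marks a variable that still relies only on the expiring certificate. The script only reads the variables and changes nothing in firmware.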
How to use Secure Boot properly – without panic
Many people wonder: “Do I really need to learn how to use Secure Boot? Isn’t regular Windows Defender enough?” Short answer: No. Secure Boot is your first line of defense against rootkits and bootkits – that is, malware that loads even before the operating system. Even if you accidentally plug in an infected USB stick, a properly configured Secure Boot will prevent the malware from hijacking your boot process. Microsoft’s new warning policy isn’t forcing you into complicated maneuvers; it’s giving you a friendly kick in the pants: “Just do it now.”
For power users running dual-boot setups with Linux or other operating systems, the certificate expiration can be annoying. In that case, you’ll either need to manually enroll the new Microsoft keys into your own Secure Boot database (using mokutil on Linux) or temporarily disable Secure Boot – though I only recommend that as a short-term fix. The clean way is: switch to a current distribution that already signs with the fresh Microsoft certificates (Ubuntu 24.04 LTS or Fedora 40+ do this automatically).
One thing is clear: the era of silent certificate expirations is over. Microsoft has finally realized that security shouldn’t be a hidden expert-only discipline. If you see that yellow info box in your Windows Settings over the next few weeks, don’t ignore it. Open it, click “Show details,” and follow the wizard. In most cases, a single reboot followed by an update is all it takes. Your future self – the one who won’t suddenly be staring at a non-booting PC – will thank you.