A lot has been written about Microsoft Windows Secure Boot certificates expiring. But how do you check if your certificates are up to date?
What Is Secure Boot?
Secure Boot was first introduced in Windows 8. Secure Boot is a firmware-level security standard that ensures a computer boots using only trusted, digitally signed software, thereby preventing malicious code like rootkits or bootkits from loading before the operating system starts. It works by verifying the cryptographic signatures of UEFI firmware drivers, EFI applications, and the OS bootloader against a database of trusted keys stored in the system’s NVRAM; if a signature is invalid or missing, the firmware halts the boot process.
While the Secure Boot specification was created by the UEFI Forum and is an open industry standard, Windows 11 requires Secure Boot support and defaults to trusting Microsoft keys. Secure Boot is not generally needed for Linux, but some Linux distributions (such as Ubuntu, Fedora, and Debian) support Secure Boot out of the box. If you dual-boot Windows 11 and Linux, Secure Boot can be added.
So, What’s The Deal With Expired Certificates?
Windows 11 will still boot and run normally if Windows 11 Secure Boot certificates expire, but the system will enter a permanently degraded security state. The PC will continue to install regular Windows updates and operate as expected. But security protections will cease, and Microsoft will stop sending boot-critical updates, including new versions of the Windows Boot Manager and DBX revocation lists, leaving the system exposed to future bootkit malware. Furthermore, there could be future compatibility risks because the system will lose the ability to install new Windows feature updates or run Secure Boot-dependent software, since it can no longer validate new cryptographic signatures. Microsoft explains more about this in this document.
How To Check?
Windows 11 now includes a simple and direct method for checking the Secure Boot certificates.
To get there, open Settings and navigate to Privacy & security -> Windows Security -> Device security.



This opens the Device security panel. Scroll down to the Secure boot section.

This section is strictly informational, but it does provide the answer to whether the certificates are current.
