Secure Boot certificates used by anti-cheat software are set to expire in June but new ones are already in the mail
Secure Boot is a security feature in Windows 11 that ensures your PC is running firmware that's legit, the real deal, to prevent malware and cheats. Unfortunately, the certificates it relies on to carry out this task are expiring in June this year, which has kicked Microsoft into action to start issuing replacements to PCs in need of them via Windows updates.
The latest security update, KB5074109, will start a process of checking whether a PC is using the expiring Secure Boot certificates (2011 CA) and provide the newer certificates (2023 CA) if so.
As Microsoft notes, many existing PCs have these newer certificates already. The CA 2011 certificates are the original Secure Boot certificates and Microsoft recommends OEMs ship the newer CA 2023 certificates with Windows 11 25H2 devices to prevent issues when the older certificates expire.
However, there may still be some machines without the latest certificates, and come June, Secure Boot can no longer be trusted to verify firmware modules if that's still the case.
"Many Windows PCs manufactured since 2024 already have the updated 2023 certificates," Microsoft says in a blog post. "For the remaining devices, Microsoft is delivering new Secure Boot certificates through Windows monthly updates, with partner original equipment manufacturers (OEMs) making firmware updates available to help ensure compatibility."
Secure Boot works by checking the software that runs at boot to ensure it matches trusted certificate authorities (more simply understood as cryptographic keys). It checks drivers, pre-boot applications (EFI programs), bootloaders and the OS itself to ensure they've not been tampered with.
If you're wondering why you should care, Secure Boot is relied on heavily by many game studios' anti-cheat software, such as EA's Javelin, Epic's Easy Anti-Cheat, Activision's Ricochet, and Riot's Vanguard. Much to the chagrin of many gamers, I might add, as anti-cheat software has in the past been linked to system instability. There are also complaints that Secure Boot simply isn't effective, but it has received a thumbs up from many developers, including Battlefield 6's technical director, who told us last year that it was "hugely helpful" in tackling cheaters.
You can check which certificates you have on your machine by using Windows PowerShell. Here's how Dell recommends you do so:
- Open PowerShell as administrator
- Enter: ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
- If your PC has the 2023 certificates, it will display 'True'
- If your PC does not have the 2023 certificates, it will display 'False' and you will need to receive the new certificates via Windows Update.
For the most part, you shouldn't need to do anything yourself. Either you have the new certificates already (quite likely) or you'll receive them soon enough via an automatic update. But it's a good reminder to let your PC update regularly ahead of the June expiry date to avoid any blips.
Also, if you don't have Secure Boot enabled or you're not sure, Steam will tell you in just a couple of clicks.