Microsoft's 2011 Secure Boot Certificates Begin Expiring — What It Means for Windows Users
Microsoft’s three core certificates underpinning the Windows Secure Boot mechanism are entering their expiration phase, with the first certificate reaching end-of-life on June 24, 2026. These certificates, issued in 2011, have served as the trust anchors for verifying the digital signatures of every firmware and software component during the PC boot process. The transition requires migrating the trust chain in system firmware from the 2011-era certificates to a new set issued in 2023.
Microsoft has been proactively pushing the Secure Boot 2023 certificate updates to all eligible Windows 11 and Windows 10 machines ahead of the deadline. If your PC received the June 2026 Patch Tuesday update, no manual action is required. “With this update, Windows quality updates include additional high-confidence device targeting data, expanding the coverage of devices eligible to automatically receive the new Secure Boot certificates,” Microsoft told Windows Latest. “Devices will only receive the new certificates after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.”
The expiration timeline, confirmed by Microsoft’s official documentation and hardware partners including Dell, follows three key dates:
- Microsoft Corporation KEK CA 2011 — expired June 24, 2026
- Microsoft UEFI CA 2011 — expiring June 27, 2026
- Microsoft Windows Production PCA 2011 — expiring October 19, 2026
For everyday users, the certificate expiry is not an immediate boot-breaking event. Devices relying on the old certificates will continue to power on and operate normally, and applications will not experience significant disruptions. Microsoft designed this deadline as a background infrastructure update rather than an abrupt kill switch.
The real danger lies downstream. If a device fails to complete the certificate migration, it will be cut off from receiving future boot-level security patches. Windows will stop updating the Windows Boot Manager, the Secure Boot signature database (DB), and the revocation blacklist (DBX) on un-migrated devices. This leaves hardware defenseless against specialized firmware-level bootkits such as BlackLotus — malware that infects the system before traditional antivirus software even loads.
Secure Boot was designed specifically to counter these boot-level threats, which load before the operating system and most other code, making them exceptionally difficult to detect and remove.
For the majority of users, the fix arrives silently through the monthly Windows Update channel. Windows automatically replaces the old certificates with new ones such as “Microsoft Corporation KEK 2K CA 2023.” New PCs manufactured from 2024 onward already ship with these updated keys pre-installed in the factory. Microsoft began including the capability to apply the Windows UEFI CA 2023 certificate to the Secure Boot allowed signature database (DB) in updates released on and after February 13, 2024.
However, older hardware and self-built PCs may encounter complications. Certain legacy motherboard architectures require a manual BIOS flash to accommodate the larger cryptographic key sizes demanded by the 2023 certificates. Technical observers also note that machines where users bypassed CPU or TPM hardware checks to install Windows 11 exhibit higher update failure rates. Microsoft has explicitly warned that certificates cannot be updated when Secure Boot is disabled.
Enterprise IT administrators are advised to verify update status through Intune monitoring reports and to test the rollout on representative hardware from each device model before broad deployment.
Users can check their device’s Secure Boot status by opening the Windows Security app, navigating to “Device Security,” and examining the status badge under “Secure Boot.” Alternatively, pressing Windows Key + R, typing msinfo32, and pressing Enter will display the “Secure Boot State” in the system information panel.
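For administrators who want a scriptable version of that check, the following PowerShell snippet is an added example (not from the article or from Microsoft) that reads the firmware KEK and DB variables and reports whether the 2023 certificates named above are enrolled. It assumes the built-in SecureBoot module cmdlets (Confirm-SecureBootUEFI, Get-SecureBootUEFI) and an elevated prompt; the function name is my own.

```powershell
# Added example: report which Secure Boot certificates this machine's firmware
# currently trusts. Assumes Windows 10/11 with the SecureBoot module and an
# elevated PowerShell session. Get-SecureBootCertStatus is a name chosen here.

function Get-SecureBootCertStatus {
    # The article notes certificates cannot be updated while Secure Boot is
    # disabled, so that state is reported first. Confirm-SecureBootUEFI throws
    # on legacy-BIOS machines, which we treat as "not enabled".
    $enabled = $false
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $false }

    $result = [ordered]@{
        SecureBootEnabled = $enabled
        Kek2023Present    = $false   # Microsoft Corporation KEK 2K CA 2023
        Db2023Present     = $false   # Windows UEFI CA 2023
        Db2011Present     = $false   # Microsoft Windows Production PCA 2011
    }
    if (-not $enabled) { return [pscustomobject]$result }

    # KEK and DB are EFI_SIGNATURE_LIST blobs containing DER certificates.
    # The CA subject names survive as plain ASCII inside the DER, so a
    # substring search is enough to tell which CAs are enrolled.
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)

    $result.Kek2023Present = $kek.Contains('Microsoft Corporation KEK 2K CA 2023')
    $result.Db2023Present  = $db.Contains('Windows UEFI CA 2023')
    $result.Db2011Present  = $db.Contains('Microsoft Windows Production PCA 2011')
    return [pscustomobject]$result
}

$status = Get-SecureBootCertStatus
$status | Format-List

if (-not $status.SecureBootEnabled) {
    Write-Warning 'Secure Boot is disabled; the certificate update cannot be applied in this state.'
} elseif (-not ($status.Kek2023Present -and $status.Db2023Present)) {
    Write-Warning 'The 2023 KEK and DB certificates are not yet enrolled; verify the device has taken the June 2026 update.'
} else {
    Write-Host 'The 2023 KEK and DB certificates are present in firmware.'
}
```

The 2011 DB entry is expected to remain alongside the 2023 one during the transition, so Db2011Present being true is not by itself a sign that migration failed.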