
Windows 11 Secure Boot Certificates Expire Next Month — Here's What York PC Owners Need to Check

York Computer Repair

Microsoft has issued a fresh warning this week about a June 2026 deadline that affects nearly every Windows 11 PC: the original Secure Boot certificates baked into your motherboard since 2011 are expiring, and computers that don't receive the new 2023 certificates in time will quietly stop getting critical boot-level security updates. The PC will still turn on — but its defenses against bootkit malware will slowly fall behind.

What Secure Boot is, in plain English

Secure Boot is a security standard developed by members of the PC industry to ensure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When your PC starts, the firmware checks the cryptographic signature of each piece of boot software, including UEFI firmware drivers, EFI applications, and the operating system's Boot Manager. In short, it's the first line of defense that stops malware from loading before Windows even starts.

The clock is ticking on one of the most fundamental security architectures inside your PC. In June 2026, the original Secure Boot certificates that have governed Windows hardware since 2011 will officially expire. To prevent millions of PCs from suddenly becoming vulnerable or failing to boot altogether, Microsoft is in the midst of a monumental, multi-year rollout of the new 2023 Secure Boot certificates.

What happens if you miss the deadline

The good news is that your computer won't suddenly stop working. The bad news is that what you lose isn't obvious from looking at the screen. If you ignore the June 2026 Secure Boot certificate deadline, your Windows 11 PC will still boot and run normally, but its security will permanently degrade because Microsoft will stop sending boot-critical updates and malware blacklists (DBX revocation lists).

That matters because bootkit and rootkit malware — the kind that hides below Windows and survives reinstalls — is exactly what those DBX revocation lists are designed to block. A PC missing the new certificates is a PC that won't get the latest 'do not trust this' list as new threats are discovered. If you start seeing unexplained slowdowns, strange behavior at startup, or pop-ups you can't get rid of, that's the kind of infection our malware cleanup service deals with — and it's much harder to fix on a system with degraded boot protections.

How to check your PC right now

You can check Secure Boot status in the Windows Security app. Open Start, type 'Windows Security,' click 'Device security,' then look under 'Secure boot.' If it says it's on, that's a good first step — but it doesn't tell you whether the new 2023 certificates have been applied yet.
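To go one step past the Windows Security screen, the following PowerShell check (an added example, not from Microsoft or part of the original article) reads the Secure Boot `db` and `KEK` variables from firmware and reports whether the 2011 and 2023 certificates are present. The certificate names in `$Expected` are an assumption based on Microsoft's published certificate subject names, and the function name is hypothetical.

```powershell
# Added example: run in an elevated (Administrator) PowerShell window.
# Assumption: the certificate names below are Microsoft's published subject
# names for the 2011 and 2023 Secure Boot certificates; the article does not list them.
$Expected = [ordered]@{
    db  = @{ Old = 'Microsoft Windows Production PCA 2011'; New = 'Windows UEFI CA 2023' }
    KEK = @{ Old = 'Microsoft Corporation KEK CA 2011';     New = 'Microsoft Corporation KEK 2K CA 2023' }
}

function Get-SecureBootCertStatus {
    # Step 1: is Secure Boot enforced at all?
    # This call fails on legacy BIOS machines and in non-elevated sessions.
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        Write-Warning "Secure Boot state could not be read: $($_.Exception.Message)"
        return
    }

    # Step 2: read each firmware variable and search it for the certificate names.
    foreach ($var in $Expected.Keys) {
        try {
            $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
        } catch {
            Write-Warning "Could not read '$var': $($_.Exception.Message)"
            continue
        }
        # Certificate subject names are stored as readable ASCII inside the variable data.
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)
        [pscustomobject]@{
            Variable          = $var
            SecureBootEnabled = $enabled
            Has2011Cert       = $text.Contains($Expected[$var].Old)
            Has2023Cert       = $text.Contains($Expected[$var].New)
        }
    }
}

Get-SecureBootCertStatus | Format-Table -AutoSize
```

A row showing `Has2023Cert` as `False` means that variable has not yet received the new certificate on this machine.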

Recent Windows updates have expanded high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout. Translation: Microsoft is pushing the new certificates out gradually, and not every PC is on the list yet. The best thing you can do today is make sure Windows Update has run successfully and your machine has rebooted recently.

With recent and upcoming Windows updates, a limited number of consumer and business devices might experience one additional restart during installation. This one-time restart occurs after a Secure Boot certificate update is applied as part of the Secure Boot update process. So if your Windows 11 machine reboots twice after an update over the next few weeks, that's expected — don't unplug it mid-process.

Who should pay extra attention

Because this transition directly manipulates the UEFI firmware on your motherboard, it is a highly delicate process. Older Windows 11 PCs, machines that have been offline for months, and computers where Windows Update has been disabled or failing are most at risk of missing the rollout window. Small business owners running a handful of Windows 11 workstations should make sure none of them have been sitting in a back office with updates paused.

If your PC is refusing updates, stuck on a restart loop, or showing UEFI/firmware errors at boot, that's exactly the kind of issue our desktop repair bench handles every week — and it's worth resolving before the June deadline rather than after. The same goes for laptops that won't complete updates because of failing storage or batteries that die mid-install; an SSD upgrade often makes the difference between an update that finishes cleanly and one that fails halfway through.

What This Means for York, PA

If you're a York County resident or small business owner running Windows 11 and you're not sure whether your PC is up to date on Secure Boot certificates, bring it by our shop on Carlisle Road and we'll check the firmware status, run the pending updates, and confirm everything is set before the June deadline. It's a quick walk-in check, not a major repair.
