A 15-year-old piece of Windows security plumbing is about to expire, and most home and small-business PC owners have no idea. On June 24, 2026 — just over two weeks away — the original Microsoft Secure Boot certificates baked into virtually every Windows PC sold since 2012 begin to expire. Your computer won't suddenly stop working, but if it doesn't get the replacement certificates in time, it can quietly lose access to future boot-level security protections.
What's actually expiring
Secure Boot is a UEFI firmware feature that runs before Windows even starts loading. Its job is to verify that the boot loader and early startup components have been signed by a trusted party, so a bootkit or tampered loader can't take control of your PC before Windows wakes up. Stopping malware at this layer is one of the only reliable defenses against boot-level attacks like BlackLotus.
That trust is established through cryptographic certificates stored in your motherboard firmware. The current certificates were issued in 2011 and are now reaching expiration. The Microsoft Corporation KEK CA 2011 expires first on June 24, 2026. The Microsoft UEFI CA 2011 follows days later, with reporting and vendor material placing the date around June 27. The Microsoft Windows Production PCA 2011, the certificate associated with signing Windows boot manager components, reaches its more consequential deadline on October 19, 2026.
Microsoft is replacing them with new 2023-dated certificates, and according to Microsoft engineers speaking during a March 2026 AMA session, the new certificates are valid until 2038.
What happens if your PC misses the deadline
This is not a Y2K-style cliff. If the deadline arrives and your PC is still running on the 2011 certificates, Windows will still boot, Windows Update will still work, and your PC will continue functioning normally.
The damage is slower and quieter. If you haven't installed the new Secure Boot certificate, your PC won't be able to run the latest Windows Boot Manager. Consequently, Microsoft would no longer provide security updates for boot-critical binaries. In addition, your system may no longer receive new DBX blacklists, potentially leaving you exposed to future bootkit malware. You may also find that future Windows feature updates are no longer installable.
In other words, the machine keeps running today, but it slowly turns into a soft target — and eventually it stops getting Windows upgrades altogether. If a bootkit slips in later, you may need professional help to recover files from an infected drive.
How to check your PC in under a minute
In Windows Settings, go to Privacy & Security > Windows Security > Device Security to check your Secure Boot status. If you see a green circle with a white checkmark under "Secure Boot," everything is fine. Your PC is ready for the June 2026 deadline. If you see a yellow or red warning instead, you should read the further information provided.
The Secure Boot section shows a "fully updated" status with a green checkmark icon, a "Not yet updated" status with a yellow warning icon, or a "Requires action" status with a red stop icon.
For most people, no manual action is required. For most users, the needed updates will be delivered automatically through Windows Updates with no user action required. The new Secure Boot database update has been rolled out in phases to devices with Secure Boot enabled since 2024 and will automatically complete the device update before the certificate expires in June 2026.
Who's most at risk
Two groups should pay close attention. First, anyone running Windows 10. Windows 10 devices not in ESU won't get the new Secure Boot certificates. If you're still on Windows 10 and not enrolled in Microsoft's paid Extended Security Updates program, this update won't reach you.
Second, owners of older laptops and desktops. Some older devices may not transition cleanly. Your PC won't suddenly stop working, but over time it could miss important boot-level security protections without you realizing it. Some systems may need an OEM firmware update before they can accept the new certificates. If you have a laptop more than five or six years old and your manufacturer no longer ships BIOS updates, it may be time to think about a replacement — or at least an SSD and RAM upgrade if the rest of the hardware is still solid.
One more wrinkle to be aware of: the new certificate updates were automatically released to supported Windows 11 and active Windows 10 devices in Microsoft's ESU program starting April 2026. After the system update in April, it was noticed that some devices might experience one additional restart during installation. An extra reboot during a recent update is normal and not a sign of a problem.
What This Means for York, PA
If you're a York County home user or small business and you're still on Windows 10 without ESU, or running a laptop that hasn't seen a BIOS update in years, stop by York Computer Repair at 2069 Carlisle Rd and we'll check your Secure Boot status, confirm the 2023 certificates are applied, and flag any hardware that won't make the transition before the June 24 deadline.
Sources
- Your Windows PC has a security deadline in June 2026 (Malwarebytes)
- Microsoft reveals what happens to Windows 11 PCs if you ignore the Secure Boot deadline in June 2026 (Windows Latest)
- Your PC's trust in Windows has an expiration date (PCWorld)
- Is your Windows up to date? Microsoft issues deadline for Secure Boot certificate update (Cybernews)
- Secure Boot Certificate Updates: 2011 to 2023 Trust Change (Windows Forum)
- Windows Secure Boot certificate expiration and certificates updates (ASUS Support)