Windows Secure Boot Certificates Expired June 24 — What York PC Owners Need to Check

A quiet but important security deadline passed yesterday: the original Secure Boot certificates that have protected Windows PCs since 2011 officially began expiring on June 24, 2026. Microsoft has been rolling out replacement 2023-dated certificates through Windows Update for months, but not every PC has received them — and machines that miss the transition will slowly lose access to future boot-level security protections.

What actually expired on June 24

Secure Boot is a firmware feature built into virtually every Windows PC sold since around 2012. It runs before Windows starts loading and verifies that the boot loader and early boot components are signed by a trusted party. That trust is established through cryptographic certificates baked into your motherboard firmware, and the current certificates were issued in 2011 and are now reaching expiration.

The Microsoft Corporation KEK CA 2011 certificate reached its expiration date on June 24, 2026, with the Microsoft UEFI CA 2011 following on June 27. Microsoft is replacing them with a new 2023-dated set of certificates that are valid until 2038.

Will your PC stop working? No — but the risk is real

This is the most important part to understand. An expired Secure Boot certificate does not automatically mean a Windows PC stops booting. Existing signatures do not simply evaporate into invalidity at dawn. Microsoft has been careful to frame the risk as a degraded security state, not universal boot failure.

The real problem is long-term. Microsoft warns that these unupdated endpoints will lose the ability to receive new security protections for the early boot process, effectively halting future updates to the Windows Boot Manager, Secure Boot databases, and critical vulnerability revocation lists. In plain English: your PC will keep running, but over time it will quietly fall behind on the protections that block bootkits and other low-level malware — the kind of infection that often requires a trip to a shop that handles deep malware cleanups because it survives normal antivirus scans.

How to check your PC in 30 seconds

Go to Windows Security > Device Security, and scroll a bit, and you will find the "Secure Boot" section. When it's a "green" check, you're good to go. It will state that Secure Boot is enabled and that all certificates are applied.

A green Secure Boot status in Windows Security is the desired consumer signal, while yellow or red should push users toward Windows Update, OEM firmware updates, and support guidance. If you see yellow or red, run Windows Update first. If that doesn't clear it, you may need a BIOS/firmware update from your PC manufacturer.

Windows 10 users that have not opted into the ESU, as well as a number of Windows 11 users not included in the initial Windows Update wave, may be required to manually apply a BIOS update in order to apply new Secure Boot certificates. Older laptops and desktops are the most likely to need that manual step, and on machines where the manufacturer no longer publishes firmware updates, this is where a local repair shop can help diagnose whether the hardware can still be brought current.

One important warning

Disabling Secure Boot is not a fix for certificate warnings; it trades a maintenance problem for a weaker boot-security posture. Some online guides will tell you to just turn Secure Boot off to make a warning go away — don't. You're removing one of the few defenses that protects your PC before Windows even loads.

What This Means for York, PA

If you're a York-area home user or small business and your Windows Security app is showing a yellow or red Secure Boot status after Windows Update has run, that's the signal to act. Bring the machine to our shop on Carlisle Rd and we can check certificate status, apply the right firmware update for your make and model, and confirm the PC is ready for the next decade of boot-level protections.