On June 24, a foundational layer of security protecting millions of Windows 10 PCs expired, forcing Microsoft to accelerate an automated certificate-renewal push that same day. The Secure Boot certificates that verify the digital signature of bootloaders and other pre‑OS components reached their planned end of life, potentially leaving older machines unable to boot with Secure Boot enabled or to load future operating system features that depend on newer signing keys.

The Certificate Expiry Breakdown

Secure Boot, baked into the UEFI firmware of modern PCs, relies on a chain of digital certificates to ensure that only trusted code runs during startup. When a certificate expires, any component signed by it may be rejected—a safeguard designed to prevent malware from exploiting outdated, compromised signatures.

On June 24, the Windows Production PCA 2011 certificate—one of the key certificates issued by Microsoft to sign third‑party and Microsoft‑authored boot code—reached its expiration date. Simultaneously, another widely distributed certificate, the Microsoft Corporation UEFI CA 2011, also expired, according to Microsoft’s Secure Boot documentation. These events had been on the industry’s radar for years, but the deadline still caught many users and administrators off guard.

In response, Microsoft widened its automatic certificate‑upgrade effort, a program originally launched in late 2023 to proactively seed a new Windows UEFI CA 2023 certificate into system firmware via Windows Update. The upgrade path relies on a servicing stack update (SSU) or cumulative update that pushes the fresh certificate into the firmware’s Secure Boot database, sometimes accompanied by a revocation list update that blocks old, vulnerable bootloaders.

What It Means for You

The practical impact depends on how your PC is configured and how old it is.

For everyday users

If you keep Windows Update enabled and have installed all recent patches, you may already have the new certificate. However, some older machines—particularly those running Windows 10 on hardware that originally shipped with Windows 7 or 8—may not receive the firmware‑level update automatically. In those cases, you could eventually run into two scenarios:

  • Boot failures: After a future OS reinstallation or major Windows update that touches the bootloader, the PC might refuse to start if the old certificate’s signature is no longer accepted.
  • Driver and feature blocks: Components that undergo signing‑key renewal (such as anti‑cheat software or virtualization drivers) may stop loading, causing application failures or system instability.

For IT administrators

Organizations managing fleets of Windows 10 devices need to audit their hardware. Systems that fall outside the automatic certificate‑upgrade roll‑out—often those with older UEFI revisions—will require a manual firmware update from the OEM to inject the 2023 certificate. Microsoft’s deployment tools (WSUS, Configuration Manager) can push the relevant update, but the firmware must be compatible. Some systems from 2015 and earlier lack the necessary capsule‑based update mechanism and will remain stuck on the expiring certificates.

For developers and power users

If you dual‑boot Linux or run custom bootloaders, be aware that the renewed certificate may trigger Secure Boot policy changes. Third‑party boot entries might need to be re‑signed, and any custom key databases (MOKs) should be reviewed for compatibility with the new certificate authority.

How We Got Here

The Secure Boot certificate expiry isn’t a surprise; it’s the culmination of a multi‑year ecosystem challenge. Certificate lifetimes are intentionally limited to mitigate long‑term compromise risks. In 2019, Microsoft updated its driver signing policy, and by 2021, the first wave of Secure Boot certificates was nearing expiration.

A turning point came in August 2022, when a critical vulnerability (BlackLotus) exploited a known weak bootloader, triggering an emergency revocation process. That event underscored the dangers of leaving expired certificates in the trusted store and accelerated Microsoft’s plans to refresh the entire certificate stack. Starting in early 2023, the company began deploying KB4524244‑style updates to revoke vulnerable bootloaders, but those early attempts were bumpy, causing system freezes and rollback. The experience taught Microsoft to phase the rollout and to combine certificate revocation with an automatic installation of replacement certificates.

In September 2023, Microsoft released the Windows UEFI CA 2023 certificate and began seeding it via a servicing stack update (KB5031539 on Windows 11, a later backport on Windows 10). The deployment was gradual, targeting newer hardware first. The June 24 deadline forced an expansion to a broader set of devices, including many that had not yet been offered the update.

What to Do Now

Check whether your system has received the new certificate and take action if it hasn’t.

  1. Verify installed certificates: Open msinfo32 and look under System Summary for a line like “Secure Boot State.” If it says “On,” your firmware is using Secure Boot. Then, from an administrator PowerShell, run:
    Get-SecureBootUEFI -Name db and examine the output for Windows UEFI CA 2023. If you don’t see it, your firmware likely hasn’t been updated.
  2. Install the latest cumulative update: For Windows 10 22H2, ensure you have at least the June 2024 cumulative update (KB5039211 or later). These updates contain the servicing stack that triggers the certificate injection during reboot.
  3. Manually apply the certificate update: If Windows Update doesn’t offer it, download the standalone KB5031539 package (available from the Microsoft Update Catalog) and install it. This is the same update that carries the 2023 certificate, though on some older builds it may require a separate firmware compatibility check.
  4. Check your OEM’s support page: Dell, HP, Lenovo, and others have released firmware patches that embed the 2023 certificate directly. Search your model’s driver download page for a “UEFI Security Update” or “Secure Boot Certificate Update” dated in 2023 or 2024.
  5. Consider your upgrade timeline: If your hardware is no longer supported by the OEM and cannot receive the new certificate, you have two choices: disable Secure Boot (which weakens your pre‑boot security) or plan a migration to a Windows 11‑capable machine that natively trusts the new certificate.

For enterprise environments, Microsoft provides an out‑of‑band Group Policy to control certificate rollout timing and to audit compliance via Windows Defender for Endpoint or Microsoft Intune. The policy can delay the automatic update for up to 365 days, but after that grace period, the revocation of the old certificates becomes mandatory.

Outlook

Microsoft has signaled that this certificate renewal is a stepping stone toward stricter Secure Boot enforcement in upcoming Windows 11 releases and the eventual end of life of Windows 10 in October 2025. As more components migrate to the 2023 signing keys, devices that remain stuck on the 2011 trust chain will increasingly face compatibility hurdles—not just during boot, but also in everyday operations that depend on signed kernel drivers.

The next milestone to watch is the forced revocation of the now‑expired 2011 certificates, which Microsoft expects to push in early 2026 via a broader DBX (forbidden signatures database) update. When that happens, any system that hasn’t installed the 2023 certificate will find its bootloader blocked, effectively bricking the OS installation until Secure Boot is disabled or the firmware is patched.

For Windows 10 users on aging hardware, the clock is ticking. The June 24 expiry is a wake‑up call to verify your device’s Secure Boot health and to ensure you’re not overlooking a critical, if somewhat silent, firmware update that may already be waiting on your system.