On June 24, 2026, the Secure Boot certificate that millions of Windows PCs rely on to verify boot components will expire. This isn't just another Y2K scare or routine patch Tuesday—it's a fundamental change to the trust chain that decides whether your computer actually starts when you press the power button. If you've been ignoring those persistent "firmware update" notifications, now is the time to pay attention.
What Is Secure Boot, and Why Does a Certificate Expiration Matter?
Secure Boot is a security standard built into the Unified Extensible Firmware Interface (UEFI)—the modern replacement for the old BIOS. Before Windows even begins to load, Secure Boot checks the digital signature of every piece of boot software against a database of certificates stored in your PC's firmware. Only code signed by a trusted authority runs. The star of the show is the Microsoft Windows Production PCA 2011 certificate, a root-of-trust that has been validating bootloaders, drivers, and OS components since Windows 8 debuted in 2012.
That certificate is set to expire on June 24, 2026. When a certificate expires, UEFI firmware that validates certificate lifetimes may reject any software signed with it—including Windows Boot Manager. The practical result: your PC could get stuck in a boot loop, throw a BitLocker recovery prompt, or simply refuse to start. Not every system enforces certificate expiration dates in exactly the same way, but Microsoft and OEMs are treating this as a hard deadline because once revocation updates ship, expired signatures will be blocked outright.
The Certificate in Question: Microsoft Windows Production PCA 2011
To understand the scope, you need to know which certificate is expiring. It's the "Microsoft Windows Production PCA 2011" with thumbprint 61 03 2f 9a 85 5e 14 ae 0e 6e 18 1c 1d e2 3a 9c b4 3d 80 63. This certificate sits in the Secure Boot "db" (signature database) on virtually every UEFI-based Windows PC sold in the last decade. It validates the boot manager, the OS loader, and any third-party UEFI drivers that have been signed by Microsoft.
Microsoft has already created a replacement certificate—often referred to as "Microsoft Windows UEFI CA 2023" or a similar name—and has been rolling it out through both Windows Update and OEM firmware updates. The new certificate has a validity period extending well into the 2030s, ensuring that systems updated before June 2026 can continue to boot without interruption.
What Microsoft Is Doing: A Multi-Year Rollout
This isn't a sudden emergency. Microsoft started laying the groundwork in 2022, and the process has accelerated with a series of updates that modify the UEFI Secure Boot configuration.
In July 2023, Microsoft released KB5025885, a critical update that introduced a new Secure Boot certificate to the firmware's signature database and set the stage to revoke older, vulnerable boot managers. This update added the new CA certificate to the "db" and placed the expiring certificate on a path to eventual revocation through the "dbx" (revocation list). Since then, a series of monthly security updates have refreshed the revocation list, blacklisting boot components with known vulnerabilities like BlackLotus.
A subsequent update, often packaged within cumulative updates for Windows 10 (version 22H2) and Windows 11 (all versions), ensures that the new certificate is fully trusted. For example, KB5034161 and later cumulative updates include the Secure Boot database changes. The exact KB number depends on your Windows edition and patch level, but if you've kept Windows Update active, you likely already have the new certificate onboard.
Microsoft has also worked with OEMs—Dell, HP, Lenovo, ASUS, Acer, and others—to push UEFI firmware updates that embed the new certificate directly into the SPI flash. These updates are often delivered through Windows Update as "Firmware" entries, but some older motherboards may require manual installation from the vendor's support site.
Who Is Affected—and Who Isn't
Not every Windows PC is in the danger zone. Here's a quick breakdown:
- Affected: Any UEFI-based system running Windows 8, 8.1, 10, or 11 with Secure Boot enabled and using the original 2011 certificate. This includes most consumer laptops, desktops, and tablets sold since 2012. Custom-built PCs with Secure Boot enabled are equally at risk if the motherboard firmware hasn't been updated.
- Not affected: Legacy BIOS systems (no Secure Boot at all), systems where Secure Boot is intentionally disabled, and those that have already received a full firmware update containing the replacement certificate. Virtual machines typically rely on host-provided Secure Boot certificates, so they'll inherit whatever the hypervisor uses.
- Dual-boot caution: If you run Linux alongside Windows, the Linux bootloader (e.g., GRUB) is often signed by Microsoft's CA. Those signatures will also be considered expired after June 2026 unless the distribution ships an updated signed binary. Distributions like Ubuntu and Fedora have been preparing, but users should ensure they're running the latest bootloader updates.
What Happens If You Do Nothing?
Let's paint the worst-case scenario. It's June 25, 2026. Your Windows PC has just received the final Secure Boot revocation update—the one that explicitly revokes the expired 2011 certificate. The UEFI firmware checks the signature database, sees that the certificate used to sign Windows Boot Manager is no longer valid, and halts the boot process.
You'll likely see one of these behaviors:
- A plain text message saying "Boot Device Not Found" or "Secure Boot Violation."
- A BitLocker recovery screen demanding a 48-digit recovery key.
- An automatic repair loop that never resolves.
Recovery isn't impossible—you can often disable Secure Boot in the UEFI settings to regain access, but that disarms a major security boundary and may leave you vulnerable to bootkits. Enterprises with BitLocker-encrypted drives could face wide-scale helpdesk calls and data access challenges if recovery keys aren't readily available.
What Users Need to Do Now
The good news: you have time, and the steps aren't complicated. The bad news: some of these steps require manual intervention, especially on older hardware.
1. Install all pending Windows updates, including optional ones
Open Settings → Windows Update, and click "Check for updates." Install everything listed. If you see an optional update with "Secure Boot" or "DBX" in the description, install it. Many of the critical Secure Boot database updates are classified as "Security" or "Critical" updates, so they should be offered automatically. On Windows 10, make sure you're on at least version 22H2 with the latest cumulative update. On Windows 11, any supported version (22H2, 23H2, 24H2) will do, as long as updates are current.
2. Check for firmware updates from your OEM
Some PCs require a firmware (UEFI/BIOS) update to permanently store the new certificate. Visit your PC manufacturer's support website—Dell SupportAssist, HP Support Assistant, Lenovo Vantage, or the ASUS support page—and scan for updates. Look for any that mention "Secure Boot," "UEFI," or "Certificate update." If you built your own PC, check the motherboard vendor's site for the latest UEFI firmware dated 2024 or later.
3. Verify the new certificate is present
You can confirm whether your system trusts the replacement certificate using Windows PowerShell. Open an elevated PowerShell prompt and run:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes) -match 'Windows UEFI CA 2023'
Get-SecureBootUEFI returns the raw signature database as bytes; the command above converts them to text and searches for the subject name of the replacement certificate, so it prints True when the "Windows UEFI CA 2023" certificate is present. If you see True, you're in good shape. If it prints False, you need to escalate firmware or update installations.
4. For IT administrators
If you manage a fleet, this is a high-priority project. Use tools like Microsoft Intune, WSUS, or ConfigMgr to audit which devices have the new certificate. You can also deploy a custom script that checks the Secure Boot configuration. Test updates on a representative sample of hardware models before broad rollout. Ensure your BitLocker recovery key escrow is working—this is your safety net if something goes wrong.
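The quick check in step 3 and the fleet-audit script suggested in step 4 can be covered by one script that parses the db variable's EFI_SIGNATURE_LIST entries and reports each X.509 certificate's subject, thumbprint and expiry date. This is an added example, not the article's or Microsoft's code; it assumes an elevated PowerShell session on a UEFI system and uses the PCA 2011 thumbprint quoted earlier in the article.

```powershell
# Added example (not from the article or Microsoft): walk the Secure Boot "db"
# variable's EFI_SIGNATURE_LIST entries and report every X.509 certificate.
# Assumes an elevated PowerShell session on a UEFI system.
$EFI_CERT_X509_GUID = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
# Thumbprint of the expiring Microsoft Windows Production PCA 2011 (from the article).
$PCA2011_THUMBPRINT = '61032F9A855E14AE0E6E181C1DE23A9CB43D8063'

function Get-SecureBootDbCertificates {
    param([string]$Variable = 'db')
    $bytes  = (Get-SecureBootUEFI -Name $Variable).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16), ListSize(4), HeaderSize(4), SignatureSize(4)
        $sigType  = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list: stop instead of looping
        if ($sigType -eq $EFI_CERT_X509_GUID) {
            $pos = [int]($offset + 28 + $hdrSize)
            $end = [int]($offset + $listSize)
            while ($pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the DER-encoded certificate
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                }
                $pos = [int]($pos + $sigSize)
            }
        }
        $offset = [int]($offset + $listSize)
    }
}

$certs = @(Get-SecureBootDbCertificates)
$certs | Sort-Object NotAfter | Format-Table NotAfter, Subject, Thumbprint -AutoSize

$hasNew = $certs | Where-Object { $_.Subject -match 'Windows UEFI CA 2023' }
$hasOld = $certs | Where-Object { $_.Thumbprint -eq $PCA2011_THUMBPRINT }
if ($hasNew) { 'OK: replacement Windows UEFI CA 2023 is trusted by this firmware.' }
else         { 'ACTION NEEDED: replacement certificate missing; install pending Windows and OEM firmware updates.' }
if ($hasOld -and -not $hasNew) { 'WARNING: boot validation still depends only on the expiring PCA 2011 certificate.' }
```

For a fleet audit, wrap the final status lines in a result object and collect them through Intune, ConfigMgr or your inventory tool of choice; the NotAfter column also shows directly which trust anchors expire before June 2026.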
5. Consider disabling Secure Boot as a last resort
If your hardware vendor has abandoned your device and you can't find a firmware update, you may have to disable Secure Boot entirely. This will allow the PC to boot after the revocation takes effect, but it significantly reduces pre-boot security. Only do this if you fully understand the trade-offs, and consider upgrading to a supported PC instead.
Timeline and Key Dates
Microsoft has not published a public document with a step-by-step timeline, but the cadence has been clear from the update releases:
- Mid‑2023: Initial Secure Boot DB update (KB5025885) adds replacement certificate and prepares revocation path.
- Late‑2023 through 2025: Monthly cumulative updates continue to refresh the revocation list and distribute the new certificate to more devices.
- Early‑2026: Expected final push to revoke the expiring certificate via the DBX. Some users may see revocation warnings in Windows Defender System Guard if their firmware is not updated.
- June 24, 2026: The Microsoft Windows Production PCA 2011 certificate expires. Systems that have not added the replacement certificate and are still using the expired one for boot validation will be unable to boot after the DBX revocation is applied.
What About Windows 10 End of Support?
Windows 10 reaches end of support on October 14, 2025—less than a year before the certificate expiration. You might wonder if this is just another reason to upgrade to Windows 11. The Secure Boot certificate issue is independent of the OS version: Windows 10 PCs that remain in use after October 2025 will face the same UEFI expiration if they're not updated. So if you plan to keep a Windows 10 machine past its support date (perhaps as an air-gapped system or with a paid Extended Security Updates license), you absolutely must still apply the firmware and Windows updates needed to trust the new certificate.
Common Myths and Misconceptions
“My PC is old, so it doesn't use Secure Boot.” If it shipped with Windows 8 or later, it almost certainly has UEFI and Secure Boot-capable firmware, even if Secure Boot is currently disabled. Check your System Information (msinfo32.exe) to see if your BIOS mode is UEFI and whether Secure Boot is listed.
“I never enabled Secure Boot, so I'm safe.” You're safe from boot failures, but you're also missing a key security layer. If you ever enable Secure Boot in the future on an unupdated system, you'll immediately hit the certificate issue.
“Microsoft will just push an emergency update last minute.” They've been pushing updates for over a year. The certificate expiration is not a surprise; it's been baked into the certificate's validity period since 2011. The updates that add the new certificate are already widely available. Waiting until the last minute risks being caught without critical firmware levels, especially if your OEM has stopped providing updates for your model.
What If You Run Into a Boot Failure After June 2026?
If the worst happens and your PC refuses to boot, here's a quick recovery plan:
1. Enter the UEFI firmware settings (usually by pressing F2, F10, Del, or Esc during power-on).
2. Locate the Secure Boot option (often under the "Security" or "Boot" tab) and temporarily disable it.
3. Save and exit; your PC should now boot Windows normally.
4. Once inside Windows, immediately install any missing updates and OEM firmware. Then re-enter UEFI settings, re-enable Secure Boot, and verify the new certificate is present before rebooting.
5. If BitLocker is enabled, you'll need your recovery key. Have it stored safely—print it, save it to a USB drive, or keep it in your Microsoft account.
The Bottom Line: Update Today, Avoid Tomorrow's Headache
Microsoft's Secure Boot certificate expiration is a planned, known event with a clear mitigation path. The fact that the industry has known about it for over a decade doesn't make it less urgent for the millions of users who rarely think about UEFI until their PC won't start. For most, the fix is as simple as installing current updates and hitting “Check for updates” a couple of times.
But for those with older hardware, neglected firmware, or dual-boot setups, the time to act is now. IT administrators should treat this with the same rigor as a Y2K-style remediation project: inventory, audit, update, and verify. When June 24, 2026 passes, a working PC should be a non-event—not a scramble for recovery keys.