Microsoft’s original Secure Boot certificates expire in June 2026. For millions of Windows PCs shipped over the past decade, this looming deadline could mean being locked out of the operating system entirely if firmware and software updates aren’t applied in time.
Secure Boot is a critical security feature that ensures only trusted code runs during the boot process. Embedded in the UEFI firmware of modern PCs, it relies on digital certificates to verify the signatures of bootloaders and operating system components. The primary certificate used to sign Windows boot managers—the Microsoft Windows Production PCA 2011—was issued in 2011 and carries a 15-year validity. Its expiration on June 18, 2026, isn’t a surprise, but the complexity of updating firmware across an entire ecosystem means many devices could be caught off guard.
What is Secure Boot and Why Do Certificates Expire?
Secure Boot is part of the Unified Extensible Firmware Interface (UEFI) specification. When enabled, the firmware checks each piece of code loaded during startup against a database of approved signatures (the “db”) and a revocation list (“dbx”). If the signature is valid and hasn’t been revoked, the boot proceeds; otherwise, the system halts to prevent malicious code from executing.
Certificates are at the heart of this trust model. Microsoft’s Production PCA 2011 certificate has been used to sign Windows boot loaders since Windows 8. Like all digital certificates, it has an expiration date. Once expired, the certificate is no longer considered valid for signature verification. Firmware implementations may vary, but many UEFI firmwares will refuse to boot any binary signed with an expired certificate, even if the binary itself hasn’t changed. This is a standard security practice: expired certificates are not trusted, just as an expired driver’s license isn’t accepted.
The June 2026 Deadline: Which Systems Are Affected?
The expiration directly affects any PC that:
- Has Secure Boot enabled in its UEFI firmware.
- Has the Microsoft Windows Production PCA 2011 certificate in its UEFI signature database.
- Does not have a newer, unexpired certificate that can validate the Windows boot loader.
This encompasses nearly all Windows PCs shipped with Windows 8, 8.1, 10, and 11. The impact is not limited to a specific Windows version; it’s a firmware-level issue. Even if a PC is upgraded to Windows 11, the underlying UEFI firmware may still rely on the 2011 certificate unless it has been updated.
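As an added illustration (not code from the article or from Microsoft), the following PowerShell script checks a single machine against the three criteria above. It uses the built-in Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets and walks the EFI_SIGNATURE_LIST structures inside the firmware's "db" variable to list every X.509 certificate it holds together with its expiry date. The subject string for the replacement certificate is taken from the article's name for it and is an assumption here; adjust it to the subject your OEM's firmware update actually installs. It must be run from an elevated session on a UEFI system, since the Secure Boot cmdlets throw on legacy-BIOS machines.

```powershell
# Added example (not from the article): check this PC against the three
# criteria for being affected by the 2026 certificate expiry.
# Requires an elevated PowerShell session on a UEFI system.

# Subject strings to look for. The 2011 name is the certificate the article
# discusses; the replacement name is the article's and is an assumption here.
$OldCaPattern = 'Windows Production PCA 2011'
$NewCaPattern = 'Windows Production PCA 2024'
$EfiCertX509  = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootDbCertificate {
    # Walk the EFI_SIGNATURE_LIST structures in a Secure Boot variable and
    # return each embedded X.509 certificate with its expiry date.
    param([string]$Name = 'db')
    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset -lt $bytes.Length) {
        # EFI_SIGNATURE_LIST: SignatureType(16) SignatureListSize(4)
        # SignatureHeaderSize(4) SignatureSize(4) [header] [signatures...]
        $sigType  = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -le 0) { break }                  # guard against a malformed list
        $listEnd  = $offset + $listSize
        if ($sigType -eq $EfiCertX509) {
            for ($p = $offset + 28 + $hdrSize; $p + $sigSize -le $listEnd; $p += $sigSize) {
                # EFI_SIGNATURE_DATA: SignatureOwner(16) followed by the DER certificate
                $der  = [byte[]]$bytes[($p + 16)..($p + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
        $offset = $listEnd
    }
}

$secureBootOn = Confirm-SecureBootUEFI
$dbCerts      = Get-SecureBootDbCertificate -Name db
$dbCerts | Sort-Object NotAfter | Format-Table Subject, NotAfter, Thumbprint -AutoSize

$hasOld = [bool]($dbCerts | Where-Object Subject -like "*$OldCaPattern*")
$hasNew = [bool]($dbCerts | Where-Object Subject -like "*$NewCaPattern*")

"Secure Boot enabled : $secureBootOn"
"PCA 2011 in db      : $hasOld"
"Replacement CA in db: $hasNew"
if ($secureBootOn -and $hasOld -and -not $hasNew) {
    "RESULT: all three criteria match; install the OEM firmware update that adds the new certificate."
} elseif (-not $secureBootOn) {
    "RESULT: Secure Boot is off; update the firmware, then re-enable Secure Boot."
} else {
    "RESULT: a replacement certificate is present in db; boot managers signed with it will keep verifying."
}
```

Because each certificate's NotAfter field is read straight from the DER data, the table also shows the real expiry dates of whatever other Microsoft and OEM certificates the firmware ships, not only the two named here, which makes it a useful first check before going to the manufacturer's support site for a firmware update.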
Enterprise environments face additional complexity. Custom Secure Boot policies, third-party UEFI drivers, and multi-boot configurations could all break if not tested and updated. Systems running older Linux distributions alongside Windows might also be affected if their bootloaders depend on the same expiring certificate chain.
Risks of Inaction: Boot Failures and Recovery Challenges
If the certificate expires and no action has been taken, the most likely outcome is a boot failure. The UEFI firmware will reject the Windows boot manager, displaying a “Secure Boot violation” error or simply refusing to boot. For the average user, this translates to a system that won’t start, potentially requiring a visit to a repair shop or a call to IT support.
For managed enterprise fleets, a widespread boot failure could be catastrophic—hundreds or thousands of machines simultaneously unable to start. And if BitLocker drive encryption is in use, the recovery process becomes even more involved: booting from a recovery drive may require the BitLocker recovery key, which users often don’t have readily available. In the worst case, data could be lost if recovery steps aren’t followed carefully.
It’s important to note that simply disabling Secure Boot isn’t a valid long-term workaround. Windows 11 requires Secure Boot to be enabled for installation and optimal security. Turning it off weakens the system’s resistance to bootkits and rootkits. Furthermore, many enterprise security baselines mandate Secure Boot, and disabling it could violate compliance requirements.
What Microsoft Is Doing to Mitigate the Issue
Microsoft has been preparing for this expiration for years. The company has already distributed a new certificate—the Microsoft Windows Production PCA 2024—via Windows Update and partner channels. This new certificate has a validity that extends well into the 2030s. The Windows boot manager has been dual-signed with both the 2011 and 2024 certificates, ensuring that a PC with either certificate in its firmware will boot successfully.
The critical piece is the firmware update. PC manufacturers must release UEFI firmware updates that include the new 2024 certificate in the trusted signature database. Many major OEMs have already started rolling out these updates labeled as “critical” or “security.” However, the patch landscape is uneven: older models might never receive an update, and third-party motherboard vendors for custom-built PCs may lag behind.
Microsoft has also released a servicing stack update for Windows 10 and Windows 11 that applies the new certificate to the operating system’s boot configuration. However, this update alone is insufficient; the firmware must still recognize the new certificate. In an advisory, Microsoft stresses that both a Windows update and a firmware update from the OEM are required.
Step-by-Step: How to Prepare Your PC or Enterprise
A proactive approach is essential. The following steps can help ensure a smooth transition.
For Home Users
- Keep Windows Updated: Enable automatic updates and ensure you have the latest cumulative update installed. Microsoft will push the necessary OS-side certificate through Windows Update well before June 2026.
- Check for Firmware Updates: Visit your PC manufacturer’s support website. Download and install any available UEFI/BIOS updates, especially those marked as critical or security-related. For laptops, OEM tools like Dell SupportAssist, Lenovo Vantage, or HP Support Assistant can automate this.
- Verify Secure Boot Status: Go to Start > Settings > Update & Security > Recovery (on Windows 10) or System > Recovery (on Windows 11) and check if Secure Boot is enabled. Alternatively, run msinfo32 and look for “Secure Boot State.” It should say “On.”
- Back Up Your BitLocker Recovery Key: If you use BitLocker, ensure you have your recovery key saved in a safe place—print it, store it in your Microsoft account, or save it to a USB drive. This is crucial in case you need to recover from a boot failure.
For IT Administrators
- Audit Your Fleet: Use tools like Microsoft Endpoint Manager, Configuration Manager, or third-party asset management to inventory all devices and their current UEFI firmware versions. Identify models that are out of support from the OEM.
- Test Firmware Deployments: Before a wide rollout, test firmware updates on a representative set of hardware. Pay special attention to devices with custom UEFI drivers or specialized boot configurations.
- Deploy Firmware Updates at Scale: Leverage management solutions to push firmware updates. Some OEMs provide tools that integrate with WSUS or Configuration Manager. For example, Dell Command Update can deploy UEFI updates silently.
- Update Boot Images and Recovery Media: If you use PXE boot or custom Windows PE images for deployment, ensure they are signed with the new certificate. Otherwise, such images may fail to boot post-expiration.
- Plan for the Worst: Have BitLocker recovery procedures documented and ensure help desk staff know how to guide users through recovery. Create a contingency plan for devices that cannot be updated (e.g., legacy systems that must run an older OS).
- Monitor Microsoft’s Guidance: Microsoft will likely issue a detailed technical advisory as the date approaches. Keep an eye on the Windows release health dashboard and security notifications.
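One way to carry out the audit and contingency-planning steps together, as an added example rather than anything from the article or from an OEM management tool: a PowerShell Remoting probe that records, for each machine, the manufacturer and model, firmware version and release date, Secure Boot state, whether the 2011 certificate and its replacement are present in the firmware's "db", and whether the OS volume has a BitLocker recovery-password protector. Machines that have Secure Boot on, the 2011 certificate present and no replacement are flagged as needing a firmware update. The host names, the output path and the replacement certificate's subject string (taken from the article) are assumptions; WinRM must be enabled and the caller needs administrative rights on the targets.

```powershell
# Added example (not from the article): inventory Secure Boot readiness across a
# fleet with PowerShell Remoting. Assumes WinRM is enabled and the caller has
# admin rights on the targets. Host names and output path are placeholders.
$Targets = @('WS-0001', 'WS-0002', 'WS-0003')         # constructed placeholder names
$OutFile = "$env:TEMP\secureboot-readiness.csv"       # assumed output location

# Subject strings to look for; the replacement name is the article's and is an
# assumption here. Adjust it to the subject your OEM's firmware update installs.
$OldCaPattern = 'Windows Production PCA 2011'
$NewCaPattern = 'Windows Production PCA 2024'

$Probe = {
    param($OldCaPattern, $NewCaPattern)
    $bios = Get-CimInstance Win32_BIOS
    $cs   = Get-CimInstance Win32_ComputerSystem

    # Secure Boot state; Confirm-SecureBootUEFI throws on legacy-BIOS machines
    $secureBoot = try { Confirm-SecureBootUEFI } catch { 'Unsupported' }

    # Presence of the old and new CA in "db": certificate subject strings are
    # visible as ASCII inside the DER-encoded certificates stored there
    $dbText = try {
        [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    } catch { '' }

    # BitLocker: is a recovery-password protector present on the OS volume?
    $osVol = try { Get-BitLockerVolume -MountPoint $env:SystemDrive } catch { $null }
    $recoveryProtector = if ($osVol) {
        [bool]($osVol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    } else { $null }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Manufacturer      = $cs.Manufacturer
        Model             = $cs.Model
        FirmwareVersion   = $bios.SMBIOSBIOSVersion
        FirmwareDate      = $bios.ReleaseDate
        SecureBoot        = $secureBoot
        HasOldCa          = $dbText -match [regex]::Escape($OldCaPattern)
        HasNewCa          = $dbText -match [regex]::Escape($NewCaPattern)
        BitLockerStatus   = if ($osVol) { $osVol.ProtectionStatus } else { 'N/A' }
        RecoveryProtector = $recoveryProtector
    }
}

$results = Invoke-Command -ComputerName $Targets -ScriptBlock $Probe `
    -ArgumentList $OldCaPattern, $NewCaPattern -ErrorAction SilentlyContinue

# Secure Boot on + old CA present + no replacement CA = needs an OEM firmware update
$results |
    Select-Object Computer, Manufacturer, Model, FirmwareVersion, FirmwareDate,
        SecureBoot, HasOldCa, HasNewCa, BitLockerStatus, RecoveryProtector,
        @{ n = 'NeedsFirmwareUpdate'
           e = { $_.SecureBoot -eq $true -and $_.HasOldCa -and -not $_.HasNewCa } } |
    Sort-Object NeedsFirmwareUpdate -Descending |
    Export-Csv -Path $OutFile -NoTypeInformation

Write-Host "Readiness report written to $OutFile"
```

Unreachable hosts are simply absent from the CSV (the call uses -ErrorAction SilentlyContinue), so compare the report against the asset inventory to find machines that were not probed. A machine with BitLocker on but no recovery-password protector is one where a boot failure after the expiry would be hardest to recover from, so those rows deserve attention before any firmware rollout.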
The Bigger Picture: Future-Proofing Secure Boot
The 2026 expiration is a wake-up call for the industry. Secure Boot certificates shouldn’t be treated as permanently embedded; they have lifecycles that demand active management. Microsoft is moving toward a model where certificates are updated more frequently, possibly reducing the blast radius of future expirations. This episode also underscores the importance of UEFI firmware as a critical piece of the security stack—one that doesn’t always get the same level of attention as OS patches.
For end users and organizations, this is a perfect time to review their hardware lifecycle management. Systems so old that they can’t receive firmware updates are likely out of support for other reasons and pose a broader security risk. If a PC can’t be updated to trust the new certificate, it’s a strong signal that it’s time to replace that hardware.
Act Now to Avoid a Lockout
Two years may seem like a comfortable buffer, but firmware updates don’t move as fast as software patches. Manufacturers need time to develop, test, and distribute updates. IT departments need time to validate and deploy. And consumers need to be aware that a simple Windows Update isn’t enough. The June 2026 Secure Boot certificate expiration is a predictable, solvable problem—but only for those who prepare. Start checking for firmware updates today, and you’ll sail past the deadline without a hiccup.