The clock is ticking for millions of Windows PCs. The original Secure Boot certificates that Microsoft issued in 2011, the trust anchors UEFI firmware uses to verify that a machine boots only signed software, start expiring in June 2026. Systems that still trust only those certificates will stop receiving security updates to their boot components, and boot media signed under the replacement certificates will refuse to start on them. For users who never hear about the change, the first symptom may be a recovery or reinstall that fails with a signature error.
This isn't a distant theoretical problem. The deadline is baked into the certificates themselves, which sit in the UEFI variables of essentially every PC shipped with Windows 8 or later. Microsoft, OEMs, and IT administrators are already moving devices onto the replacement certificates issued in 2023. For individual users the fix may be as simple as installing a Windows Update or a firmware update. For enterprise fleets it is a sizeable compliance project.
Here’s what’s happening, who’s affected, and exactly what you need to do before June 2026.
The Certificate Countdown: What’s Actually Expiring?
Secure Boot relies on a chain of trust stored in UEFI variables. The Platform Key (PK), owned by the OEM, authorizes changes to the Key Exchange Key database (KEK); a KEK authorizes updates to the signature database (DB) and the forbidden-signature database (DBX); and the DB holds the certificates that boot loaders, UEFI drivers and option ROMs must chain to. When Microsoft introduced Secure Boot with Windows 8 in 2012, it shipped three certificates: the "Microsoft Corporation KEK CA 2011" in the KEK, the "Microsoft Windows Production PCA 2011" in the DB (it signs the Windows boot manager), and the "Microsoft Corporation UEFI CA 2011" in the DB (it signs third-party binaries such as Linux shims and option ROMs). The KEK CA and the third-party UEFI CA expire in June 2026; the Windows Production PCA 2011 follows in October 2026.
These aren't optional. The DB certificates are what the firmware uses to verify the Windows boot manager, a Linux shim or a peripheral's option ROM, and the KEK is what authorizes Microsoft to push DB and DBX updates (new trusted signers and revocations). Expiry does not stop an already-installed boot chain: UEFI firmware has no trusted clock and does not evaluate certificate validity dates, so a machine that boots today keeps booting after the expiry date. The problem is everything that must be signed afterwards. Once the 2011 CAs expire, new boot managers, DBX revocations and KEK-authorized updates can no longer be issued under them, so a device that trusts only the 2011 certificates stops receiving boot-level security fixes, and boot media signed under the 2023 CAs fails signature verification on it.
Microsoft saw this coming. In 2023 it issued replacement CAs: the "Microsoft Corporation KEK 2K CA 2023" for the KEK, the "Windows UEFI CA 2023" for Windows boot components, and the "Microsoft UEFI CA 2023" (plus a separate "Microsoft Option ROM UEFI CA 2023") for third-party binaries, all valid until 2038. The goal is to have every device trust the 2023 certificates before the 2011 ones expire. A certificate swap is not a flipped switch, though: the KEK update must be signed by each OEM's PK, the DB update must be authorized by a KEK the firmware already trusts, and Windows, firmware and boot media all have to move together.
Who Is at Risk?
Virtually any PC that shipped with Windows 8, 8.1, 10 or early Windows 11 may still trust only the 2011 certificates. That's hundreds of millions of devices. Upgrading to Windows 11 does not fix this by itself: the certificates live in the firmware's UEFI variables, not in the OS, and they get there either through a firmware update or through a signed variable update that Windows applies on the OEM's behalf.
Specifically, affected machines fall into three categories:
- Older PCs never updated: Systems that have received neither a firmware update nor the Windows-delivered DB/KEK update likely hold only the 2011 certificates. Because the KEK update must be signed with the manufacturer's Platform Key, a device whose manufacturer no longer supports it may never get one.
- Devices with OEM customizations: Some manufacturers already ship both the 2011 and 2023 certificates. Others have been slow to produce PK-signed KEK updates or firmware images that enroll the new ones. Without the 2023 certificates enrolled, the PC is stuck on an unserviceable boot chain after 2026.
- Virtual machines and dual-boot setups: VMs that emulate UEFI and use Secure Boot default to the hypervisor's bundled certificate store. If the virtual firmware isn't updated, those guests won't accept 2023-signed boot components either. Linux dual-booters are affected too: an existing shim signed under the 2011 third-party CA keeps booting, but future shims signed under the Microsoft UEFI CA 2023 will be rejected unless that certificate is in the DB.
Windows 10’s end of support in October 2025 adds another wrinkle. Many users hanging onto Windows 10 will be running on aging hardware that may never see a firmware refresh. By mid-2026, those PCs could be doubly obsolete.
The Immovable Deadline: Why June 2026 Can’t Be Extended
The expiration date is part of the certificate itself; no patch can extend the 2011 certificates' validity. The only fix is to stop relying on them: enroll the 2023 certificates in the KEK and DB (through a firmware update from the OEM, or through the PK-signed KEK update and KEK-authorized DB update that Windows Update delivers on supported devices) and move to boot components signed under the new chain.
“This isn’t like a driver where you can just push a Windows Update,” explains a Microsoft engineer who spoke on background. “The firmware has to trust the new certificate before the old one expires. You can’t do it after the fact because the machine won’t boot.”
Microsoft’s official guidance, published in a knowledge base article updated in early 2025, confirms that the company is working with OEMs to distribute firmware updates that include the 2023 certificates. It also notes that the Windows 11 2023 Update (version 22H2 Moment 4 and later) includes logic to handle the transition gracefully when firmware is updated.
What Happens If You Ignore It?
Nothing dramatic happens on the day the certificates expire: firmware does not check validity dates, so a PC still trusting only the 2011 certificates boots exactly as before. The consequences arrive over the following months:
- No more boot-component security updates. Microsoft has said that devices without the 2023 certificates will stop receiving updates for the boot manager and DBX revocations. Any future Secure Boot bypass found in boot components stays unpatched on those machines.
- New media and boot managers fail to boot. Installation media, recovery media and Windows boot managers signed only by the Windows UEFI CA 2023 fail signature verification on firmware that lacks that certificate. The symptom is the firmware's "Secure Boot Violation" screen or a Windows boot error such as 0xc0000428 ("Windows cannot verify the digital signature for this file"). A user can disable Secure Boot to get past it, which discards the security guarantee and, on an encrypted drive, triggers BitLocker recovery.
- BitLocker recovery prompts. BitLocker's TPM protector is normally sealed to PCR7, which measures the Secure Boot policy and the certificates in use. Any change to that state, whether disabling Secure Boot or applying a certificate update without suspending BitLocker first, produces a recovery-key prompt. For organizations without key escrow, that can mean data loss.
- Provisioning failures. Devices managed by Windows Autopilot or Intune may fail to provision or reimage if the deployment relies on 2023-signed boot images the firmware does not yet trust.
The bottom line: an unmitigated PC keeps running, but it is frozen on an unserviceable boot chain and cannot be reinstalled or recovered from current media without switching Secure Boot off.
The Path Forward: How IT Admins Can Prepare
Enterprise IT teams have less than 18 months to inventory, plan, and deploy updates. Several steps are essential:
1. Audit Your Fleet
Identify which systems still trust only the 2011 certificates. Windows Management Instrumentation (WMI) and System Center Configuration Manager (SCCM) can query Secure Boot status, and for devices enrolled in Intune a custom compliance policy can flag machines that aren't ready yet. The Secure Boot cmdlets built into Windows read the DB and KEK variables directly; each of these lines returns True once the corresponding 2023 certificate is enrolled:
[Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes) -match 'Windows UEFI CA 2023'
[Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name kek).Bytes) -match 'Microsoft Corporation KEK 2K CA 2023'
(Run these from an elevated PowerShell prompt; Get-SecureBootUEFI throws on legacy BIOS systems or where Secure Boot is unsupported.)
2. Contact Your Hardware Vendors
Firmware updates containing the 2023 certificate are the primary remediation. Major OEMs like Dell, HP, Lenovo, and Microsoft’s own Surface line have published firm plans to update supported models. Dates vary, but most have committed to releasing updates by late 2025. IT shops should track vendor bulletins and integrate firmware updates into their standard deployment cycles.
3. Update Operating System and Boot Media
Windows 11 22H2 with current cumulative updates already carries the servicing logic for the 2023 certificates. The critical piece is that the Windows boot manager (bootmgfw.efi) and the OS loader move from the Windows Production PCA 2011 signature to one from the Windows UEFI CA 2023, and the firmware must trust that CA before such a boot manager is installed. Microsoft has begun signing boot files with the 2023 key, but many environments use custom boot images for deployment, recovery or dual-boot. Every bootable USB drive, ISO or PXE image needs to be rebuilt with Windows ADK components that carry the new signature, and 2023-signed media should only be sent to devices whose DB already contains the 2023 certificate.
4. Handle BitLocker Carefully
If a firmware or certificate update changes the Secure Boot state, BitLocker's TPM protector (sealed to PCR7 among other registers) no longer unseals and the system asks for a recovery key. Make sure recovery keys are escrowed, ideally in Active Directory or Microsoft Entra ID, before pushing updates, and suspend BitLocker for the reboot that applies the change. Some vendors' firmware tools suspend BitLocker automatically; verify that before relying on it.
5. Test, Test, Test
The worst-case scenario is a mass rollout that leaves a subset of machines unbootable. Build a representative lab, apply the firmware update and Windows patches together, and verify that Secure Boot stays on, that the 2023 certificates appear in DB and KEK, and that BitLocker doesn't lock you out.
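The audit, BitLocker and verification steps above come together in the following PowerShell pre-flight script. It is an added example written for this article, not Microsoft's or any OEM's tooling. It uses only built-in cmdlets (Confirm-SecureBootUEFI, Get-SecureBootUEFI, Get-BitLockerVolume, Suspend-BitLocker); the registry key HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing and its UEFICA2023Status value are assumed from Microsoft's servicing documentation and the check works without them; the output field names and the -PrepareForFirmwareUpdate switch are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added pre-flight check for the 2023 Secure Boot certificate rollout (illustrative example,
# not Microsoft's or an OEM's script). Reads the firmware db and KEK variables, reports which
# Microsoft CAs are enrolled, checks that BitLocker can survive a firmware or certificate
# update, and emits single-line JSON, the shape an Intune custom compliance discovery
# script returns. Assumptions are marked below.
param(
    [switch]$PrepareForFirmwareUpdate,       # suspend BitLocker for exactly one reboot
    [string]$MountPoint = $env:SystemDrive   # BitLocker volume to check, e.g. 'C:'
)

function Get-SecureBootVariableText {
    # Return the raw variable bytes as ASCII so certificate subject names can be searched;
    # the DER-encoded subjects carry the CN as plain ASCII text.
    param([Parameter(Mandatory)][string]$Name)   # 'db', 'dbx' or 'kek'
    try   { [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Name).Bytes) }
    catch { '' }   # legacy BIOS/CSM or no Secure Boot support: nothing enrolled
}

function Test-SecureBootCertReadiness {
    $enabled = $false
    try { $enabled = [bool](Confirm-SecureBootUEFI) } catch { }   # throws when Secure Boot is unsupported

    $db  = Get-SecureBootVariableText -Name 'db'
    $kek = Get-SecureBootVariableText -Name 'kek'

    # Assumption: Windows records its own servicing progress in this key (value UEFICA2023Status);
    # the key may be absent on builds that predate the certificate servicing logic.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
                            -ErrorAction SilentlyContinue

    [ordered]@{
        SecureBootEnabled      = $enabled
        Db_WindowsUEFICA2023   = ($db  -match 'Windows UEFI CA 2023')                    # signs Windows boot manager
        Db_MicrosoftUEFICA2023 = ($db  -match 'Microsoft UEFI CA 2023')                  # signs shim, option ROMs
        Kek_MsKEK2KCA2023      = ($kek -match 'Microsoft Corporation KEK 2K CA 2023')    # authorizes db/dbx updates
        Db_WindowsPCA2011      = ($db  -match 'Microsoft Windows Production PCA 2011')   # expiring, October 2026
        Kek_MsKEKCA2011        = ($kek -match 'Microsoft Corporation KEK CA 2011')       # expiring, June 2026
        WindowsServicingStatus = $(if ($svc -and $svc.UEFICA2023Status) { [string]$svc.UEFICA2023Status } else { 'Unknown' })
    }
}

function Test-BitLockerReadiness {
    param([string]$MountPoint)
    try   { $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop }
    catch { return [ordered]@{ BitLockerPresent = $false; ProtectionOn = $false } }
    $tpm = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
    $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    [ordered]@{
        BitLockerPresent    = $true
        ProtectionOn        = ($vol.ProtectionStatus -eq 'On')
        TpmBound            = ($tpm.Count -gt 0)   # TPM protectors seal to PCR7, which changes with Secure Boot policy
        HasRecoveryPassword = ($rp.Count -gt 0)
        RecoveryKeyIds      = (($rp | ForEach-Object { $_.KeyProtectorId }) -join ',')
    }
}

$sb = Test-SecureBootCertReadiness
$bl = Test-BitLockerReadiness -MountPoint $MountPoint

# Flatten both results into one report. "Ready" means Secure Boot is on and both 2023 trust
# anchors are present; the 2011 entries can legitimately remain alongside them.
$report = [ordered]@{}
foreach ($h in @($sb, $bl)) { foreach ($k in $h.Keys) { $report[$k] = $h[$k] } }
$report['ReadyFor2026']         = [bool]($sb.SecureBootEnabled -and $sb.Db_WindowsUEFICA2023 -and $sb.Kek_MsKEK2KCA2023)
$report['SafeToUpdateFirmware'] = [bool]((-not $bl.ProtectionOn) -or $bl.HasRecoveryPassword)

if ($PrepareForFirmwareUpdate -and $bl.ProtectionOn) {
    if (-not $bl.HasRecoveryPassword) {
        throw "Refusing to suspend BitLocker on ${MountPoint}: no recovery password protector to fall back on."
    }
    # A one-reboot suspension lets the TPM reseal against the new PCR7 value instead of prompting for the key.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    $report['BitLockerSuspended'] = $true
}

$report | ConvertTo-Json -Compress
```

Run it elevated on a lab machine first. Without the switch it only reports; with -PrepareForFirmwareUpdate it suspends BitLocker for the single reboot that applies the firmware or certificate update, and it deliberately refuses to do so when the volume has no recovery password protector, because that is exactly the machine you cannot get back into if the TPM fails to reseal. The JSON line can be consumed as-is by an Intune custom compliance rule keyed on ReadyFor2026, or collected by SCCM or any inventory tool that runs scripts.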
What End Users Should Do
For the average Windows user, the path is simpler—but still requires attention:
- Keep Windows Update on and install optional firmware updates. Starting in late 2024 or early 2025, Windows Update has begun delivering applicable firmware patches as optional updates for supported hardware. Don’t ignore them. Eventually they’ll be marked critical.
- Check for manual firmware updates. Visit your PC manufacturer's support website, enter your serial number, and look for a BIOS/UEFI update released in 2023 or later. Read the release notes; if they mention a Secure Boot certificate or CA update, "Windows UEFI CA 2023" or "Microsoft Corporation KEK 2K CA 2023", install it.
- For older PCs, consider an upgrade. If your manufacturer no longer provides firmware updates (common for systems older than 5–6 years), you may be out of luck. Disabling Secure Boot is a workaround, but it weakens security. The safer bet is to migrate to a modern PC that already trusts the 2023 certificate.
- BitLocker users: back up your recovery key. Before any firmware change, save your BitLocker recovery key to a safe place—a Microsoft account, a USB drive, or printed out. You can find it in Windows by searching for “Manage BitLocker.”
Microsoft has indicated that new PCs shipped from mid-2023 onward should already carry the 2023 certificates in firmware, so recent buyers can rest easier. Still, double-check: msinfo32 (System Information) shows "Secure Boot State" and "PCR7 Configuration", which confirm that Secure Boot is on and that BitLocker can bind to it, but it does not list which certificates are enrolled. For that, use the PowerShell check from the audit step in the admin section above.
The Linux and Dual-Boot Angle
Linux distributions that support Secure Boot boot through a "shim" signed by Microsoft's third-party UEFI CA, which then loads GRUB or another bootloader. Shims already on disk, signed under the Microsoft Corporation UEFI CA 2011, keep booting after expiry, but shims signed under the Microsoft UEFI CA 2023 require that certificate in the firmware DB. Major distributions such as Ubuntu, Fedora and openSUSE have begun releasing updated shims; LTS releases with older boot stacks may lag. Dual-booters should follow their distribution's advisories and confirm that the firmware trusts the 2023 third-party CA before the updated shim lands.
For custom Linux installations there is another route: replace Microsoft's certificates entirely with your own PK, KEK and DB keys and sign the bootloader and kernel yourself. A Machine Owner Key (MOK) alone does not achieve that; MOK lets shim trust your own kernels and modules, but shim itself still has to be signed by Microsoft's third-party CA. Owning the whole key hierarchy is an advanced option that gives you full control, with the caveat that option ROMs signed by Microsoft's CAs (GPUs, NICs) will no longer load unless you add those certificates back to the DB.
Virtualization and Cloud Scenarios
Hypervisors also need attention. VMware, Hyper-V and VirtualBox emulate UEFI firmware that ships with its own Secure Boot certificate store. Cloud instances with Secure Boot enabled (for example Azure Trusted Launch VMs or EC2 instances booted with UEFI Secure Boot) depend on the provider's virtual firmware. Providers are expected to update those UEFI images, but customers using custom VM templates, or generation 2 Hyper-V VMs whose Secure Boot template was fixed at creation, should verify that the guest's DB and KEK contain the 2023 certificates.
Microsoft’s own Windows 365 Cloud PCs and Azure Virtual Desktop session hosts will be automatically updated by the service, but admins running on-premises VDI should plan accordingly.
Microsoft’s Strategy: A Phased Rollout
Microsoft isn’t leaving this entirely to chance. The company is taking a three-pronged approach:
- Firmware pushes via Windows Update: In collaboration with OEMs, firmware updates that enroll the 2023 certificate are delivered through Windows Update as “firmware” updates. These are initially optional, then recommended, and eventually critical as the deadline nears.
- OS-level awareness: Windows 11 22H2 and later can detect the presence of the 2023 certificate in firmware. If it’s missing, Windows may display health warnings in the Windows Security app or via the Update Health Tools.
- Boot loader re-signing: Microsoft is methodically re-signing Windows boot files with the 2023 certificate so that once the firmware trusts the new root, the entire chain works.
A leaked internal Microsoft timeline suggests that by October 2025, all Windows Update-delivered firmware updates will include the certificate. After the Windows 10 retirement, the focus shifts entirely to Windows 11 machines.
Potential Pitfalls to Avoid
Beware of these common missteps:
- Assuming a clean Windows installation fixes it: A fresh OS install does not change the certificates in the firmware's DB and KEK. Those are updated by the Windows-delivered Secure Boot servicing or by a separate BIOS/UEFI update; reinstalling without either leaves you where you started.
- Relying on the "disable Secure Boot" escape without BitLocker preparation: Turning Secure Boot off changes PCR7, so a TPM-bound BitLocker volume demands its recovery key at the next boot. Without an escrowed key, your data is locked.
- Mixing old and new boot media: Media signed only under the Windows UEFI CA 2023 will not boot on a PC whose DB lacks that certificate, and once a PC has revoked the 2011 Windows signing certificate through a DBX update, media signed only under the 2011 chain stops booting there. Rebuild all media, and keep one set per trust state until the fleet is uniform.
- Ignoring the deadline due to “it’s still a year away”: Supply chain and scheduling delays can turn a year into weeks. For enterprise, firmware update rollouts often take months of testing.
Industry Impact: More Than Just Windows
The Secure Boot certificate expiry also touches peripheral firmware: UEFI drivers in option ROMs and network boot agents are signed under the Microsoft Corporation UEFI CA 2011. Those already installed keep loading, but new option ROM firmware will be signed under the Microsoft Option ROM UEFI CA 2023, which a device must carry in its DB before it will accept a firmware update for a third-party RAID controller, graphics card or enterprise network card. Device manufacturers are on the hook to reissue those images, but not all will.
For example, a niche industrial PC running an embedded version of Windows might still have a 2011-era UEFI driver for a CAN bus or data acquisition card. If the vendor no longer exists, the customer could be stuck. Such scenarios are rare but underline the far-reaching nature of the certificate lifecycle.
The Clock Is Ticking
There is no cause for panic yet, but with every passing month the deadline gets closer. Microsoft has been here before: the Windows 10 Digital Rights Management (DRM) certificate expiration in 2020 broke some legitimate media playback until patches arrived. The Secure Boot expiry is orders of magnitude bigger, because it sits under the boot process itself.
For the Windows community, this is a call to action. If you value your system’s integrity, treat that “firmware update” notification with the same seriousness as a critical security patch. If you manage a fleet, start planning now. By the time June 2026 arrives, the only people caught off guard will be those who didn’t read the expiration date printed on their digital trust.
Even if you’re a casual user, spend ten minutes this week. Check your PC manufacturer’s site. Run Windows Update. Back up your BitLocker key. The cost of inaction is a machine that says “no” to the very operating system you rely on.