A 2011-era Microsoft Secure Boot trust chain used by most Windows PCs starts expiring on June 24, 2026, and systems that miss the 2023 replacement certificates will lose access to future boot-level security fixes. The hardest cases are older PCs that need OEM firmware support and unsupported Windows 10 machines outside Extended Security Updates, according to Notebookcheck.
The devices will not suddenly stop booting. That is the critical distinction. But a PC stuck on expired Secure Boot certificates will no longer be able to receive new Secure Boot database updates, certificate revocation lists, or patches for newly found vulnerabilities in the boot chain.
Windows PCs hit the first Secure Boot certificate deadline on June 24
Microsoft Corporation KEK CA 2011 expires first, on June 24. Two more 2011 certificates follow: Microsoft UEFI CA 2011 on June 27, and Microsoft Windows Production PCA 2011 on October 19.
That October certificate signs the Windows bootloader itself, making it the more consequential date for long-term boot integrity. The practical question for users is simple: has the machine actually received the 2023 certificate chain?
| Certificate | Expiration date | Why it matters |
|---|---|---|
| Microsoft Corporation KEK CA 2011 | June 24, 2026 | Supports updates to Secure Boot trust databases |
| Microsoft UEFI CA 2011 | June 27, 2026 | Trusts UEFI components and boot-related code |
| Microsoft Windows Production PCA 2011 | October 19, 2026 | Signs the Windows bootloader itself |
Secure Boot verifies the signatures on firmware components and bootloaders against the certificates the firmware trusts before Windows starts. That matters because malware at this layer can run before the operating system and many security tools are fully active.
Microsoft began rolling out 2023 replacement certificates through Windows Update in January and has advanced the rollout with monthly updates, including this month’s KB5089549, according to the source material.
Windows 11 users mostly get the fix through Windows Update
Supported Windows 11 builds are being updated automatically. For many consumer devices, the required work is routine: install current Windows updates and let Microsoft’s certificate rollout complete.
Microsoft’s own support guidance says the expiry does not turn a PC into a brick. The operating system continues to start, and standard Windows updates continue to install.
“If your device reaches the expiration date without the new certificates, it will still start and operate normally. Standard Windows updates will continue to install,” Microsoft Support says.
The loss is narrower, but more dangerous: no new security protections for the early boot process. Microsoft says that includes updates to Windows Boot Manager, Secure Boot databases and revocation lists, and fixes for newly discovered vulnerabilities in the boot chain.
For readers tracking Windows security risk more broadly, MLXIO has also covered YellowKey Bypasses BitLocker, Microsoft Has No Patch. This Secure Boot certificate deadline is a separate issue, but both sit near the same high-value boundary: what can be trusted before Windows is fully running.
Older hardware turns OEM firmware into the choke point
Some systems cannot complete the transition with Windows Update alone. The source material says older hardware may require a matching OEM firmware update, because the new certificate chain must be anchored directly in UEFI firmware.
That makes PC makers part of the deadline. If a manufacturer has stopped issuing firmware updates for a device, that machine may remain on the 2011 certificates even after Windows installs what it can.
The owner’s question becomes harder: is the missing piece Windows, firmware, or both?
Microsoft’s guidance is to apply the latest update, verify certificate status using its support documentation, and contact OEM support if the 2023 certificates do not appear on a fully updated system. Notebookcheck points users to KB5062710 for Microsoft’s explanation of the expiration and next steps.
Microsoft also warns against the wrong workaround:
“Secure Boot should not be disabled to work around certificate expiration. Disabling Secure Boot significantly reduces device protection, removes safeguards against boot‑level malware, and can create new security and compliance risks.”
That warning matters because boot-level exploits have targeted this layer before. The source specifically cites BlackLotus as an example of malware aimed at the boot path.
Windows 10 machines outside ESU face the cleanest cutoff
The starkest software boundary is Windows 10. Users outside the Extended Security Updates program will not receive the new certificates and have no remediation path from June 24 onward, according to the source material.
That does not mean the PC stops working. It means the system can age into a state where future firmware-level protections cannot be applied through Microsoft’s Secure Boot update path.
A useful checklist is short:
- Install: Apply current Windows updates, including the latest cumulative update available for the device.
- Verify: Open Windows Security, select Device Security, and check the Secure Boot section.
- Check firmware: Review the PC maker’s support page for BIOS or UEFI updates.
- Escalate: Contact OEM support if the system is fully updated but still lacks the 2023 certificates.
- Do not disable Secure Boot: Microsoft explicitly advises against using that as a workaround.
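One way to work through the Verify and Escalate steps from an elevated PowerShell prompt, as an added example that is not from the article or from Microsoft's documentation. It reads the firmware's KEK and db variables with the built-in SecureBoot module and searches them for certificate subject names; the 2023 names are the ones Microsoft ships as replacements and are an assumption here, since the article only names the 2011 certificates.

```powershell
# Added example: report which Secure Boot certificates the firmware currently trusts.
# Requires an elevated prompt on a UEFI system. The strings must match each
# certificate's subject CN as embedded in the DER data, which is why the
# third-party 2011 CA appears as 'Microsoft Corporation UEFI CA 2011' rather
# than the article's shorthand 'Microsoft UEFI CA 2011'.
$expected = @{
    'KEK' = @('Microsoft Corporation KEK CA 2011',
              'Microsoft Corporation KEK 2K CA 2023')            # assumed 2023 name
    'db'  = @('Microsoft Windows Production PCA 2011',
              'Windows UEFI CA 2023',                             # assumed 2023 name
              'Microsoft Corporation UEFI CA 2011',
              'Microsoft UEFI CA 2023')                           # assumed 2023 name
}

function Get-SecureBootCertReport {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines and returns $false
    # when Secure Boot is turned off in firmware.
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $null }
    if ($null -eq $enabled) { Write-Warning 'Secure Boot not supported (legacy BIOS?)'; return }
    if (-not $enabled)      { Write-Warning 'Secure Boot is disabled; listing certificates anyway' }

    foreach ($var in $expected.Keys) {
        # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST bytes; certificate
        # subject names survive as plain ASCII inside the DER-encoded certificates.
        $text = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $var).Bytes)
        foreach ($name in $expected[$var]) {
            [pscustomobject]@{ Variable = $var; Certificate = $name; Present = $text.Contains($name) }
        }
    }
}

$report = Get-SecureBootCertReport
$report | Format-Table -AutoSize

# Escalation test from the checklist: a fully updated system with no 2023 certificates
# is the case where the missing piece is OEM firmware rather than Windows.
if ($report -and -not ($report | Where-Object { $_.Certificate -like '*2023*' -and $_.Present })) {
    Write-Warning 'No 2023 certificates present; check the OEM firmware page or contact OEM support.'
}
```

The script only reports; it does not modify any Secure Boot variable, so it is safe to run on a production machine before deciding whether a firmware update is needed.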
This is also not the kind of Windows update story users can judge from visible UI changes. For contrast, our coverage of Windows 11 Taskbar Finally Escapes Its 5-Year Lockdown dealt with something users can see immediately. Secure Boot certificate status is buried deeper, and failure is measured in missing future protections rather than a broken desktop.
October is the date that raises the stakes
June 24 starts the expiration sequence. October 19 is the date to circle because Microsoft Windows Production PCA 2011 signs the Windows bootloader itself.
Between now and then, the watch item is whether Microsoft and OEMs identify more devices that need firmware updates before they can complete the certificate transition. The risk is not mass boot failure. It is a quieter split between PCs that can keep receiving boot-layer defenses and PCs stranded on an expiring trust chain.
Impact Analysis
- Affected PCs will still boot, but may stop receiving future Secure Boot database updates and boot-chain security fixes.
- Older systems may depend on OEM firmware updates to adopt the 2023 replacement certificate chain.
- Unsupported Windows 10 machines outside Extended Security Updates face higher long-term exposure to boot-level vulnerabilities.