PCWorld reports that Windows 11 PCs face a critical security deadline when Secure Boot certificates expire in June 2026, potentially compromising system protection.
PCs with outdated certificates may lose boot-critical updates, malware blacklists, and could experience boot failures or become unable to install future Windows feature updates.
Microsoft is rolling out new certificates to replace the current ones from 2011, and users should ensure their systems receive these updates to maintain security.
Microsoft has clarified what will happen to Windows 11 PCs if Secure Boot certificates are not updated before they expire in June 2026.
Secure Boot is a security standard developed by the PC industry. It ensures a device boots only with software trusted by the original equipment manufacturer (OEM).
Every time a PC starts, the firmware checks the cryptographic signature of each boot component, including those tied to certificates issued in 2011. Only after those checks pass is the Windows Boot Manager allowed to load.
When the existing Secure Boot certificates expire, millions of Windows PCs could be affected. In some cases, systems may become less secure. In more extreme scenarios, they could fail to boot properly.
To prevent this, Microsoft has begun rolling out new certificates.
New Secure Boot certificates
The delivery of the new 2023 Secure Boot certificates is not a simple update, as they directly interact with the UEFI hardware on your computer’s motherboard.
“Microsoft must transfer the new 2023 certificates into the firmware, replace the boot manager with a version signed using the new keys, and finally revoke trust in the old certificates,” Windows Latest explains.
Microsoft has already set up a new Secure Boot folder on Windows PCs for this purpose.
What happens if you don’t update
To explain the consequences, Microsoft organized a Q&A session with Principal Security Engineer Arden White, Principal Software Architect Scott Shell, and Group Engineering Manager Richard Powell. Windows Latest took part in the session and summarized the findings. According to their report, the consequences for Windows PCs with outdated or expired Secure Boot certificates can be summarized as follows:
“If you ignore the Secure Boot certificate deadline in June 2026, your Windows 11 PCs would likely still start and run normally, but system security may be permanently compromised as Microsoft will no longer provide boot-critical updates and malware blacklists (DBX blocklists). You can check the Secure Boot status in the Windows Security app.”
If you haven’t installed the new Secure Boot certificate, your PC won’t be able to run the latest Windows Boot Manager. Consequently, Microsoft would no longer provide security updates for boot-critical binaries. In addition, your system may no longer receive new DBX blacklists, potentially leaving you exposed to future bootkit malware. You may also find that future Windows feature updates are no longer installable.
Things to keep in mind
Very old computers that still rely on BIOS rather than UEFI are generally not affected by this issue and will not receive the update. Microsoft also notes that it is normal for Windows PCs to restart several times during the installation of new Secure Boot certificates. Existing BitLocker encryption does not need to be disabled.
The new 2023 Secure Boot certificates are valid through 2038.
How to check the status of your Windows PC
In Windows Settings, go to Privacy & Security > Windows Security > Device Security to check your Secure Boot status. If you see a green circle with a white checkmark under “Secure Boot,” everything is fine. Your PC is ready for the June 2026 deadline.
If you see a yellow or red warning instead, you should read the further information provided.
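For administrators who prefer a scriptable check over the Windows Security app, the following added example (not from the original article or from Microsoft) reads the firmware's Secure Boot variables from an elevated PowerShell session and reports whether the 2011 and 2023 certificates are present. The certificate subject names are the ones Microsoft has published for these certificates and do not appear in the article; treat them as assumptions, and note that `Test-SecureBootVariable` is a helper name made up for this example.

```powershell
# Added example: run in an elevated PowerShell session on the PC being checked.
# Certificate subject names are assumptions taken from Microsoft's published
# naming for the 2011 and 2023 certificates; they are not in the article.
$expected = @{
    db  = @{ Old = 'Microsoft Windows Production PCA 2011'; New = 'Windows UEFI CA 2023' }
    KEK = @{ Old = 'Microsoft Corporation KEK CA 2011';     New = 'Microsoft Corporation KEK 2K CA 2023' }
}

function Test-SecureBootVariable {
    param([string]$Name, [string]$Old, [string]$New)
    # The variable holds binary signature lists; certificate subject names are
    # embedded as readable text, so a substring search is sufficient here.
    $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    [pscustomobject]@{
        Variable    = $Name
        Has2011Cert = $text.Contains($Old)
        Has2023Cert = $text.Contains($New)
    }
}

try {
    # Throws on legacy BIOS systems and in non-elevated sessions.
    $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    Write-Output "Secure Boot state could not be read: $($_.Exception.Message)"
    return
}
Write-Output "Secure Boot enabled: $enabled"

$results = foreach ($name in 'db', 'KEK') {
    Test-SecureBootVariable -Name $name -Old $expected[$name].Old -New $expected[$name].New
}
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Has2023Cert }) {
    Write-Output 'At least one variable lacks a 2023 certificate: the update has not been fully applied.'
} else {
    Write-Output '2023 certificates found in db and KEK.'
}
```

A `True` in the `Has2011Cert` column alongside the 2023 entry is expected while both generations of certificates are still trusted.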
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.