
Microsoft's Original Windows Secure Boot Certificate Is Expiring
Why It Matters
Expired certificates break the chain of trust: endpoints keep booting, but they can no longer receive new boot-level protections (signed DB and DBX updates), which raises the risk of bootkit-assisted ransomware. Prompt updates are essential for enterprise security and compliance across Windows 10, 11, and ESU‑covered systems.
Key Takeaways
- Original Windows Secure Boot certificates expire June 24, 2024.
- Microsoft urges all pre‑2024 PCs to install 2023 certificates.
- Enterprise staged updates mean missing the patch leaves systems vulnerable.
- New certificates enhance root‑of‑trust and improve CA segmentation.
- Windows Security app now displays Secure Boot certificate status.
Pulse Analysis
Secure Boot, introduced by Microsoft nearly 15 years ago as part of the UEFI firmware standard, has become the foundational trust anchor for modern Windows devices. By verifying cryptographic signatures of boot loaders, drivers and firmware before the operating system starts, it blocks UEFI bootkits such as BlackLotus and MoonBounce. The original certificate chain, issued in 2011, has underpinned this protection for a generation of PCs. Over time, Microsoft has refreshed the signing keys, most recently in 2023, to strengthen the root of trust and extend certificate longevity.
The upcoming expiration of the 2011 Secure Boot certificates on June 24, 2024 creates a narrow window for organizations to update their firmware signing keys. Without the refreshed 2023 certificates, Windows endpoints will still boot, but they will be unable to receive future updates to the UEFI DB and DBX databases, effectively disabling a critical line of defense against boot‑level malware. Enterprise environments, which typically stage Windows updates to avoid disruption, must now incorporate the certificate rollout into their patch calendars. Small‑business and consumer PCs that rely on automatic updates are less exposed, yet many remain on legacy hardware that lacks the new keys.
Microsoft is easing the transition by adding a Secure Boot status indicator to the Windows Security app and planning automated notifications for administrators. IT teams should start by inventorying devices, confirming OEM firmware support, and deploying the 2023 certificates via existing management tools such as SCCM or Intune. For Windows 10 machines enrolled in the Extended Security Update program, the refresh is still available, but devices outside the program will lose Secure Boot functionality over time. Proactive compliance not only preserves the hardware‑based trust model but also aligns with regulatory expectations for baseline cybersecurity controls.
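The inventory step above is easier to automate than to do by hand. The following PowerShell check is an added example, not code from the article or from Microsoft: it reads the UEFI db and KEK signature databases with the built-in SecureBoot module and reports whether the 2011 and 2023 Microsoft CAs are enrolled, exiting non-zero when no 2023 CA is present so it can serve as a detection script in an SCCM or Intune compliance baseline. The certificate subject strings are the names Microsoft publishes for these CAs; the article itself only refers to "2011" and "2023" certificates.

```powershell
#Requires -RunAsAdministrator
# Added inventory check (not from the article). Requires an elevated prompt and the
# built-in SecureBoot module (Confirm-SecureBootUEFI / Get-SecureBootUEFI).

# Subject names as published by Microsoft for the Secure Boot CAs (assumed, not on the page).
$expected = @{
    db  = @('Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023',
            'Microsoft Corporation UEFI CA 2011',    'Microsoft UEFI CA 2023',
            'Microsoft Option ROM UEFI CA 2023')
    KEK = @('Microsoft Corporation KEK CA 2011',    'Microsoft Corporation KEK 2K CA 2023')
}

function Get-SecureBootCaStatus {
    try {
        if (-not (Confirm-SecureBootUEFI)) {
            Write-Warning 'Secure Boot is disabled on this device.'
            return
        }
    } catch {
        # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI firmware.
        Write-Warning "Secure Boot not supported: $($_.Exception.Message)"
        return
    }
    foreach ($var in $expected.Keys) {
        # db/KEK hold EFI_SIGNATURE_LISTs of DER certificates; the X.509 subject
        # common names are stored as ASCII, so a substring match is sufficient here.
        $text = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $var).Bytes)
        foreach ($ca in $expected[$var]) {
            [pscustomobject]@{ Variable = $var; CA = $ca; Present = $text.Contains($ca) }
        }
    }
}

$status = Get-SecureBootCaStatus
$status | Format-Table -AutoSize

# The condition the article warns about: only 2011 CAs enrolled, so the device will
# stop receiving DB/DBX updates once those certificates expire.
$has2023 = $status | Where-Object { $_.CA -like '*2023*' -and $_.Present }
if ($status -and -not $has2023) {
    Write-Warning 'No 2023 Secure Boot CA found in db/KEK: schedule the certificate update.'
    exit 1
}
exit 0
```

Run it per device through your management tool and collect the exit code; a non-zero result marks a machine still waiting for the 2023 certificate rollout.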