Windows Secure Boot Certificates Set to Expire in June – Here's What It Means for Your PC
Why It Matters
The expiration creates a security gap for unpatched PCs, potentially exposing them to boot‑level malware. Applying the update protects the integrity of the early boot process across the Windows ecosystem.
Key Takeaways
- Microsoft’s 2011 Secure Boot certificates expire in June 2024.
- New UEFI CA 2023 keys roll out via Windows Update.
- Devices lacking updates remain functional but miss latest boot‑level protections.
- Windows 11 PCs built after 2024 ship with new certificates.
- Legacy BIOS machines cannot receive Secure Boot updates.
Pulse Analysis
Secure Boot has become a cornerstone of Windows device integrity, establishing a cryptographic chain of trust from firmware to the operating system. By verifying digital signatures of every boot component, it blocks unauthorized code from executing before the OS loads. The 2011 certificates that underpin this trust are reaching the end of their validity, prompting Microsoft to replace them with the UEFI CA 2023 set. This transition mirrors broader industry moves toward rotating keys to mitigate long‑term exposure and to align with evolving threat landscapes.
Microsoft’s rollout strategy leverages Windows Update to push the new certificates automatically to eligible machines, simplifying deployment for most users. Devices manufactured after 2024 already ship with the updated keys, while older hardware receives them through firmware updates supplied by OEMs. Users can verify their status via the Windows Security app, and the process is largely transparent. However, systems still running legacy BIOS firmware lack the necessary UEFI interface, rendering them ineligible for Secure Boot altogether and leaving them dependent on other protection layers.
The practical impact is twofold: first, PCs that miss the update will continue to receive regular security patches but will be unable to benefit from the latest boot‑level defenses, increasing susceptibility to bootkits and firmware rootkits. Second, OEMs must ensure firmware compatibility and timely distribution of updates to avoid a fragmented security posture. Enterprises should audit their device inventories, prioritize updates for critical assets, and consider migration paths for legacy machines. Proactive compliance with the new certificates will preserve the trusted boot environment that underpins Windows security.
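For the inventory audit described above, the following PowerShell sketch reports which certificate generation a machine's Secure Boot variables currently hold. It is an added example, not code from the article or from Microsoft. It assumes an elevated session and uses the certificate subject names Microsoft publishes for the 2011 and 2023 sets, which the article itself does not list.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session.
# Certificate subject names are Microsoft's published names (assumed, not on the page).
$Expected = @(
    @{ Variable = 'KEK'; Generation = 2011; Name = 'Microsoft Corporation KEK CA 2011' }
    @{ Variable = 'KEK'; Generation = 2023; Name = 'Microsoft Corporation KEK 2K CA 2023' }
    @{ Variable = 'db';  Generation = 2011; Name = 'Microsoft Windows Production PCA 2011' }
    @{ Variable = 'db';  Generation = 2023; Name = 'Windows UEFI CA 2023' }
    @{ Variable = 'db';  Generation = 2011; Name = 'Microsoft Corporation UEFI CA 2011' }
    @{ Variable = 'db';  Generation = 2023; Name = 'Microsoft UEFI CA 2023' }
)

function Get-SecureBootCertAudit {
    # Returns one row per expected certificate, or a single status row when the
    # Secure Boot variables cannot be read (legacy BIOS, or session not elevated).
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Status   = "SecureBootUnavailable: $($_.Exception.Message)"
        }
    }

    $text = @{}   # variable name -> contents decoded as ASCII, read once each
    foreach ($var in 'KEK', 'db') {
        try {
            $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
            $text[$var] = [System.Text.Encoding]::ASCII.GetString($bytes)
        } catch {
            $text[$var] = ''   # variable missing or unreadable: nothing counts as present
        }
    }

    foreach ($c in $Expected) {
        [pscustomobject]@{
            Computer          = $env:COMPUTERNAME
            SecureBootEnabled = $enabled
            Variable          = $c.Variable
            Generation        = $c.Generation
            Certificate       = $c.Name
            # Subject strings appear as plain text inside the DER-encoded entries.
            Present           = $text[$c.Variable].Contains($c.Name)
        }
    }
}

Get-SecureBootCertAudit | Format-Table -AutoSize
```

A machine whose rows show `Present` as True only for Generation 2011 has not yet received the new certificates; collecting the function's output across the fleet gives the inventory to prioritize from.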