Windows Secure Boot certificates start expiring June 24

The 2011-era Secure Boot certificates backing boot security on most Windows PCs start expiring June 24, one month from today. Devices without the 2023 replacement certificates will not stop working, but they will lose the ability to receive future boot-level security patches. Windows 11 users on supported builds are being updated automatically, though older hardware and unsupported Windows 10 machines face a harder path.

What expires and when

Three certificates are hitting their end dates: the Microsoft Corporation KEK CA 2011 on June 24, the Microsoft UEFI CA 2011 on June 27, and the Microsoft Windows Production PCA 2011 on October 19. The last one signs the Windows bootloader itself, making October the most critical deadline for long-term boot integrity. Microsoft began rolling out 2023 replacement certificates through Windows Update in January and has advanced the rollout with each monthly update, including this month's KB5089549.

What happens after June 24

Your PC will not stop booting. Microsoft says devices with expired certificates will continue to start normally and receive standard Windows updates. What they lose is the ability to receive new Secure Boot database updates, certificate revocation lists, and patches for newly discovered boot-layer vulnerabilities. Boot-level exploits like BlackLotus have specifically targeted this layer. A device with expired certificates has no patch path against future threats at the firmware level.

How to check your device

Open Windows Security, select Device Security, and check the Secure Boot section. Microsoft's support article KB5062710 covers what the expiration means and what steps to take if the update has not been applied. Users on Windows 10 outside the Extended Security Updates program will not receive the new certificates and have no remediation path from June 24 onward.

Devices that may not get the fix

Some older hardware requires a matching OEM firmware update alongside the Windows certificate rollout, because the new certificate chain must be anchored directly in UEFI firmware. Devices from manufacturers that have stopped issuing firmware updates may stay on the 2011 certificates regardless of what Windows installs. Microsoft's guidance is to apply the latest update, verify status using KB5062710, and contact OEM support if the 2023 certificates are not showing on a fully updated system.