Microsoft Rolls Out 2023 Secure Boot Certificates as 2011 Keys Start Expiring June 27
Updated
Updated · Computerworld · May 26
Microsoft Rolls Out 2023 Secure Boot Certificates as 2011 Keys Start Expiring June 27
9 articles · Updated · Computerworld · May 26
June 27 marks the first expiry for two 2011 Windows Secure Boot certificates, prompting Microsoft to push 2023 replacements through Windows Update for eligible PCs and servers.
Without the new certificates, devices keep running and still get normal Windows updates, but lose boot-level security updates, revocation-list refreshes and newer Boot Manager protections.
Windows 11 24H2, 25H2 and 26H1, supported enterprise editions, ESU-covered Windows 10 22H2 and Windows Server 2019, 2022 and 2025 are covered; out-of-support versions are not.
Older systems may need OEM firmware or BIOS updates from vendors such as HP, Dell and Lenovo because the certificates must be written into UEFI firmware databases.
Microsoft says most 2025-and-later devices already include the 2023 certificates, while some April 2026 and later updates may trigger one extra reboot during installation.
Microsoft's security deadline is next month, but its fix can lock you out. How can businesses update safely?
Millions of PCs will be left vulnerable by Microsoft's June deadline. Is your hardware being forced into obsolescence?
This urgent PC update expires in 2038. Why is it just a temporary fix in the race against future quantum hackers?
Windows Secure Boot Certificate Expiration in June 2026: What It Means, Who’s Affected, and How to Prepare
Overview
Windows Secure Boot certificates from 2011 will expire on June 24, 2026, marking a critical security deadline. After this date, Microsoft will lose the authority to sign new updates with the old Key Exchange Key, and any system not updated to trust the new 2023 certificates will be permanently cut off from essential boot-level security patches. To address this, Microsoft and its hardware partners have spent years working together to replace the outdated certificates, ensuring that most newer PCs already have the updated version. This transition is vital to keep devices secure and able to receive future updates.