In late June 2026, Secure Boot certificates that had been baked into Windows PCs since 2011 reached their expiry dates. Nothing dramatic happened, no PCs bricked, and most people noticed nothing at all. That is precisely https://saborcitosrestaurant.com/ why it is worth understanding, because the consequence is quiet rather than loud.
What Actually Expired
Secure Boot works by checking that boot software is signed by an authority your firmware trusts. That trust comes from cryptographic certificates stored in your motherboard’s firmware, and certificates have expiry dates by design.
Three matter here. Microsoft Corporation KEK CA 2011 expired on 24 June 2026, Microsoft Corporation UEFI CA 2011 on 27 June, and Windows Production PCA 2011 follows in October 2026. Microsoft is replacing them with a 2023 generation, valid until 2038.
The Crucial Point: Your PC Still Boots
This is where rumour outran reality. Expired certificates do not stop your PC starting. It boots, Windows loads, everything works, and ordinary Windows updates keep installing.
The real consequence is subtler. A device that missed the transition can no longer receive new boot-level protections: updates to Windows Boot Manager, Secure Boot database changes, revocation lists, or mitigations for newly discovered boot-level vulnerabilities like the BlackLotus bootkit.
So nothing breaks. Your defences simply stop improving in the one part of the system that runs before Windows can defend itself, and the gap widens quietly over time.
You’re Probably Fine
Reassuringly, most people needed to do nothing. Microsoft began rolling the 2023 certificates out through Windows Update in phases from 2024, and many PCs built since then shipped with them already.
If you keep Windows Update on and Secure Boot enabled, the swap likely happened silently. Microsoft notes the full process takes roughly 48 hours and one or more restarts, since the Boot Manager step waits for a natural reboot. If you saw an unfamiliar Secure Boot-related folder appear, that is part of the rollout, not a bug.
How to Check, and One Trap
Since the April 2026 update, the Windows Security app shows Secure Boot certificate status under Device security. You can also press Windows+R, type msinfo32, and look at Secure Boot State.
Here is the trap worth knowing: toggling Secure Boot off and on can wipe the updated certificates, resetting firmware to defaults. If Secure Boot is on, leave it on. Resetting your BIOS to defaults can undo the transition too.
Devices most at risk are older PCs whose firmware may not properly support or retain the new certificates, where an OEM firmware update may be needed first.
The Takeaway
The 2011 certificates expired in June 2026, your PC still boots fine, and most machines transitioned automatically through Windows Update. The risk is a quietly degrading boot-level defence rather than a failure. Check Device security in Windows Security, and if Secure Boot is enabled, resist the urge to toggle it.