Windows Secure Boot Certificates Expire This Month. Is Your Business Ready?

Microsoft's Secure Boot certificates expire on June 24, 2026. Most businesses have no idea this is coming.

Three certificates that have governed Windows boot security since 2011 are reaching the end of their 15-year lifespan this month. The first deadline lands in 23 days. If the devices on your network have not received updated certificates, they will keep booting just fine. But from that point forward, they cannot receive any new boot-level security protections. That gap does not fix itself later.

This is not a story about Windows crashing. It is a story about what happens quietly, in the background, when businesses fall behind on infrastructure maintenance they did not know existed.

What Secure Boot Does and Why Certificates Matter

Secure Boot is a firmware-level security feature built into modern Windows devices. When a computer starts, Secure Boot checks every piece of software that tries to run before Windows loads. It compares that software against two lists embedded in the device's firmware: a trusted software database and a blocklist of known-bad signatures.

That verification process depends on certificates. The certificates tell the firmware which code to trust at boot time.

Microsoft issued the original Secure Boot certificates in 2011. They were designed for a 15-year lifespan. That lifespan ends this month.

Three certificates are expiring on the following dates:

  • Microsoft Corporation KEK CA 2011 expires June 24, 2026
  • Microsoft UEFI CA 2011 expires June 27, 2026
  • Microsoft Windows Production PCA 2011 expires October 19, 2026

Microsoft began rolling out replacement certificates starting in 2023. The new certificates are valid through 2038. On most Windows 11 PCs manufactured after 2024, the update has already happened automatically through Windows Update. The problem is everything else on your network.

What Happens If Nothing Is Done

The device keeps booting normally. Nothing shuts down. Applications run. That is exactly what makes this easy to miss.

What stops working is the security update channel for the boot process. Once the old certificates expire, devices that have not received the new ones can no longer receive:

  • Updates to Windows Boot Manager
  • New DBX entries (the blocklist of known-bad boot software signatures)
  • Mitigations for newly discovered boot-level vulnerabilities

The result is a device stuck at a permanent security waterline. Any boot-level threat discovered after June 24 cannot be blocked on an unupdated device through normal channels.

That threat category has a real name. BlackLotus was the first UEFI bootkit to bypass Secure Boot on a fully patched Windows 11 system. It runs before the operating system loads. Once active, it can disable BitLocker, Windows Defender, and Hypervisor-Protected Code Integrity before Windows even starts. Standard antivirus software does not see it because by the time antivirus loads, the threat is already running underneath everything else.

Without updated certificates, there is no mechanism to block the next variant of that kind of threat. The channel for receiving those blocklist updates closes.

Why Windows Server Is the Risk Most Businesses Will Miss

Windows PCs on Windows 11 version 24H2 or 25H2 receive the certificate update automatically through Windows Update. Most modern laptops and desktops handle this without anyone doing anything.

Windows Server does not.

The automatic rollout does not apply to Windows Server. IT administrators have to update those certificates manually. That means knowing the update exists, knowing which servers are affected, and executing a tested rollout with phased deployment and validation.

Microsoft recommends testing a minimum of four devices per unique manufacturer, model, and firmware combination before broad deployment. The full process takes roughly 48 hours and requires at least one restart per device. Each step in the sequence must complete before the next one runs.

For a business running file servers, domain controllers, or any Windows Server infrastructure, this is not a click-and-wait operation.

The Windows 10 Problem

Windows 10 reached end of support in October 2025. Devices still running it do not receive standard Windows updates.

That means they will not receive the new Secure Boot certificates through normal channels. Without Extended Security Updates, those devices are permanently excluded from the certificate rollout.

Most businesses in the 30-to-150-person range have at least a handful of machines that were not refreshed before the Windows 11 cutoff. TPM 2.0 compatibility requirements locked out a lot of otherwise functional hardware from Windows 11. If those devices are still on the network, they will miss this deadline regardless of what else you do.

That is not just a patch management issue. It is a hardware refresh conversation that should already be happening.

What IT Teams Need to Do Before June 24

The practical checklist for a managed Windows environment is not short:

Inventory every device. Identify which machines are on Windows 11 24H2 or later, which are on older Windows 11 versions, which are still on Windows 10, and which are running Windows Server in any version.

Check Secure Boot status. On Windows 11, go to Privacy and Security, then Windows Security, then Device Security. A green checkmark under Secure Boot means the device has updated certificates. A yellow or red warning means it has not.

Update firmware before applying certificates. Devices need current BIOS and firmware before the certificate update can apply correctly. Dell, HP, Lenovo, and Fujitsu have each published separate guidance on compatible firmware versions. Applying certificates to devices with outdated firmware can cause failures.

Update Windows Server manually. This does not happen on its own. Prioritize domain controllers and any server with network exposure first.

Run a phased rollout. Test on a pilot group per hardware model before broad deployment. Validate with Windows Event ID 1808 (success) and watch for Event ID 1801 (incomplete). Structure rollout rings rather than updating everything at once.

Document hardware that cannot be updated. Some older Windows 10 devices will not receive the new certificates regardless of effort. Log those as formal exceptions and move the hardware refresh conversation forward.
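As an added illustration, not part of the original post, here is a PowerShell audit that covers the inventory, status-check and validation steps above from a single host. It assumes the 2023 replacement certificate names Microsoft has published (Microsoft Corporation KEK 2K CA 2023, Windows UEFI CA 2023, Microsoft UEFI CA 2023), which the article does not list, and it reads event IDs 1801 and 1808 with the meaning the checklist gives them.

```powershell
# Added example, not from the article. Assumes the 2023 replacement CA names
# published by Microsoft and the 1801/1808 System-log event IDs cited above.
function Get-SecureBootCertStatus {
    $os = Get-CimInstance Win32_OperatingSystem
    $r = [ordered]@{
        Host = $env:COMPUTERNAME; OS = $os.Caption; Build = $os.BuildNumber
        SecureBootOn = $false; KEK2023 = $false; DB2023 = $false; DB2011 = $false
        LastEvent = $null; Action = ''
    }
    # Confirm-SecureBootUEFI throws on legacy BIOS or non-UEFI hosts.
    try { $r.SecureBootOn = Confirm-SecureBootUEFI } catch { $r.SecureBootOn = $false }

    if ($r.SecureBootOn) {
        # db and KEK are raw EFI signature lists; the CA subject names are ASCII
        # inside the embedded DER certificates, so a string match is enough here.
        $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
        $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $r.KEK2023 = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        $r.DB2023  = ($db -match 'Windows UEFI CA 2023') -and ($db -match 'Microsoft UEFI CA 2023')
        $r.DB2011  = $db -match 'Microsoft Windows Production PCA 2011'
    }
    # 1808 = certificate update succeeded, 1801 = update incomplete (matched by ID only).
    $ev = Get-WinEvent -FilterHashtable @{LogName = 'System'; Id = 1801, 1808} -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($ev) { $r.LastEvent = '{0} at {1}' -f $ev.Id, $ev.TimeCreated }

    # Map the findings onto the checklist's rollout decision.
    if (-not $r.SecureBootOn) { $r.Action = 'Secure Boot off or unsupported: fix in firmware, then re-audit' }
    elseif ($r.KEK2023 -and $r.DB2023) { $r.Action = 'Updated: no action' }
    elseif ($os.Caption -like '*Server*') { $r.Action = 'Server: schedule manual certificate update' }
    elseif ($os.Caption -like '*Windows 10*') { $r.Action = 'Windows 10: confirm ESU coverage or log as hardware exception' }
    else { $r.Action = 'Pending: check firmware version, then confirm Windows Update delivers it' }
    [pscustomobject]$r
}

# Single host shown; for a fleet, run the function via Invoke-Command -ScriptBlock ${function:Get-SecureBootCertStatus}
Get-SecureBootCertStatus | Format-List
```

Run it elevated so the UEFI variables are readable; the Action field is what feeds the exception log and the per-model pilot groups described above.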

One other thing worth knowing: once Secure Boot revocations are applied, they are non-reversible while Secure Boot is enabled. This is not something to test in production first.

The Part That Usually Gets Missed

This is the kind of deadline that lives in the space between "someone should know about this" and "someone actually did something about it."

Business owners do not track certificate expiration timelines. That is not a criticism. It is a description of how most organizations operate. Certificate management, phased firmware rollouts, manual server updates, and hardware exception documentation are not things that show up in most IT conversations unless someone is specifically watching for them.

The pattern I see: businesses running without a managed IT partner discover this kind of deadline after the fact, when a vendor flags that a server has stopped receiving security updates. By then, the window to act cleanly is gone.

June 24 is not flexible. Either the certificates are updated before then or they are not.

Frequently Asked Questions

What is Windows Secure Boot and why does it matter for businesses? Secure Boot is a firmware security feature that checks software integrity before the operating system loads. It protects against bootkit malware that can run beneath antivirus detection. Businesses relying on BitLocker for disk encryption depend on Secure Boot being current and active.

Will my Windows devices stop working if I miss the June 24 deadline? No. Devices continue to boot and operate normally. What stops working is the update pipeline for boot-level security. Devices that miss the deadline can no longer receive protections against boot threats discovered after that date.

Do Windows devices update Secure Boot certificates automatically? Windows 11 version 24H2 and 25H2 receive the certificate update automatically through Windows Update on most hardware. Windows Server does not. Server infrastructure requires manual updates by an IT administrator.

What about Windows 10 devices? Windows 10 reached end of support in October 2025. Devices running Windows 10 without Extended Security Updates will not receive the new certificates. Those devices are permanently excluded from the rollout and will remain in a degraded security state with no standard remediation path.

How long does the Secure Boot certificate update take? Microsoft estimates roughly 48 hours and at least one restart per device. A scheduled task runs approximately every 12 hours to apply staged updates. IT teams should plan for phased rollout, firmware updates per device model, and validation time rather than treating this as a single-step update.

Certificate deadlines, manual server updates, hardware exceptions. This is the infrastructure work that happens in the background when you have a managed IT partner who is watching for it. Talk to us about what proactive IT management actually looks like.