Key Takeaways
- Microsoft’s original 2011 Secure Boot certificates begin expiring on June 24, 2026, with the Windows Production PCA 2011 following in October 2026.
- Affected devices include virtually every Windows PC and server shipped since 2012, including Windows 10, Windows 11, and Windows Server 2012 through 2025.
- Devices that miss the transition will continue to boot and function, but will lose the ability to receive security updates for the Windows Boot Manager and Secure Boot components, creating a degraded security state vulnerable to bootkit malware.
- Windows client devices receive the new 2023 certificates automatically through Windows Update, but Windows Server requires manual deployment via registry keys or Group Policy.
- Unsupported systems, including Windows 10 devices not enrolled in Extended Security Updates, will not receive the new certificates at all.
- Organizations should begin auditing their fleet, verifying OEM firmware readiness, and deploying updates well before the June 2026 deadline.
A Cryptographic Deadline Hiding in Plain Sight
Most IT operational deadlines arrive with plenty of warning. End-of-support dates get announced years in advance, vendors publish migration guides, and analyst coverage builds steadily until the transition hits. The Secure Boot certificate expiration scheduled for June 2026 has not followed that pattern. Despite affecting nearly every Windows device manufactured in the last 14 years, the expiration has received little attention outside of deep technical circles, leaving many organizations unaware that a foundational security component of their fleet is quietly approaching a hard cryptographic limit.
The stakes are not theoretical. Secure Boot is the UEFI mechanism that checks the signature on every component of the Windows startup path, so that only code signed under a trusted certificate authority loads before the operating system itself. Those trusted certificates do not chain to a public root; they are stored in the firmware's Secure Boot variables, principally the Key Exchange Key (KEK) and the signature database (db), and the Microsoft certificates found there were issued in 2011 with a 15-year validity period. That clock is now running out.
What Is Actually Expiring and When
Three Microsoft certificates reach their expiration dates across 2026. The Microsoft Corporation KEK CA 2011 and the Microsoft Corporation UEFI CA 2011 expire first, in late June 2026 (the KEK CA on June 24). The Microsoft Windows Production PCA 2011, which signs the Windows Boot Manager itself, expires in October 2026. Each serves a distinct role: the KEK authorizes updates to the signature databases (db, the allow list, and dbx, the revocation list); the UEFI CA signs third-party boot components, such as the shim used by Linux distributions, as well as option ROMs on add-in cards; and the Production PCA signs the Windows Boot Manager, bootmgfw.efi.
Microsoft has issued replacement 2023 certificates to maintain continuity: the Microsoft Corporation KEK 2K CA 2023 replaces the KEK, the Windows UEFI CA 2023 takes over from the Production PCA as the signer of the Windows Boot Manager, and the 2011 UEFI CA is replaced by two certificates. That last change is a meaningful architectural one. The original 2011 UEFI CA signed everything from bootloaders to option ROMs under a single trust anchor; the 2023 update splits it into the Microsoft UEFI CA 2023 for third-party boot components and the Microsoft Option ROM UEFI CA 2023 for option ROMs, so an administrator can, for example, keep trusting third-party bootloaders while declining to trust option ROMs, or the reverse. This separation matters for regulated environments where limiting trust boundaries is a compliance requirement, as outlined in Microsoft's official Windows IT Pro advisory on the 2026 Secure Boot transition. A fully transitioned device therefore needs three things: the new KEK, the new db entries, and a Windows Boot Manager re-signed under the Windows UEFI CA 2023.
Which Devices Are Affected
The scope of affected devices is broader than most administrators realize. Any physical or virtual machine running a supported version of Windows 10, Windows 11, or Windows Server 2012, 2012 R2, 2016, 2019, 2022, or 2025 is affected, including long-term servicing channel editions. This encompasses everything from the oldest surviving domain controllers to the newest Surface laptops. Generation 2 Hyper-V virtual machines are also in scope, though Generation 1 VMs, which do not support Secure Boot, are not.
Devices shipped from OEMs in 2024 and later were increasingly provisioned with both the 2011 and 2023 certificates at the factory, and nearly all devices shipped in 2025 include them. That still leaves an enormous installed base of production hardware that requires action. For organizations managing mixed fleets of laptops, desktops, and servers, the practical challenge lies in identifying which devices have already received the new certificates and which still need them.
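As an added example (not from the article, and not Microsoft's own tooling), the PowerShell below answers that question for one device. Rather than grepping the raw variable for a name, it decodes the EFI_SIGNATURE_LIST structures that make up the KEK and db variables, lists every X.509 CA present with its expiry date, and then reports whether each 2023 certificate is there. It assumes an elevated session on a UEFI system with Secure Boot enabled and the built-in SecureBoot module; the 2023 subject names are the ones Microsoft's certificate-update guidance lists, and should be confirmed against that guidance before the script is used as a fleet check.

```powershell
# Added example: inventory the Secure Boot CAs on this device (run elevated).
# EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout follows the UEFI specification.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificate {
    [CmdletBinding()]
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)

    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset -lt $bytes.Length) {
        if ($bytes.Length - $offset -lt 28) { throw "Truncated EFI_SIGNATURE_LIST in $Name at offset $offset" }
        # Header: SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4) | SignatureSize (4)
        $sigType    = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST in $Name at offset $offset"
        }

        # dbx is mostly SHA-256 hash lists; only X.509 lists carry certificates we can date.
        if ($sigType -eq $EfiCertX509Guid) {
            $entry = $offset + 28 + $headerSize
            $end   = $offset + $listSize
            while ($entry + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16) | SignatureData (DER-encoded certificate)
                $der  = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable = $Name
                    Subject  = $cert.GetNameInfo('SimpleName', $false)
                    NotAfter = $cert.NotAfter
                    Expired  = $cert.NotAfter -lt (Get-Date)
                }
                $entry += $sigSize
            }
        }
        $offset += $listSize
    }
}

# 2023 subject names as listed in Microsoft's guidance (assumption: confirm against the current KB).
$Required = @{
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
    db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
}

if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not enabled; nothing to inventory.' }

$Found = foreach ($v in 'KEK', 'db') { Get-SecureBootCertificate -Name $v }
$Found | Sort-Object Variable, NotAfter | Format-Table Variable, Subject, NotAfter, Expired -AutoSize

# One line per required 2023 certificate, so output from many hosts can be collected and diffed.
foreach ($v in $Required.Keys) {
    foreach ($cn in $Required[$v]) {
        $present = $Found | Where-Object { $_.Variable -eq $v -and $_.Subject -eq $cn }
        '{0} {1,-4} {2,-36} {3}' -f $env:COMPUTERNAME, $v, $cn, $(if ($present) { 'present' } else { 'MISSING' })
    }
}
```

Running this on a device that has not yet transitioned shows only the 2011 entries, each with a NotAfter in 2026, followed by four MISSING lines; a transitioned device lists the 2011 and 2023 entries side by side, since the update adds the new certificates rather than removing the old ones. The same parse works for PK and dbx, which is useful when an OEM firmware update is suspected of having reset the variables.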
What Happens If a Device Misses the Deadline
A device that reaches June 2026 without the 2023 certificates will not stop working. UEFI firmware does not check certificate expiry when it validates a boot component, so the device will continue to boot normally, run applications, and install regular Windows updates. The damage is more subtle and accumulates over time. Once the 2011 certificates expire, Microsoft will no longer sign new Windows Boot Manager builds, or new db and dbx updates, under them, and a device whose firmware trusts only the 2011 certificates has no way to validate anything signed under the 2023 ones. If a new boot-level vulnerability is discovered, as happened with the BlackLotus UEFI bootkit, whose Secure Boot bypass Microsoft tracks as CVE-2023-24932, the affected device will have no path to receive the mitigation.
This is what Microsoft has described as a degraded security state. The device remains functional but becomes progressively less protected as new threats emerge. Bootkit malware is particularly dangerous because it loads before the operating system and before antivirus software, making it difficult or impossible to detect with conventional endpoint tools. For organizations in regulated industries, running devices in this state may also create compliance exposure, since most frameworks require timely application of security patches to protective controls. Businesses with formal regulatory obligations should factor this into their planning alongside existing compliance program reviews.
The Critical Difference Between Client and Server Deployment
One of the most important operational details of the 2026 transition is that Windows client and Windows Server behave differently. Windows 10 and Windows 11 devices receive the new 2023 certificates automatically through the regular monthly Windows Update process, delivered via Controlled Feature Rollout. For organizations that allow Microsoft to manage updates, the transition should require little to no manual intervention on client devices.
Windows Server is a different story. Server systems do not receive the 2023 certificates automatically. IT administrators must opt each server in, using registry keys or Group Policy settings, before the servicing task will apply the new KEK, the new db entries, and the re-signed boot manager. Hardware certified for Windows Server 2025 ships with the new certificates already in firmware, but any server on older hardware, whichever supported version it runs from Server 2012 through Server 2025, requires explicit action. This is the single most common blind spot in current Secure Boot planning, and it disproportionately affects small and midsize businesses that lack dedicated server engineering teams. Organizations without in-house expertise may want to engage a virtual CIO or CTO to coordinate the rollout across their server estate.
Windows 10 and the Extended Security Updates Gap
Windows 10 reached end of support on October 14, 2025, which creates an additional wrinkle in the Secure Boot timeline. Devices running unsupported versions of Windows 10 do not receive Windows updates and will therefore not receive the new certificates. Organizations that enrolled eligible Windows 10 systems in the Extended Security Updates program can still receive the certificate updates, but only for as long as their ESU coverage remains active.
For businesses still running Windows 10 fleets into 2026, this creates a compounding risk. The operating system itself is out of mainstream support, the ESU program pricing doubles each year, and the Secure Boot certificates underneath it are about to expire. The most cost-effective path for most organizations remains migration to Windows 11, a transition covered in greater depth in the guide to upgrading from Windows 10 to Windows 11.
What IT Operations Teams Should Do Right Now
Preparation for the June 2026 deadline should be treated as a discrete project with defined milestones rather than an ambient update task. A practical approach begins with inventory. Administrators need a clear accounting of every Windows device in the environment, including virtual machines, and its current certificate status. Starting in April 2026, the Windows Security app surfaces this information directly on client devices under Device Security, showing whether the 2023 certificates have been applied and whether any action is needed.
The next step is firmware readiness. Some devices, particularly those manufactured before 2020, may require an OEM firmware update before they can accept the new certificates. Administrators should check with device manufacturers to confirm that firmware updates are available and that their platforms are on the supported list. Devices outside their OEM support window may not receive the necessary firmware updates at all, which effectively forces a hardware refresh decision and ties the Secure Boot deadline into broader IT asset lifecycle planning.
Server environments require the most attention because of the manual deployment requirement. Administrators should identify all Windows Server instances, validate the current firmware version against the OEM's supported list, test the certificate deployment on a non-production system, and then stage the rollout across production servers using established backup and recovery practices to protect against any unexpected boot issues. Plan for more than one restart per host, since the KEK, db, and boot manager updates are applied in stages across reboots. Documented maintenance windows and rollback procedures are essential, particularly for domain controllers and line-of-business application servers.
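The procedure above, carried through for a single server as an added example (this is not the article's or Microsoft's code): a readiness check that records the firmware version to compare with the OEM list, a status function that reads what the servicing task has recorded and which 2023 certificates are already in the variables, and the opt-in itself. It assumes an elevated session on a Windows Server with Secure Boot enabled. The registry value names, the 0x5944 bitmask, the scheduled task name, and the event IDs are taken from Microsoft's Secure Boot certificate-update guidance and are assumptions to confirm against the KB article for your build before this is used in production.

```powershell
# Added example: opt one Windows Server host into the 2023 Secure Boot certificates and track progress.
# Run elevated, inside a maintenance window, after a tested backup. Registry names, the 0x5944
# bitmask, the task name and the event IDs follow Microsoft's guidance and are assumptions to verify.
$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$ServicingKey  = Join-Path $SecureBootKey 'Servicing'

function Test-SecureBootReadiness {
    # Firmware facts to compare with the OEM's supported list before touching the KEK or db.
    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not enabled; the update task has nothing to do.' }
    $fw = Get-CimInstance Win32_BIOS
    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        Firmware     = '{0} {1}' -f $fw.Manufacturer, $fw.SMBIOSBIOSVersion
        FirmwareDate = $fw.ReleaseDate
        OSBuild      = (Get-CimInstance Win32_OperatingSystem).BuildNumber
    }
}

function Get-SecureBoot2023Status {
    # UEFICA2023Status is written by the servicing task (NotStarted / InProgress / Updated).
    # The db/KEK checks are the substring test Microsoft's own guidance uses; the event IDs
    # (1801 = update needed, 1808 = updated) are logged by the TPM-WMI provider in the System log.
    $svc = Get-ItemProperty -Path $ServicingKey -ErrorAction SilentlyContinue
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $ev  = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801, 1808 } -MaxEvents 5 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Status       = $svc.UEFICA2023Status
        LastError    = $svc.UEFICA2023Error
        KekHas2023   = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        DbHasWinCA   = $db  -match 'Windows UEFI CA 2023'
        DbHasUefiCA  = $db  -match 'Microsoft UEFI CA 2023'
        DbHasOptRom  = $db  -match 'Microsoft Option ROM UEFI CA 2023'
        RecentEvents = ($ev | ForEach-Object { '{0:u} {1}' -f $_.TimeCreated, $_.Id }) -join '; '
    }
}

function Enable-SecureBoot2023Update {
    # 0x5944 = KEK 2023 (0x4000) + Windows UEFI CA 2023 in db (0x40) + Microsoft UEFI CA 2023 (0x800)
    #        + Option ROM UEFI CA 2023 (0x1000) + re-signed boot manager (0x100). Bit values are an assumption.
    Set-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -Type DWord -Value 0x5944
    # The task applies the steps across several reboots; re-run Get-SecureBoot2023Status after each one.
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update'
}

Test-SecureBootReadiness | Format-List
Get-SecureBoot2023Status | Format-List
# Enable-SecureBoot2023Update; Restart-Computer   # only once the readiness output matches the OEM's supported list
```

The opt-in line is left commented out deliberately: on a non-production test host, uncomment it, reboot, and keep re-running Get-SecureBoot2023Status after each restart until Status reads Updated and all four certificate flags are True. A host that stalls in InProgress with a LastError value, or that logs nothing from the TPM-WMI provider, is the case to investigate with the OEM before the same change is staged onto production servers.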
The Broader Operational Picture
The Secure Boot certificate expiration is not an isolated event. It coincides with a cluster of Microsoft end-of-support milestones in 2026, including SQL Server 2016 in July, Office LTSC 2021 in October, and the final ESU year for Windows Server 2012 and 2012 R2, also in October. Organizations that have deferred modernization are now facing a concentrated period where multiple foundational systems require attention at the same time. Treating these as separate projects invites resource conflicts and last-minute scrambles. Treating them as a coordinated modernization effort, ideally with managed IT support backing the execution, produces better outcomes and lower total cost.
The June 2026 deadline will not cause catastrophic failures on day one. What it will do is quietly erode the security posture of unprepared fleets, day by day, as new boot-level vulnerabilities emerge and unpatched systems accumulate risk. Acting now, while the certificates are being rolled out automatically and OEM support remains available, is meaningfully cheaper and less disruptive than responding after the deadline has passed.
By Thomas McDonald