Three legacy Secure Boot certificates from 2011 will expire between June and October 2024. Windows 11 devices receive the 2023 replacement automatically, but older Windows 10 machines and some OEM firmware may lose the ability to get future boot‑level security updates, leaving them exposed to firmware attacks.
What’s changing on June 24
Microsoft’s 2011‑era Secure Boot certificates – the Microsoft Corporation KEK CA 2011, Microsoft UEFI CA 2011 and Microsoft Windows Production PCA 2011 – are reaching their end‑of‑life dates. The first two expire on June 24 and June 27, while the certificate that actually signs the Windows bootloader expires on October 19. After those dates the certificates are no longer trusted by the UEFI Secure Boot firmware on most Windows PCs.

Why the rollout matters
Secure Boot is the first line of defense against malicious firmware that tries to hijack the boot process. It relies on a chain of trusted certificates stored in the motherboard’s UEFI firmware. When a certificate expires, the firmware can still boot, but it will stop accepting new Secure Boot database updates, certificate revocation lists, and patches for newly discovered boot‑level vulnerabilities. In practice that means a system with expired certificates can no longer be hardened against threats like the BlackLotus bootkit.
How Microsoft is handling the transition
Since January 2024 Microsoft has been pushing a set of 2023 replacement certificates through Windows Update. Each monthly update adds the new certificates to the system’s Secure Boot store, and the latest cumulative update – KB5089549 – includes the final batch. Windows 11 devices on supported builds receive the update automatically, and the new certificates appear in the Secure Boot section of Windows Security.
What happens if you miss the update?
- The PC will still boot normally.
- Standard Windows updates continue to install.
- The machine cannot receive future Secure Boot firmware updates or revocation lists.
- Any boot‑level exploit discovered after the expiry date has no official patch path.
Who is at risk?
| Device group | Likely status after June 24 | What to do |
|---|---|---|
| Windows 11 on supported builds | Updated automatically, certificates present | Verify in Windows Security → Device security → Secure Boot. |
| Windows 10 (version 22H2) on supported hardware | Receives the 2023 certificates via Windows Update, but only if the OEM firmware still trusts the new chain. | Run the latest cumulative update, then check the Secure Boot status. |
| Windows 10 outside the Extended Security Updates (ESU) program | No new certificates will be delivered. | No official remediation; consider upgrading OS or contacting OEM for a firmware fix. |
| Very old OEM hardware that no longer receives firmware updates | Firmware may still anchor the 2011 certificates, preventing the new chain from being accepted. | Contact the OEM; if no firmware update exists, the only safe path is to replace the device. |
How to verify your certificate status
- Open Windows Security.
- Select Device security.
- Click Secure Boot. The panel will list the active certificates; look for entries dated 2023.
- For a deeper view, run `certutil -store TrustedPublisher` in an elevated Command Prompt and locate entries named Microsoft UEFI CA 2023.
Microsoft’s support article KB5062710 explains the expiration timeline and provides step‑by‑step guidance for checking and troubleshooting the certificate chain.
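The verification steps above, as an added PowerShell example that is not from the article or from Microsoft: it reads the firmware’s KEK and db variables through the SecureBoot module cmdlets, walks the EFI_SIGNATURE_LIST structures, and lists every X.509 certificate with its expiry date, flagging the 2011 and 2023 generations. The cmdlet names and the EFI_CERT_X509 GUID are standard UEFI/Windows values; labelling a certificate’s generation by the year in its subject is this example’s own assumption. It requires an elevated PowerShell on a UEFI system with Secure Boot available.

```powershell
# Added example (not from the article or Microsoft): enumerate the X.509
# certificates the firmware trusts for Secure Boot and flag 2011 vs 2023 keys.
#Requires -RunAsAdministrator

# Standard UEFI signature-type GUID for X.509 entries in db/KEK/PK.
$EfiCertX509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificate {
    param([Parameter(Mandatory)][ValidateSet('db', 'dbx', 'KEK', 'PK')][string]$Name)

    # Get-SecureBootUEFI (SecureBoot module) returns the raw variable contents.
    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID (16 bytes), then three UINT32s:
        # SignatureListSize, SignatureHeaderSize, SignatureSize.
        $sigType  = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { break }   # malformed list: stop instead of looping forever

        if ($sigType -eq $EfiCertX509Guid) {
            $pos = $offset + 28 + $hdrSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: owner GUID (16 bytes) followed by the DER certificate.
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                # Generation is inferred from the year in the subject (assumption of this example).
                $gen  = if ($cert.Subject -match '2023') { '2023' }
                        elseif ($cert.Subject -match '2011') { '2011' }
                        else { 'other' }
                [pscustomobject]@{
                    Variable   = $Name
                    Generation = $gen
                    Expired    = ($cert.NotAfter -lt (Get-Date))
                    NotAfter   = $cert.NotAfter
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

# Confirm-SecureBootUEFI throws on legacy BIOS systems, so guard it.
try {
    if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is disabled on this device.' }
} catch {
    Write-Warning 'Not a UEFI system or Secure Boot variables are unavailable.'
    return
}

$certs = @('KEK', 'db') | ForEach-Object { Get-SecureBootCertificate -Name $_ }
$certs | Sort-Object Variable, NotAfter |
    Format-Table Variable, Generation, Expired, NotAfter, Subject -AutoSize

# The check the article describes: are 2023 certificates present in both KEK and db?
$kek2023 = $certs | Where-Object { $_.Variable -eq 'KEK' -and $_.Generation -eq '2023' }
$db2023  = $certs | Where-Object { $_.Variable -eq 'db'  -and $_.Generation -eq '2023' }
if ($kek2023 -and $db2023) {
    'Firmware trusts the 2023 certificate chain in both KEK and db.'
} else {
    Write-Warning 'The 2023 chain is incomplete in firmware; the device is still anchored to the 2011 keys.'
}
```

Unlike the `certutil` check, which inspects a Windows certificate store, this reads what the firmware itself trusts, which is the distinction the OEM section below turns on: Windows can install the 2023 certificates, but if they never reach the firmware’s KEK and db, the boot chain remains anchored to the 2011 keys.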
What OEMs need to do
The new certificate chain must be anchored directly in the UEFI firmware. Some manufacturers have already released BIOS/UEFI updates that add the 2023 root keys. Devices that lack such firmware updates will continue to rely on the expired 2011 keys, even if Windows installs the newer certificates. In those cases the firmware will reject any future Secure Boot database updates, effectively freezing the boot‑level security posture.
Bottom line
- Windows 11 users: let the automatic updates run and double‑check the Secure Boot panel.
- Windows 10 users on supported hardware: apply the latest cumulative update and verify the new certificates.
- Legacy hardware owners: if the OEM has stopped releasing firmware, you may need to replace the machine to maintain a secure boot chain.
Staying on top of this certificate expiration is the simplest way to keep the firmware layer of your PC protected against emerging threats.
