
A ticking clock is now running on one of Windows' most fundamental security protections. Microsoft has confirmed that the original Secure Boot certificates protecting virtually every Windows PC manufactured since 2011 will begin expiring this June, potentially exposing millions of devices to sophisticated boot-level malware attacks.
The expiration marks the first major overhaul of Secure Boot's cryptographic foundation in 15 years. Secure Boot—a UEFI firmware feature that ensures only digitally signed code can execute during system startup—has quietly safeguarded the boot process before Windows even loads. Without updated certificates, devices enter what Microsoft calls a "degraded security state," vulnerable to bootkit threats like BlackLotus, which exploits the pre-boot environment.
"After more than 15 years of continuous service, the original Secure Boot certificates are reaching the end of their planned lifecycle," Microsoft's Windows partner director, Nuno Costa, stated in a blog post.
For most users, the transition should be seamless. Microsoft is automatically deploying updated 2023 certificates through Windows Update on supported systems—primarily Windows 11 machines and Windows 10 devices enrolled in Extended Security Updates. PCs manufactured since 2024 already ship with the new certificates baked in.
The real concern centres on legacy systems. Devices running unsupported Windows versions won't receive the critical updates, leaving an estimated hundreds of millions of machines potentially at risk. While these systems will continue functioning normally after June, they'll gradually lose compatibility with newer software and drivers that expect current security standards.
Adding complexity, some devices require manufacturer-specific firmware updates before accepting Microsoft's certificate refresh. IT administrators managing enterprise fleets face a coordination challenge across disparate hardware configurations, with deployment options ranging from Intune policies to PowerShell scripts.
Microsoft has published a comprehensive playbook for organisations, emphasising the need to inventory devices and verify Secure Boot status now.
What You Should Do:
Check your PC's certificate status by searching "Device Security" in Windows Settings. Ensure Windows Update is enabled and your system is on a supported OS version. Organisations should review Microsoft's deployment guidance and coordinate with OEMs for any required firmware updates before the June deadline.
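As an added example (not code from the article or from Microsoft's playbook), the PowerShell function below performs the status check described above in a read-only way: it confirms Secure Boot is enabled and reports whether the 2011 or 2023 Microsoft certificate authorities are present in the firmware's signature database (db) and key exchange key (KEK). It assumes an elevated session on a UEFI-booted Windows machine and relies on the published subject names of those CAs; the function name and the output fields are my own.

```powershell
#Requires -RunAsAdministrator

# Added example: inventory a device's Secure Boot certificate generation.
# Uses only the built-in SecureBoot module cmdlets; makes no changes to firmware.
function Get-SecureBootCertificateStatus {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI systems, so treat
    # that as "unsupported" rather than failing the whole inventory run.
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        return [pscustomobject]@{
            ComputerName        = $env:COMPUTERNAME
            SecureBootSupported = $false
            SecureBootEnabled   = $false
            CertificateState    = 'NotApplicable'
        }
    }

    # db and KEK are raw EFI_SIGNATURE_LIST blobs. The CA subject names are stored
    # as ASCII inside the DER-encoded certificates, so a substring match is enough
    # to tell which certificate generation the firmware currently trusts.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    # Well-known subject names of the original (2011) and replacement (2023) CAs.
    $has2011Windows = $db  -match 'Microsoft Windows Production PCA 2011'
    $has2023Windows = $db  -match 'Windows UEFI CA 2023'
    $has2011Third   = $db  -match 'Microsoft Corporation UEFI CA 2011'
    $has2023Third   = $db  -match 'Microsoft UEFI CA 2023'
    $has2023Kek     = $kek -match 'Microsoft Corporation KEK 2K CA 2023'

    # A device is only fully transitioned when both the Windows boot-manager CA
    # and the KEK used to authorise future db updates are the 2023 versions.
    $state = if ($has2023Windows -and $has2023Kek) {
        'Updated2023'
    } elseif ($has2023Windows -or $has2023Kek) {
        'PartiallyUpdated'
    } else {
        'Original2011Only'
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SecureBootSupported = $true
        SecureBootEnabled   = $enabled
        Has2011WindowsCA    = $has2011Windows
        Has2023WindowsCA    = $has2023Windows
        Has2011ThirdPartyCA = $has2011Third
        Has2023ThirdPartyCA = $has2023Third
        Has2023KEK          = $has2023Kek
        CertificateState    = $state
    }
}

# Run locally and show the result as a table.
Get-SecureBootCertificateStatus | Format-List
```

For a fleet, the same function can be pushed to remote machines with Invoke-Command and the objects exported to CSV, which gives the device inventory the article says organisations should build before the June deadline. A result of PartiallyUpdated or Original2011Only on a supported OS is the cue to check for a pending OEM firmware update rather than assuming Windows Update alone will complete the rollover.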