Skip to main content
TechnologyMay 27, 2026· 2 min read

Windows Secure Boot: Certificates Expire in June, What Risks Do PCs Face?

In June 2026, the Secure Boot certificates originally issued by Microsoft in 2011 for Windows devices will officially expire. The Redmond company has already begun distributing new security keys, named UEFI CA 2023, using the standard Windows Update channel to reach all eligible devices. This was discussed by some Microsoft executives in the security sector during an Ask Microsoft Anything session on YouTube.

It's worth noting, however, that Windows 11 machines produced starting in 2024 are already aligned, as they leave the factories with the new integrated certificates or have already absorbed the patch over the past months. For older machines, compatibility can be directly checked by the user within the Windows Security app. The update package will be installed automatically on supported systems, although Microsoft clarified that some specific hardware configurations may require an additional step, namely the installation of a custom firmware update released by the respective OEM manufacturer.

What Happens to Windows Computers That Don't Update

The Secure Boot feature is crucial for defending the Windows ecosystem, as it protects the PC by preventing malicious code from loading before the operating system itself starts. Through a real chain of custody, the functionality analyzes and validates the digital signatures of each piece of software involved in the boot phase, including UEFI firmware drivers, EFI applications, and the operating system kernel, ensuring that only services deemed trustworthy by the manufacturer are initiated.

Failing to switch to the new cryptographic keys will not cause an abrupt shutdown of the operating system. Microsoft’s security engineers have confirmed that unupdated PCs will continue to function normally and receive the usual monthly security updates. The real weak point will relate to the inability to support the latest and most advanced protections dedicated to the initial boot phase. This gap will expose PCs to concrete risks from firmware-level threats, such as bootkits, firmware rootkits, and boot sector viruses, capable of embedding themselves in deep areas of the hardware where normal antivirus solutions cannot operate.

Old computers still using legacy BIOS firmware will not suffer any consequences and will completely skip the update procedure, due to total physical incompatibility with Secure Boot technology. A different case applies to machines using the Compatibility Support Module (CSM) to emulate the old BIOS while running on a motherboard with modern UEFI firmware: in this specific case, the systems remain compatible with the protection specifications and will receive the new key in a manner entirely analogous to more modern PCs.