Microsoft’s June 2026 Secure Boot certificate expiry will force IT admins to confront a stealthy security erosion across Windows fleets. During a recent AMA, the company warned that affected devices will continue to boot after the deadline, but silently fall off the Secure Boot update path: a device that still trusts only the 2011 certificate authorities cannot accept the boot managers, third‑party shims and DBX revocations that Microsoft signs with the 2023 authorities from then on. The result: late, rushed certificate rollouts will trigger BitLocker recovery prompts in bulk, Intune compliance reporting will keep saying “Secure Boot on” for devices whose trust store is frozen, and attackers will find a widening window to implant pre‑boot malware that can no longer be revoked.

The issue centers on the Secure Boot certificate authorities (CAs) that Microsoft issued in 2011 and that shipped with Windows 8 and Windows Server 2012 in 2012: the Microsoft Corporation KEK CA 2011, the Microsoft Corporation UEFI CA 2011 (the third‑party CA behind shim loaders, option ROMs and other non‑Microsoft boot components) and the Microsoft Windows Production PCA 2011 (which signs the Windows boot manager). The first two expire in June 2026, the PCA in October 2026. UEFI firmware does not check certificate validity periods when it verifies a boot application, so these devices keep booting; what stops is the ability to sign anything new under the 2011 chain. A device whose db and KEK variables have not been updated to the 2023 CAs can no longer take new boot managers or new DBX revocations, and it falls behind without any visible warning to the end user.

The Clock Is Ticking: Secure Boot Certificates Set to Expire

In June 2026, the original Secure Boot CA certificates that Microsoft issued in 2011 and shipped with Windows 8 and Windows Server 2012 begin hitting their hard‑coded expiration dates: the KEK CA and the third‑party UEFI CA in June, the Windows Production PCA in October. These certificates sit in the UEFI variables of hundreds of millions of devices—desktops, laptops, tablets, and servers—manufactured from 2012 until each OEM began pre‑loading the 2023 certificates in firmware. While the newest hardware ships with the refreshed certificates, whose validity runs well into the 2030s, the installed base is squarely in the crosshairs.

Microsoft’s Security Response Center has been quiet about the deadline outside of technical channels, but the recent “Ask Microsoft Anything” (AMA) session on Secure Boot broke that silence. Company engineers fielded questions from enterprise admins who are already seeing test devices behave unpredictably as they roll the 2023 certificates to pilot groups. The prevailing message: don’t assume your fleet will be fine just because Windows 11 boots.

Understanding the 2011‑era Secure Boot Certificates

Secure Boot works by validating each piece of boot‑time code against a database of allowed signatures and certificates (the “db”) and a list of forbidden ones (the “dbx”). Updates to db and dbx must themselves be signed by a key listed in the Key Exchange Key database (KEK), and updates to KEK must be signed by the Platform Key (PK), which the OEM controls. The certificates expiring in 2026 are the Microsoft Corporation KEK CA 2011 (held in KEK), the Microsoft Corporation UEFI CA 2011 (held in db, for third‑party components) and, in October 2026, the Microsoft Windows Production PCA 2011 (held in db, for the Windows boot manager).

Each of these certificates carries a notAfter date in 2026: June for the KEK CA and the third‑party UEFI CA, October for the Windows Production PCA. UEFI firmware has no trusted clock and does not evaluate notAfter when it verifies a boot application, so binaries already signed under the 2011 chain keep loading after that moment. What changes is on the signing side: nothing new is signed with an expired CA. Operating system loaders, third‑party option ROMs, shims and DBX revocations issued after expiry carry only the 2023 chain, and firmware whose db still lists only the 2011 CAs will treat them as untrusted.

Microsoft has been pre‑emptively moving to the 2023 certificates—Windows UEFI CA 2023 for the boot manager, Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 for third‑party code, and Microsoft Corporation KEK 2K CA 2023 for KEK—and has already signed Windows boot managers with the new chain. The new db entries are enrolled by Windows, but the KEK entry must be authorized by the OEM’s PK, and firmware that mishandles variable updates needs a firmware fix. Both depend on the device manufacturer, and many older devices will never receive such updates.

Why This Expiry Matters for Windows Fleets

The immediate impact is not a blue screen or a boot failure. The device boots exactly as before, and the firmware keeps reporting “Secure Boot: On”, truthfully, because the 2011‑signed boot manager still verifies against the 2011 CA that is still present in db. The erosion is in what the firmware can no longer accept: DBX entries revoking boot managers found to be vulnerable, and boot managers signed only with the 2023 CA. A bootkit that exploits a boot component Microsoft would otherwise revoke stays loadable indefinitely on such a device, and nothing in the firmware or the OS indicates that it has fallen out of the update path. This silent freeze is the nightmare scenario for security teams because it leaves the door open to bootkits, rootkits, and other pre‑boot malware without any obvious indicator of compromise.

For enterprise Windows fleets, the consequences cascade. BitLocker binds its volume key to the TPM’s Platform Configuration Register 7, which measures the Secure Boot policy: the SecureBoot flag, PK, KEK, db, dbx and the certificate that verified the boot manager. Expiry itself changes none of those values, so June 2026 will not by itself trigger recovery. The recovery risk comes from the remediation: enrolling the 2023 CAs into db and KEK and switching to a 2023‑signed boot manager changes PCR 7, and a device whose TPM protector was not suspended for that reboot, or whose recovery key was never escrowed, demands a 48‑digit recovery key at the next boot—a user‑facing incident that can flood helpdesks when the rollout is done late and all at once.

Intune and other mobile device management (MDM) platforms will also lose their grip. A compliance policy that mandates “Secure Boot enabled” reads a Boolean from device health attestation, and that Boolean stays true for a device that trusts only the 2011 CAs, so the fleet looks healthy while its Secure Boot trust store is frozen. Admins who respond by tightening Conditional Access around a custom “certificates updated” check need to stage it carefully, because a check that fires before the OEMs have caught up becomes a self‑inflicted denial of service.

The Silent Boot: How Devices May React After June 2026

Microsoft’s AMA made one point emphatically: “Windows fleets may keep booting after the deadline while silently” losing the very protections admins think are active. Whether a given device can be brought back onto the update path depends on the UEFI vendor and firmware version:

  • Firmware that mishandles variable updates: some older implementations reject or mis‑apply the larger db and KEK payloads, or lack the variable storage for them. These devices need a firmware fix from the OEM before the 2023 certificates can be enrolled at all.
  • Devices without an OEM‑signed KEK update: the new Microsoft KEK entry must be signed by the OEM’s Platform Key. Where the OEM never produced that signature, Windows can add the 2023 CAs to db but not to KEK, and once the KEK CA 2011 expires the device can no longer take db or DBX updates from Microsoft.
  • Surface devices: Microsoft has committed to providing updated firmware for all in‑support Surface devices, but legacy hardware like Surface Pro 4 will remain on the 2011 certificates.
  • Devices that boot third‑party code: Linux dual‑boot shims, add‑in card option ROMs and network boot firmware signed after the expiry need Microsoft UEFI CA 2023 or Microsoft Option ROM UEFI CA 2023 in db, not just the Windows CA, so a “Windows boots fine” test proves nothing about them.

The disparity in behavior is what makes the deadline so dangerous. IT departments cannot rely on a single testing profile; they must validate every hardware model in their environment.

BitLocker and Secure Boot: A Tangled Dependency

BitLocker’s default protection uses PCR 7 validation, which measures the Secure Boot configuration: the SecureBoot flag, PK, KEK, db, dbx and the certificate that verified the boot manager. Nothing in that list changes when a certificate reaches its notAfter date, so the expiry itself will not send the fleet into recovery. Enrolling the 2023 certificates into db and KEK, and switching to a boot manager signed with the Windows UEFI CA 2023, does change PCR 7. Applied without suspending the TPM protector first, that update means a recovery prompt; applied fleet‑wide in the last weeks before the deadline, it means thousands of employees locked out at once, each requiring a 48‑digit recovery key.

Admins who rely on the “Allow secure boot for integrity validation” group policy (the setting that keeps BitLocker on the PCR 7 profile) will see the effect most directly, because PCR 7 is exactly what the certificate update alters; “Configure the use of hardware‑based encryption for fixed data drives” has no bearing on it. Entering the recovery key is a one‑time event: BitLocker re‑seals the TPM protector to the new measurements on that boot, so a recovery loop only arises if the Secure Boot variables keep changing between boots, for example when a failed update is retried on every restart.

Microsoft’s existing documentation on “BitLocker recovery scenarios” does not yet explicitly cover an expired Secure Boot certificate, leaving admins to piece together the puzzle from test results.
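The pre‑flight a practitioner would want before touching db or KEK on a BitLocker‑protected device, as an added example that is not from the AMA or from Microsoft’s own tooling. It reads the TPM protector’s PCR profile, makes sure a recovery password exists and is escrowed, and suspends BitLocker for exactly one reboot so the PCR 7 change does not force recovery. It assumes an Entra ID‑joined device (BackupToAAD-BitLockerKeyProtector); domain‑joined devices would use Backup-BitLockerKeyProtector instead. Run it elevated.

```powershell
# Added example: BitLocker pre-flight for a Secure Boot certificate rollout.
# Assumes the OS volume is BitLocker-protected with a TPM protector and that
# recovery keys are escrowed to Entra ID (an assumption about the tenant).
param([string]$MountPoint = $env:SystemDrive)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    Write-Output "BitLocker is not protecting $MountPoint; nothing to suspend."
    return
}

# 1. Show which PCRs the TPM protector is bound to. "7, 11" is the Secure Boot
#    profile that a db/KEK change will break; "0, 2, 4, 11" is the legacy profile.
$tpm = $vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*'
if (-not $tpm) { throw "No TPM protector on $MountPoint; nothing binds to PCR 7." }
$out  = manage-bde -protectors -get $MountPoint
$hit  = $out | Select-String 'PCR Validation Profile' | Select-Object -First 1
$pcrs = if ($hit) { $out[$hit.LineNumber].Trim() } else { 'unknown' }   # line after the header
Write-Output "TPM protector type: $($tpm.KeyProtectorType); PCR profile: $pcrs"

# 2. Make sure a recovery password exists and is escrowed before anything changes.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    $rp = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
foreach ($p in $rp) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    Write-Output "Escrowed recovery password protector $($p.KeyProtectorId)"
}

# 3. Suspend for one reboot. BitLocker stays off through the boot that applies the
#    new db/KEK contents and re-seals the TPM protector to the new PCR 7 value.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
Write-Output "Protection status now: $((Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus)"
```

Run it immediately before the reboot that enrolls the 2023 certificates or installs the 2023‑signed boot manager; the one‑reboot suspension expires on its own, so a device that never reboots is not left permanently unprotected.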

Intune Management: The Compliance Conundrum

Intune’s device compliance engine takes the Secure Boot state from device health attestation, which reports SecureBootEnabled as a Boolean. That flag says whether the firmware is enforcing signature checks, not which CAs the db trusts, so a device that still carries only the 2011 certificates—and with them a boot manager that can never be revoked—attests as true and stays compliant. Conditional Access policies that trust this flag will let such devices onto the network, indistinguishable from updated ones.

Worse, Intune’s built‑in Windows 10/11 compliance settings offer “Require Secure Boot to be enabled” and nothing finer‑grained. After the expiry, devices with outdated firmware will be non‑compliant in spirit but compliant in reporting. Until health attestation exposes the certificate state, the only way to get an accurate policy is a custom compliance script that reads the db and KEK variables and reports whether the 2023 CAs are present.

What Microsoft Revealed in the AMA

The AMA offered several concrete takeaways for enterprises:

  • No firmware remediation via Windows Update: Windows Update enrolls the 2023 certificates into the db and KEK variables and delivers the 2023‑signed boot manager, but it cannot fix firmware that rejects those variable updates, and it cannot conjure the PK‑signed KEK update that only the OEM can produce. Firmware updates remain the responsibility of the original equipment manufacturer (OEM).
  • Windows itself will not notify users of the expiry: there is no toast notification or health check that warns end users. The signal is in the System event log, where Windows records Secure Boot servicing events under the TPM‑WMI source; admins must collect that themselves or rely on custom scripts.
  • The “Microsoft Third Party UEFI CA” is also affected: add‑in cards, Thunderbolt docks and network boot firmware already signed under the 2011 CA keep working, but anything signed after the expiry needs Microsoft UEFI CA 2023 or Microsoft Option ROM UEFI CA 2023 in db, potentially breaking PXE boot, docking stations, and peripheral firmware updates on devices that lack them.
  • Server fleets are just as vulnerable: Windows Server 2012 R2 and later that rely on the 2011 certificates for Secure Boot face the same frozen‑trust‑store scenario, which is particularly concerning for Hyper‑V hosts and bare‑metal domain controllers.

Microsoft’s official guidance during the AMA was to audit the fleet immediately, engage OEMs for firmware updates, and prepare a backup plan that includes temporarily disabling Secure Boot through UEFI settings if a device cannot be updated before the deadline.

Steps Enterprises Must Take Now

With the deadline fixed, action cannot wait. Here is a prioritized checklist for IT administrators:

  1. Inventory every device that boots Windows: Collect firmware revision, UEFI vendor, and the certificates present in the db and KEK variables. In PowerShell, Confirm-SecureBootUEFI reports whether Secure Boot is on, and Get-SecureBootUEFI -Name db (and -Name KEK) returns the raw variable contents, which hold the X.509 certificates and their notAfter dates.
  2. Identify out‑of‑support hardware: Any device that no longer receives firmware updates from its manufacturer is a candidate for replacement or, at minimum, special handling.
  3. Engage OEMs for firmware update roadmaps: Dell, HP, Lenovo, and others are aware of the expiry and may have beta firmware available. Demand explicit confirmation that the new firmware trusts the Microsoft PCA 2023 certificates.
  4. Test the rollout per model: Use a test bench to apply the db and KEK updates and the 2023‑signed boot manager, then observe BitLocker behavior, boot path, and Intune compliance reporting. Advancing the system clock past June 2026 on its own proves little, because firmware does not check certificate dates at boot.
  5. Deploy updated compliance checks: If Intune cannot detect a frozen trust store, use a custom compliance discovery script that reads the db and KEK variables through Get-SecureBootUEFI and reports whether the 2023 CAs are present.
  6. Plan for BitLocker recovery key distribution: Ensure that recovery keys are securely stored and that helpdesk staff are trained on the increased call volume. Develop a user communication that explains the one‑time recovery prompt without causing panic.
  7. Build a fallback process: For devices that cannot be updated, document a manual procedure to disable Secure Boot outright (which moves BitLocker off the PCR 7 profile and triggers a one‑time recovery prompt unless the protector is suspended first) and apply compensating controls such as application control policies or network segmentation.
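One script that serves the inventory step, the custom compliance step and the Intune section above, as an added example that is not from the AMA, from Microsoft’s tooling or from the original article. It parses the EFI_SIGNATURE_LIST structures in the db and KEK variables (layout per the UEFI specification), lists every CA with its notAfter date, checks which CA signed the active boot manager, and prints the single JSON object an Intune custom compliance discovery script must emit. The setting names in the JSON, and the 2027 cut‑off used to flag “expiring” certificates, are choices made for this example; the 2023 CA subject names are Microsoft’s published ones. Run elevated on a UEFI machine.

```powershell
# Added example: Secure Boot trust-store inventory plus Intune custom compliance output.
# Assumptions: UEFI_SIGNATURE_LIST layout from the UEFI spec, Microsoft's 2023 CA names,
# and hypothetical setting names (SecureBootCA2023Ready etc.) for the compliance JSON.
$EfiCertX509 = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootCertificate {
    # Walk the EFI_SIGNATURE_LIST chain in a Secure Boot variable; return each X.509 cert.
    param([Parameter(Mandatory)][ValidateSet('PK','KEK','db','dbx')][string]$Name)
    $bytes  = [byte[]](Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        $type     = [guid]::new([byte[]]($bytes[$offset..($offset + 15)]))   # SignatureType
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)     # SignatureListSize
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)     # SignatureHeaderSize
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)     # SignatureSize
        if ($listSize -lt 28) { break }                                      # corrupt list: stop
        if ($type -eq $EfiCertX509) {
            $pos = $offset + 28 + $hdrSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA = 16-byte SignatureOwner GUID followed by the DER certificate
                $der  = [byte[]]($bytes[($pos + 16)..($pos + $sigSize - 1)])
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Get-BootManagerIssuer {
    # Mount the EFI system partition on a free drive letter and read the issuer of the
    # certificate that signed the active Windows boot manager.
    $letter = [char[]](90..68) | ForEach-Object { "$($_):" } |
              Where-Object { -not (Test-Path $_) } | Select-Object -First 1
    mountvol $letter /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature -FilePath "$letter\EFI\Microsoft\Boot\bootmgfw.efi"
        return $sig.SignerCertificate.Issuer
    } finally {
        mountvol $letter /D | Out-Null
    }
}

try { $secureBootOn = [bool](Confirm-SecureBootUEFI) } catch { $secureBootOn = $false }

$certs = foreach ($v in 'KEK', 'db') { Get-SecureBootCertificate -Name $v }
$kekReady   = [bool]($certs | Where-Object { $_.Variable -eq 'KEK' -and $_.Subject -like '*KEK 2K CA 2023*' })
$winReady   = [bool]($certs | Where-Object { $_.Variable -eq 'db'  -and $_.Subject -like '*Windows UEFI CA 2023*' })
$thirdReady = [bool]($certs | Where-Object { $_.Variable -eq 'db'  -and $_.Subject -like '*Microsoft UEFI CA 2023*' })
$bootMgr2023 = (Get-BootManagerIssuer) -like '*Windows UEFI CA 2023*'
$expiring   = @($certs | Where-Object { $_.NotAfter -lt [datetime]'2027-01-01' })

# For the audit spreadsheet: $certs | Sort-Object NotAfter | Export-Csv <path>.
# Intune custom compliance reads exactly one compressed JSON object from stdout.
@{
    SecureBootEnabled        = $secureBootOn
    SecureBootCA2023Ready    = ($secureBootOn -and $kekReady -and $winReady -and $thirdReady)
    BootManagerSigned2023    = [bool]$bootMgr2023
    ExpiringCertificateCount = $expiring.Count
} | ConvertTo-Json -Compress
```

Pair the discovery script with a JSON rules file whose SettingName is SecureBootCA2023Ready, Operator IsEquals, DataType Boolean and Operand true, and stage the policy to a pilot group first: a device the OEM has not caught up with will report false and, under a Conditional Access rule, lose access. Note that the script treats the device as ready only when all three 2023 CAs are present; a db that has the Windows CA but lacks the third‑party CA still breaks newly signed option ROMs and shims.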

Timeline and Key Dates

Date: Milestone
Now to Q3 2025: Audit fleet, test devices, engage OEMs
Q4 2025 to Q1 2026: Deploy certificate and firmware updates to pilot groups
Q1 2026 to May 2026: Roll the updates out fleet‑wide via Windows Update or management tools
June 2026: Expiry of the KEK CA 2011 and the third‑party UEFI CA 2011; activation of fallback plans for any remaining devices
October 2026: Expiry of the Windows Production PCA 2011
Post‑June 2026: Monitor BitLocker recovery events, Intune compliance status, and helpdesk tickets for unexpected boot failures

A Looming Security Headache for IT Admins

The June 2026 Secure Boot certificate expiry is not the sort of crisis that makes headlines with a single catastrophic failure. It is, instead, a slow‑burn compliance and security disaster that will unfold over the months following the deadline, as unrevoked boot components accumulate on devices that can no longer be serviced. Enterprises that delay preparation will find themselves fighting simultaneous BitLocker recovery storms from a rushed rollout, conditional access lockouts, and—most critically—a silent open door for firmware‑level attacks.

Microsoft’s AMA made it clear that the burden lies squarely on device manufacturers and IT departments. There is no silver bullet patch from Redmond. The only safe path is a meticulous, hardware‑by‑hardware refresh of the db and KEK variables, the boot manager and, where the firmware needs it, the firmware itself, completed while the 2011 certificates can still authorize the update. For IT admins, the countdown has already begun.