Millions of Windows 11 PCs could become unbootable starting in late June 2026, when Microsoft’s original Secure Boot certificate chain begins to expire. The expiration affects older devices that haven’t received updated 2023 certificates through Windows Update, potentially triggering BitLocker recovery prompts and boot errors. Microsoft has already begun rolling out the new certificates, but users with outdated firmware or those who rarely update may be caught off guard.
What’s Actually Happening with Secure Boot Certificates?
At the heart of the issue is the Secure Boot ecosystem, which relies on digital certificates to verify that only trusted code runs during startup. When you power on a Windows 11 PC, the UEFI firmware checks the bootloader, OS kernel, and drivers against a set of authorized signatures stored in the Secure Boot database. Microsoft acts as a Certificate Authority (CA) for many of those signatures, and its root certificates have a limited lifespan.
Specifically, Microsoft’s “Microsoft Corporation UEFI CA 2011” certificate—the one that signed boot components for a decade—will begin expiring as early as June 28, 2026. After that date, PCs still relying on that certificate will see boot-time signature checks fail. The system won’t trust the very code it needs to load Windows, leading to a blue-screen error, forced recovery mode, or a prompt to enter a BitLocker recovery key.
To avoid this, Microsoft released a replacement certificate chain in 2023: the “Microsoft Corporation UEFI CA 2023.” This new certificate is now being delivered to compatible systems through regular Windows Update, often bundled with cumulative updates. Once installed, the 2023 CA signs new boot files and coexists with the 2011 CA until the old one expires. In most cases, the update happens silently, and the PC continues to boot normally.
But not every Windows 11 machine gets the update automatically. Systems with Secure Boot disabled at the firmware level won’t receive it. Likewise, if the firmware doesn’t support the 2023 certificate’s hash algorithm or if the PC is air-gapped and never updated, the fix won’t land. Some OEMs may also ship their own custom keys, but Microsoft’s advisory makes clear that every Windows 11 device should have the 2023 CA installed before the deadline.
The Real-World Impact: Boot Failures and BitLocker Headaches
The practical fallout depends on who you are and how you use your PC.
For Home Users
Most home users won’t need to do anything, provided their PCs are online and regularly patched. But if you’re on Windows 11 with Secure Boot turned off—perhaps because you dual-boot Linux or run older hardware—you’re at risk. Come June 2026, the first reboot after the certificate expires could land you on a recovery screen demanding a BitLocker key you may not remember saving to your Microsoft account. Even without BitLocker, the machine may fail to load Windows entirely.
Scarier still: if you don’t notice until after the expiration, the standard recovery environment (WinRE) might also be affected, making repair tools unavailable. The only fix would be to boot from USB, disable Secure Boot temporarily, or restore from a disk image—provided you have one.
For IT Administrators
Enterprise fleets face a more complex challenge. Many organizations use images with older driver packages or customized boot loaders that might still be signed by the 2011 CA. If those components aren’t re-signed or updated before the expiration, entire batches of PCs could fail simultaneously. BitLocker recovery keys stored in Active Directory or Microsoft Endpoint Manager will become the only lifeline—assuming the recovery environment itself still works.
Admins should start auditing their hardware estate now. Dell, HP, Lenovo, and other major OEMs have already released firmware updates that incorporate the 2023 CA, but older models may not receive them. For custom-built or white-box systems, the motherboard manufacturer’s support page is the place to check.
For Developers and Testers
If you run virtual machines or test environments with Secure Boot enabled, the expiration may trip you up. Older ISOs or VMs that haven’t been updated may fail to boot after June 2026. Ensure your test images include the latest cumulative update that contains the 2023 certificate, or rebuild them from scratch with a current Windows 11 build.
How We Got to This June 2026 Expiration
Secure Boot first appeared with Windows 8 and UEFI firmware over a decade ago. Microsoft’s 2011 CA was embedded in virtually every Secure Boot–capable PC sold, and it was set to expire roughly ten years later. In practice, the certificate chain didn’t fail immediately on its 2021 expiration date because Microsoft issued a servicing update that prolonged its trust until June 2026. That extension gave OEMs and Microsoft time to prepare a seamless transition.
The 2023 replacement certificate was designed to be more agile, with support for modern cryptographic hashes and future revocation mechanisms. Microsoft began embedding it in Windows 11 builds as early as 2023, and by late 2024, the update was included in the monthly security rollups. However, the rollout has been deliberately gradual to avoid breaking legacy configurations. Microsoft’s documentation emphasizes that the 2023 CA is intended to replace the 2011 CA eventually, not to coexist indefinitely.
A similar expiration event occurred with the “Microsoft Windows Production PCA 2011” in early 2020, causing isolated boot failures on some older Windows 7 and 8.1 systems. That event taught Microsoft that proactive communication and automated update paths are critical. Hence, the company has been notifying partners and publishing advisories well ahead of the June 2026 cutoff.
Your Action Plan: Check and Update Now
No one wants to face a boot failure at an inconvenient moment. Here’s exactly what to do on each Windows 11 PC you rely on.
1. Confirm Secure Boot Is Enabled
Open System Information (type msinfo32 in the Start menu) and look for “Secure Boot State.” It should say “On.” If it’s off, reboot into your UEFI firmware settings, locate the Secure Boot option, and enable it. Save changes and restart. Note: enabling Secure Boot on an existing installation can cause boot issues if your disk partitions aren’t configured for UEFI; most Windows 11 PCs should already be set up correctly, but tread carefully.
2. Verify the 2023 Certificate Is Present
Open a PowerShell window as Administrator and run:
Get-SecureBootUEFI -Name db
This returns the authorized signature database (db). Look for an entry named Microsoft Corporation UEFI CA 2023. If you see it, your system is already protected. If it’s missing, proceed to step 3.
3. Install All Pending Windows Updates
Go to Settings > Windows Update and click Check for updates. Install everything offered, including optional updates. The 2023 CA is typically included in cumulative updates starting around KB502xxxx (the exact KB number varies by OS build). After the update installs and restarts, run the PowerShell command again to confirm the certificate now appears.
4. Update Your Firmware
Even with the 2023 CA in Windows, your UEFI firmware must know to trust it. Most OEMs have issued firmware updates that add the 2023 certificate to the board’s built-in allowed list. Check Settings > Windows Update > Advanced options > Optional updates for a firmware update from your OEM. If none appears, visit the manufacturer’s support site, search for your model, and install the latest BIOS/UEFI firmware. Dell, for example, labels updates that add the 2023 CA in their release notes as “UEFI CA 2023 support.”
5. Back Up Your BitLocker Recovery Key
Before the expiration date arrives, make sure you know how to retrieve your BitLocker recovery key. Sign in to your Microsoft account at https://aka.ms/myrecoverykey and verify that every device you own has a key saved. For workplace PCs, contact your IT department to ensure keys are escrowed in Active Directory or Azure AD. Having the key handy can mean the difference between a five-minute fix and a complete reinstall.
6. What If You Miss the Deadline?
If June 2026 arrives and your PC refuses to boot, all is not lost. You can temporarily disable Secure Boot in your UEFI firmware settings to get back into Windows. Then, install the missing updates and firmware patches, re-enable Secure Boot, and you’re back in business. The process varies by motherboard vendor, so search for your model’s instructions ahead of time.
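Steps 1 and 2 above can also be scripted, which helps when auditing more than one machine. The following is an added example, not code from the original article or from Microsoft: Get-SecureBootUEFI returns the db variable as raw bytes, so the hypothetical helper Get-SecureBootDbCertificate walks the EFI_SIGNATURE_LIST structures in it and reports each certificate's subject and expiry date. It assumes an elevated PowerShell session on a UEFI system.

```powershell
# Added example (not Microsoft's tooling). Run in an elevated PowerShell session.
# Parses the UEFI 'db' variable as a series of EFI_SIGNATURE_LIST structures
# and returns every X.509 certificate stored in it.
$EfiCertX509 = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootDbCertificate {   # hypothetical helper name
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # List header: SignatureType (16 bytes), then ListSize, HeaderSize,
        # SignatureSize (4 bytes each, little-endian)
        $type     = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        if ($type -eq $EfiCertX509 -and $sigSize -gt 16) {
            $end = $offset + $listSize
            # Each entry: SignatureOwner GUID (16 bytes), then the DER certificate
            for ($pos = $offset + 28 + $hdrSize; $pos + $sigSize -le $end; $pos += $sigSize) {
                $der  = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
        $offset += $listSize   # hash-only lists (non-X.509) are skipped
    }
}

# Step 1: Confirm-SecureBootUEFI throws on legacy BIOS systems or without elevation
if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is disabled in firmware.' }

# Step 2: list the db certificates and report whether a 2023 CA is among them
$certs = Get-SecureBootDbCertificate -Bytes (Get-SecureBootUEFI -Name db).Bytes
$certs | Sort-Object NotAfter | Format-Table -AutoSize
if ($certs.Subject -match 'UEFI CA 2023') {
    'A 2023 CA is present in db.'
} else {
    Write-Warning 'No 2023 CA found in db; continue with steps 3 and 4.'
}
```

The NotAfter column shows when each trusted certificate expires, so the same output can be collected across a fleet to find machines that still carry only the 2011 entries.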
What Comes Next
The June 2026 expiration is not a sudden crisis but a predictable transition. Microsoft has learned from past certificate expirations and built a multi-year runway for this one. As the deadline approaches, expect more aggressive update prompts, possibly a dedicated Windows Update notification that checks your certificate status. The company may also publish a standalone tool to verify and fix affected systems.
For most users, the safest bet is simply to keep Windows 11 up to date and ensure Secure Boot stays enabled. Administrators should factor this into their long-term lifecycle management, treating the 2023 CA as a critical dependency for any machine still in service after mid-2026. The clock is ticking, but the fix is already available—you just need to make sure your PC has it.