Windows PCs Face Boot Security Certificate Expiry This June

Hana Lee

Windows Secure Boot certificates expiring in June affecting PC security updates

Windows PCs running Secure Boot rely on certificates issued back in 2011 to ensure boot-time security. Starting June 24, these certificates will expire, raising questions about how this affects device security and update paths.

  • Three critical Secure Boot certificates expire between June and October 2023.
  • Expired certificates don’t stop PCs from booting but block future Secure Boot updates.
  • Windows 11 systems on supported builds receive automatic certificate updates; older Windows 10 and unsupported devices may not.
  • OEM firmware updates are necessary on some devices to fully support the new certificates.

Certificates Expire in Staggered Phases

The Microsoft Corporation KEK CA 2011 certificate expires on June 24, followed by the Microsoft UEFI CA 2011 on June 27. The most critical deadline is October 19, when the Microsoft Windows Production PCA 2011 certificate expires. This last certificate signs the Windows bootloader, making its expiration pivotal for maintaining boot integrity over time. Microsoft has been rolling out replacement 2023 certificates through monthly Windows Updates since January.

What Changes After Certificate Expiry?

Your PC will continue to boot normally and receive standard Windows updates even after these certificates expire. However, the trade-off is losing the ability to receive new Secure Boot database updates, certificate revocation lists, and patches for boot-layer vulnerabilities. This exposes devices to potential firmware-level exploits without a patching path. Notably, attacks like BlackLotus have targeted these boot-layer weaknesses.

Checking and Updating Your Device

Users can check their Secure Boot certificate status in Windows Security under Device Security. Microsoft’s support article KB5062710 provides guidance on the expiration and update process. Windows 11 users on supported builds generally receive the new certificates automatically. However, Windows 10 users outside the Extended Security Updates program may not, representing a security risk.

Firmware Updates Are the Bigger Question for Older Devices

New Secure Boot certificates require matching OEM firmware updates because the certificate chain anchors directly in UEFI firmware. Devices from manufacturers that no longer provide firmware updates may remain on the expired 2011 certificates despite Windows updates. The practical recommendation is to apply all available Windows updates, verify certificate status, and if updates are missing, contact your device OEM for potential firmware support.
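An added example, not part of the article: a PowerShell check (run elevated) that reads the firmware's KEK and db variables and reports whether the 2011 certificates named above and their 2023 replacements are present. The 2023 certificate names are Microsoft's published names for the replacement CAs and are not quoted in the article; the script assumes the SecureBoot PowerShell module that ships with Windows.

```powershell
#Requires -RunAsAdministrator
# Added example: which Microsoft Secure Boot CAs does this firmware currently trust?
# 2011 names come from the article; 2023 names are the published replacements.
$expected = [ordered]@{
    'KEK' = @{ Old = 'Microsoft Corporation KEK CA 2011';    New = 'Microsoft Corporation KEK 2K CA 2023' }
    'db'  = @{ Old = 'Microsoft Windows Production PCA 2011'; New = 'Windows UEFI CA 2023' }
}
# Microsoft UEFI CA 2011 (third-party / option ROM signing) also lives in db.
$thirdParty = @{ Old = 'Microsoft UEFI CA 2011'; New = 'Microsoft UEFI CA 2023' }

if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is off or unsupported on this machine; certificate state does not apply.'
    return
}

function Test-SecureBootVar {
    param([string]$Name, [string]$Subject)
    # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST bytes of the variable.
    # DER-encoded certificates carry the subject CN as plain ASCII, so a substring
    # match on the decoded bytes is enough to tell whether a CA is enrolled.
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    return ([System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Subject))
}

$report = @(foreach ($var in $expected.Keys) {
    [pscustomobject]@{
        Variable = $var
        Has2011  = Test-SecureBootVar $var $expected[$var].Old
        Has2023  = Test-SecureBootVar $var $expected[$var].New
    }
})
$report += [pscustomobject]@{
    Variable = 'db (third-party CA)'
    Has2011  = Test-SecureBootVar 'db' $thirdParty.Old
    Has2023  = Test-SecureBootVar 'db' $thirdParty.New
}
$report | Format-Table -AutoSize

if ($report.Has2023 -contains $false) {
    Write-Warning 'A 2023 CA is missing: apply pending Windows updates, then check for an OEM firmware update (KB5062710).'
} else {
    Write-Host 'All 2023 replacement CAs are enrolled; Secure Boot updates can continue after the 2011 certificates expire.'
}
```

A 2023 CA appearing in db means the firmware trusts the new chain; whether Windows has already switched to a boot manager signed by it is a separate step, so treat this as a trust-store check rather than a full migration check.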

The trade-off is clear: while most devices will continue functioning, the inability to patch future boot-level vulnerabilities on some older or unsupported hardware could pose a growing security concern. Buyers and users should weigh the risks, especially if their PC is used in sensitive or security-critical environments.

Boot-level protection will hold up if you have a supported Windows 11 device or regularly update your system and firmware. Expect it to degrade over time if you rely on older Windows 10 hardware without extended support or firmware updates, since Secure Boot protections cannot be patched once the certificates expire.
