- Windows 11 and Windows 10 PCs will not stop booting when the 2011 Secure Boot certificates expire in June 2026.
- Microsoft is replacing the 2011 certificate infrastructure with newer 2023 certificates delivered through Windows Update.
- The majority of users don’t need to take action manually, as the migration is designed to happen automatically.
- Windows Security now includes indicators and alerts to help users determine whether their device is ready.
Over the last few weeks, I’ve received emails, comments, and messages from readers worried about Microsoft’s Secure Boot certificate expiration deadlines.
Some users think their Windows 11 (or Windows 10) computers will stop booting on June 27, 2026. Others are concerned about BitLocker, UEFI firmware updates, Secure Boot warnings, or whether they need to take action before the deadline.
After researching Microsoft’s support and testing the changes on several Windows devices, here are answers to the questions I see most often.
Is my PC going to stop booting on June 27, 2026?
No. This is by far the biggest misconception surrounding the Secure Boot certificate transition. When the 2011 Secure Boot certificates expire, your computer won’t suddenly refuse to start. The device will continue to boot normally.
The expiration mainly affects how systems process future trust updates, revocation lists, and newer boot components.
If you’re wondering what the actual risks are, I explain them in more detail in my guide on the security risks of Secure Boot certificates expiring in 2026.
Which certificates are actually expiring?
Microsoft is replacing several Secure Boot certificates introduced in 2011. The first deadline arrives on June 27, 2026, when the UEFI CA 2011 and KEK CA 2011 certificates expire. Later, in October 2026, the Windows Production PCA 2011 certificate also reached expiration.
The company has been preparing for this transition by deploying a new family of certificates issued in 2023 through Windows Update.
If you want a complete breakdown of the timeline and why Microsoft is making these changes, see my guide on Secure Boot certificates expiring in June 2026 on Windows 11.
How do I know if my computer is affected?
The easiest answer is that if you’re running Windows 10 or Windows 11 with Secure Boot enabled on older hardware, you’re likely affected by the transition.
That doesn’t mean your computer is in danger. It simply means Microsoft needs to update your system’s Secure Boot trust chain before the older certificates expire.
The best way to verify whether your devices are affected is to check the installed certificates and Secure Boot health information on your devices. I explain exactly how to do that in my guide on checking Secure Boot certificate expiration on Windows 11.
Do I need to do anything manually?
For most users, no. Microsoft designed the migration process to happen automatically through Windows Update. As long as your device is supported and receiving updates, the operating system should handle the deployment in the background.
In most cases, there is no need to modify firmware settings or manually install certificates.
Do I need to update my UEFI (BIOS) firmware?
Usually no. The Secure Boot certificate transition is primarily delivered through Windows Update, not through a motherboard firmware update.
However, some older devices may require firmware updates from the manufacturer if they don’t fully support the newer certificate infrastructure. If your system shows errors or fails to install the update, it’s worth checking whether your computer manufacturer has released a newer firmware version.
What do the Green, Yellow, and Red badges in Windows Security mean?
Microsoft recently added a Secure Boot details page to the Windows Security app. These indicators help explain whether your device is ready for the certificate transition:
- Green means the new 2023 certificates are installed.
- Yellow means the system is still using older certificates or waiting for deployment.
- Red means there is a problem that requires attention.
If you’re seeing one of these alerts, my guide on Secure Boot certificate alerts on Windows 11 explains what each warning means and what actions, if any, you should take.
How can I check if my PC already has the new certificates?
You don’t have to guess. Windows includes tools that allow you to verify which Secure Boot certificates are currently installed on your system.
I created a comprehensive guide showing how to check whether your computer already has the new Secure Boot certificates and confirm if you’re ready for the transition.
I found a new Secure Boot folder on my C: drive. Is it malware?
No. Windows 11 (and Windows 10) uses this folder as a temporary staging area for the new Secure Boot certificate files before they’re written to the motherboard’s firmware.
The folder is a legitimate part of Microsoft’s deployment process and shouldn’t be deleted.
Windows Security says “Older boot trust configuration.” Should I worry?
Usually not. In many cases, this warning simply means the migration process hasn’t completed yet. It doesn’t necessarily indicate a security issue or a problem with Secure Boot itself.
If the warning persists, follow the steps in my guide on fixing the “Older boot trust configuration” warning on Windows.
What happens if I ignore the certificate update?
Your device will probably continue to boot normally. However, over time, systems that don’t receive the newer certificates may be unable to process future Secure Boot revocation updates or trust newer boot components.
In other words, the immediate risk is low, but the long-term security implications are why Microsoft is encouraging users to migrate to the newer certificate infrastructure.
Can I manually install the new Secure Boot certificates?
Yes. Microsoft provides methods for manually deploying the newer certificates, and administrators can also automate the process using Group Policy, registry settings, and scheduled tasks.
For most home users, manual installation isn’t necessary. However, if you’re troubleshooting a deployment issue or managing multiple computers, manually installing the certificates may be helpful.
What happens if I reset my BIOS or clear the CMOS later?
This is one scenario that enthusiasts and network administrators should be aware of. Some motherboards may restore the original Secure Boot configuration after a BIOS (UEFI) reset or CMOS clear. If Windows 11 has already migrated to the newer certificates, the mismatch could trigger a Secure Boot violation error during startup.
Fortunately, the issue can usually be resolved by allowing the operating system to reapply the certificates or manually importing the newer keys through the firmware settings.
What if Secure Boot is disabled on my PC?
Systems with Secure Boot disabled generally won’t receive the certificate update.
Microsoft requires Secure Boot to be enabled before the newer certificates can be safely deployed. If you’ve intentionally disabled the feature, your system may remain on the older certificate infrastructure until Secure Boot is turned back on.
Do the Secure Boot certificates also affect Windows 10?
Yes. Although much of the discussion has focused on Windows 11, the Secure Boot certificate transition also affects supported Windows 10 devices.
The underlying Secure Boot infrastructure is shared across both operating systems, which means Microsoft is delivering the updated certificates to supported Windows 10 and Windows 11 systems.
Pureinfotech’s Take
I think the biggest issue with this Secure Boot transition is the confusion surrounding it. I’ve seen many users worry that their computers will stop booting when the certificates expire, but for most people, this should be a routine security update handled through Windows Update.
Are you concerned about the June 2026 Secure Boot certificate expiration?
Voting closes: June 30, 2026 1:00 pm
I do like that Microsoft is finally providing more visibility through Windows Security. The new alerts and status indicators make it easier to understand whether a device is ready without having to dig through firmware settings or PowerShell commands.
For most users, my advice is simple. Just keep Windows 11 (or 10) updated and don’t panic about the June 2026 deadline.
Mauro Huculak is a Windows How-To Expert and founder of Pureinfotech in 2010. With over 22 years as a technology writer and IT Specialist, Mauro specializes in Windows, software, and cross-platform systems such as Linux, Android, and macOS.
Certifications: Microsoft Certified Solutions Associate (MCSA), Cisco Certified Network Professional (CCNP), VMware Certified Professional (VCP), and CompTIA A+ and Network+.
Mauro is a recognized Microsoft MVP and has also been a long-time contributor to Windows Central.
You can follow him on YouTube, Threads, BlueSky, X (Twitter), LinkedIn and About.me. Email him at [email protected].