Microsoft’s Secure Boot transition has reached a sensitive point, and older Windows PCs are the ones most likely to feel the impact. Beginning on 24 June, certificates from the 2011 Secure Boot era start expiring, which narrows the path for future boot security updates even though affected devices will continue to start normally.
The change matters because Secure Boot operates before Windows fully loads. If the older certificates are left to expire without proper replacement, firmware protection can fall behind while the operating system itself still appears to work as usual.
Three certificates are entering end-of-life
Microsoft is dealing with three separate certificates, each with its own deadline. Microsoft Corporation KEK CA 2011 expires on 24 June, Microsoft UEFI CA 2011 follows on 27 June, and Microsoft Windows Production PCA 2011 reaches its end date on 19 October.
Among them, Microsoft Windows Production PCA 2011 is the most critical. It signs Windows bootloaders, so the October deadline is especially important for keeping the boot chain trustworthy over the long term.
Microsoft has already begun rolling out replacement 2023 certificates through Windows Update. That process started in January and has continued through monthly updates, including KB5089549 released this month.
A PC may still boot, but protection weakens
Devices that still rely on expired certificates will not suddenly stop working. Microsoft says they should continue booting normally and still receive standard Windows updates.
The limitation is more subtle. Those systems will no longer be able to receive new Secure Boot databases, certificate revocation lists, or patches for newly discovered boot-layer vulnerabilities. That leaves the firmware layer less protected against attacks that target the early boot process.
This is where threats such as BlackLotus become relevant. If certificate replacement does not happen, the device loses an important path for updating defenses against newer firmware-level attacks.
Older hardware faces the biggest risk
Windows 11 systems on supported builds are already being updated automatically. The more difficult cases are older devices and unsupported Windows 10 machines.
Windows 10 users outside the Extended Security Updates program will not receive the new certificates. For those devices, there is no remediation path after 24 June.
Some older PCs also require firmware updates from the OEM that match Microsoft’s certificate rollout. The new certificate chain must be written into the key stores held by the UEFI firmware itself, not just into Windows, so operating system updates alone may not be enough.
If the manufacturer has stopped providing firmware updates, a device may remain tied to the 2011 certificate chain even if Windows itself is installed and fully updated. In that scenario, the system stays functional, but it does not move to the newer trust chain.
How users can check status
Secure Boot status can be checked in Windows Security by opening Device Security and then the Secure Boot section. Microsoft also points users to support guidance under KB5062710, which explains what the expiration means and what to do if the update has not yet been applied.
Microsoft recommends installing the latest updates and reviewing status through KB5062710. If the 2023 certificates still do not appear on a fully updated system, users are advised to contact OEM support.
That step is especially important for PCs that depend on older firmware and limited manufacturer support. On those machines, certificate expiration is not just a technical detail, but a factor that determines whether the boot protection path can still be updated.
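As an added example (not from the article or Microsoft's KB guidance), the following PowerShell script reports which Microsoft CA generations are present in the firmware's KEK and db variables, using the built-in Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets. It assumes an elevated session on a UEFI machine, and it only scans the raw signature lists for CA names rather than fully parsing them.

```powershell
#Requires -RunAsAdministrator
# Added example: show whether this PC still trusts only the 2011 Secure Boot
# CAs or already carries the 2023 replacements. Confirm-SecureBootUEFI and
# Get-SecureBootUEFI are standard Windows cmdlets; everything else is constructed here.

function Get-SecureBootCertGeneration {
    if (-not (Confirm-SecureBootUEFI)) {
        throw "Secure Boot is off or this is not a UEFI system; nothing to check."
    }

    # KEK: who may update the signature databases.
    # db : which CAs may sign bootloaders and option ROMs.
    foreach ($var in 'KEK', 'db') {
        # Each variable is an EFI_SIGNATURE_LIST of DER-encoded certificates.
        # Subject names are stored as plain ASCII inside the DER, so a substring
        # scan of the raw bytes is enough to see which Microsoft CAs are listed.
        $raw = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $var).Bytes)

        # Regex is an assumption about how Microsoft names its CAs, e.g.
        # "Microsoft Corporation KEK CA 2011" or "Windows UEFI CA 2023".
        $found = [regex]::Matches($raw, '(Microsoft|Windows)[A-Za-z0-9 ]*?CA 20(11|23)') |
                 ForEach-Object { $_.Value } | Sort-Object -Unique

        [pscustomobject]@{
            Variable = $var
            Has2011  = [bool]($found | Where-Object { $_ -like '*2011' })
            Has2023  = [bool]($found | Where-Object { $_ -like '*2023' })
            CAs      = ($found -join '; ')
        }
    }
}

$status = Get-SecureBootCertGeneration
$status | Format-Table -AutoSize

# After a successful rollout both generations are expected in db (the 2011
# entries are not deleted by the update); a db with no 2023 CA means the
# device is still on the old trust chain and needs the OEM firmware path.
if (-not ($status | Where-Object { $_.Variable -eq 'db' -and $_.Has2023 })) {
    Write-Warning "No 2023 CA found in db: this device has not moved to the new trust chain."
}
```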
Source: www.notebookcheck.net