Old PCs Face a Quiet Secure Boot Shift, and the Real Risk Starts Later

Author: Qoo Media

Microsoft’s Secure Boot deadline has arrived, but most PCs will not feel an immediate break. The bigger issue is what happens next: systems that miss the migration to the newer 2023 certificate chain may lose access to the security updates that protect the boot process itself.

That matters because Secure Boot operates before Windows fully loads. If a device remains on the older key chain, it can keep running for now, yet it may no longer receive the patches that update Windows Boot Manager, the Secure Boot database, and the DBX revocation list.

Why the change matters

The switch is part of a wider move away from the 2011 key chain used on billions of motherboards. Microsoft designed the transition as a background infrastructure change, not a sudden shutdown, so normal booting should continue on most machines.

The concern is security exposure over time. Without the migration, a PC may become more vulnerable to low-level firmware threats that traditional antivirus tools cannot see early enough.

One of the clearest examples is BlackLotus, a bootkit that can infect a system before regular security software has a chance to start. That is why the certificate change is more than a routine firmware update.

What most users will notice

For many owners, the update will arrive quietly through Windows Update. In that process, Microsoft replaces the old key exchange key with Microsoft Corporation KEK 2K CA 2023, with minimal user involvement.

Even so, the transition is not finished. Microsoft UEFI CA 2011 is scheduled to expire in three days, on June 27, which means the Secure Boot chain is still in the middle of a broader handover.

PCs built from 2024 onward are generally better prepared because they usually ship with the newer keys already in place. Those machines are less likely to face the same migration concerns as older systems.
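As an added check (example script written for this article, not code from the article or from Microsoft), the PowerShell below reads the Secure Boot KEK and db variables and reports whether the 2023 certificates are already installed, so an administrator can tell whether the quiet migration described above has actually reached a given machine. It assumes the Windows SecureBoot module cmdlets Get-SecureBootUEFI and Confirm-SecureBootUEFI and an elevated prompt on a UEFI system; the "Windows UEFI CA 2023" and "Microsoft UEFI CA 2023" subject names are not on the page and are taken from Microsoft's published Secure Boot certificate list.

```powershell
#Requires -RunAsAdministrator
# Added example: report whether this PC's Secure Boot variables already carry the
# 2023 certificates that Windows Update is expected to install. Assumes the
# SecureBoot module (Get-SecureBootUEFI, Confirm-SecureBootUEFI) on a UEFI system.

function Get-SecureBootVariableText {
    param([ValidateSet('KEK', 'db', 'dbx')][string]$Name)
    # The variable body is an EFI signature list of DER-encoded certificates; the
    # subject CNs appear as plain ASCII inside it, so a text match is sufficient
    # for a presence check (not for validating the chain itself).
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    return [System.Text.Encoding]::ASCII.GetString($bytes)
}

function Test-SecureBoot2023Migration {
    try {
        if (-not (Confirm-SecureBootUEFI)) {
            Write-Warning 'Secure Boot is disabled; no certificate chain is enforced.'
            return $null
        }
    } catch {
        Write-Warning 'Secure Boot is not supported on this firmware (legacy BIOS?).'
        return $null
    }

    $kek = Get-SecureBootVariableText -Name 'KEK'
    $db  = Get-SecureBootVariableText -Name 'db'

    $status = [pscustomobject]@{
        # KEK named in the article; it authorises the future db/dbx updates.
        Kek2023Present     = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        Kek2011Present     = $kek -match 'Microsoft Corporation KEK CA 2011'
        # db CA that signs the 2023-signed Windows Boot Manager.
        WinCA2023Present   = $db  -match 'Windows UEFI CA 2023'
        WinCA2011Present   = $db  -match 'Microsoft Windows Production PCA 2011'
        # db CA for third-party option ROMs and Linux shims.
        UefiCA2023Present  = $db  -match 'Microsoft UEFI CA 2023'
        UefiCA2011Present  = $db  -match 'Microsoft Corporation UEFI CA 2011'
    }

    # A machine is only fully on the new chain once KEK and both db CAs are present;
    # the 2011 entries may legitimately remain alongside them during the handover.
    $migrated = $status.Kek2023Present -and $status.WinCA2023Present -and $status.UefiCA2023Present
    $status | Add-Member -NotePropertyName 'FullyMigratedTo2023' -NotePropertyValue $migrated
    return $status
}

Test-SecureBoot2023Migration | Format-List
```

A `FullyMigratedTo2023` of `False` on a supported device means the machine is still on the 2011 chain and is the case the article warns about; it does not by itself indicate a compromise.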

Older hardware may need manual action

The more difficult cases are older boards and custom-built systems. Some legacy motherboard architectures may require a manual BIOS flash to support the larger cryptographic key size used by the 2023 certificate.

Technicians have also reported a higher failure rate on Windows 11 machines that previously relied on workarounds to bypass CPU or TPM checks. That makes the migration uneven, even though the end goal is the same across all supported devices.

For users, the key point is simple: the problem is not a sudden boot failure today, but a gradual loss of protection if the device does not move to the new Secure Boot chain. Once that happens, the weakest layer of the boot process becomes harder to secure with each missed update.

Source: www.notebookcheck.net