
Millions of PCs may lose protection: Microsoft sets critical update deadline

Tue, May 26, 2026 - 15:35
Tech giant pushes large-scale multi-year transition to new digital keys
Microsoft warns Windows 11 users about major upcoming changes (photo: Unsplash)

In June 2026, one of the fundamental elements of modern computer security will reach the end of its lifecycle. The original Secure Boot certificates, which have governed hardware authentication in the Windows ecosystem since 2011, are officially set to expire, according to Windows Latest.

What is Secure Boot and why are the keys changing?

Secure Boot is an industry-standard security feature that ensures only trusted software approved by the hardware manufacturer (OEM) is loaded when a computer starts.

The system is based on a strict hierarchy of digital keys stored in the motherboard firmware. It verifies the signatures of drivers, EFI applications, and the OS bootloader against the allowed-signatures database (db), and also checks them against the forbidden-signatures database (dbx), a blacklist of revoked or compromised software.

The first certificates were embedded into firmware in 2011 with a 15-year validity period. In June 2026, their cryptographic validity expires.

To maintain the chain of trust, the OS must install new “Windows UEFI CA 2023” certificates into UEFI, after which Windows will begin using a bootloader signed with updated keys.

What happens if you ignore the June 2026 deadline?

Microsoft engineers reassure users that if a computer does not receive updated certificates by the deadline, it will not become a “brick” and will continue to boot normally. However, system security will gradually degrade.

First, critical bootloader updates will stop. Microsoft will no longer be able to sign low-level fixes with the old 2011 key, meaning devices without the 2023 certificates will stop receiving boot-related security patches.

Second, systems will become more vulnerable to rootkits — a type of hidden malware that gains administrative privileges and conceals itself along with other malicious software. Devices will also stop receiving DBX updates, leaving them exposed to new pre-boot attacks.

In addition, future Windows versions may no longer install on systems without updated keys, effectively blocking upgrades.

Installation and BitLocker compatibility

The update process is delivered automatically through the monthly cumulative update (LCU) via Windows Update, and its activation is staged through controlled feature rollouts (CFR).

Users may notice several restarts during installation — this is expected behavior as the system stages, activates, and applies new certificates in UEFI before rebooting into an updated bootloader.

Microsoft confirms full compatibility with BitLocker encryption and Virtual Secure Mode (VSM).

There is no need to manually suspend disk encryption — the system automatically reassigns access keys during reboots. However, on legacy BIOS systems or devices with Secure Boot disabled, the update will be skipped to avoid bootloader damage.

How to check Secure Boot status on your PC

Starting with recent Windows 11 updates, users can check readiness manually via: Windows Security > Device security > Secure Boot.

The system shows one of three statuses:

Green check: all certificates are updated, and the PC is ready for the deadline.

Yellow warning: new keys have been delivered but not yet written to firmware (often pending a reboot).

Red stop icon: update blocked due to incompatibility or motherboard limitations, with BIOS instructions provided.
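For administrators who would rather script the same readiness check than click through Windows Security, here is an added example that is not from the article or from Microsoft. It assumes an elevated PowerShell on a UEFI system with the built-in SecureBoot module, and assumes the certificate common names shown in the comments ("Windows UEFI CA 2023", "Microsoft Corporation KEK 2K CA 2023", and the 2011 originals) are what appears in the db/KEK variables.

```powershell
# Added example (not the article's or Microsoft's code). Reports whether the
# 2023 Secure Boot CAs have already been written to this PC's UEFI db and KEK,
# mirroring the green / yellow / skipped states the article describes.
# Run from an elevated PowerShell; Get-SecureBootUEFI requires administrator rights.
function Get-SecureBootCaStatus {
    # On legacy BIOS or with Secure Boot disabled the cmdlet throws or returns $false;
    # the article says the certificate update is skipped on such machines.
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $false }
    if (-not $enabled) {
        return [pscustomobject]@{
            SecureBoot = $false
            Status     = 'Skipped: Secure Boot disabled or legacy BIOS'
        }
    }

    # db and KEK hold DER-encoded certificates. The subject CN is stored as plain
    # ASCII inside the DER blob, so a substring search on the raw bytes is enough
    # to tell which CAs are present without parsing the EFI_SIGNATURE_LIST format.
    $dbText  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kekText = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    $r = [ordered]@{
        SecureBoot          = $true
        # Original 2011 certificates (expire June 2026)
        WindowsCA2011_db    = $dbText  -match 'Microsoft Windows Production PCA 2011'
        ThirdPartyCA2011_db = $dbText  -match 'Microsoft Corporation UEFI CA 2011'
        # Replacement 2023 certificates the update is supposed to install
        WindowsCA2023_db    = $dbText  -match 'Windows UEFI CA 2023'
        ThirdPartyCA2023_db = $dbText  -match 'Microsoft UEFI CA 2023'
        KEK2023             = $kekText -match 'Microsoft Corporation KEK 2K CA 2023'
    }

    # Classification modelled on the article's three indicators.
    if ($r.WindowsCA2023_db -and $r.KEK2023) {
        $r.Status = 'Updated: 2023 CAs present in db and KEK'
    } elseif ($r.WindowsCA2023_db -or $r.KEK2023) {
        $r.Status = 'Partially updated: remaining variables pending (reboot may be required)'
    } else {
        $r.Status = 'Pending: only 2011 certificates present'
    }
    return [pscustomobject]$r
}

Get-SecureBootCaStatus | Format-List
```

A machine that still boots with only the 2011 entries is the case the article describes as losing bootloader and dbx updates after June 2026, so fleet-wide this output is a useful pilot-group signal before broad rollout.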

For enterprise networks, Microsoft recommends avoiding blanket deployment of key updates and instead testing them on small device groups first, due to potential OEM-specific conflicts.

The next scheduled root certificate update is expected in 2038, when the industry is expected to begin a transition toward post-quantum cryptography.
