
Windows 11 PCs face changes if Secure Boot deadline missed in June 2026

Summary

– Secure Boot certificates from 2011 expire June 2026; Microsoft is rolling out new 2023 certificates to prevent security degradation and boot failures.
– The update process requires Secure Boot enabled and multiple reboots to stage, apply certificates, and load the new bootloader; it is BitLocker-aware and does not require suspending encryption.
– Enterprises should not blanket-enable the update policy; they must test hardware models first due to inconsistent UEFI firmware, and PXE boot requires manual boot.wim updates after fleet-wide certificate application.
– Servers and Hyper-V VMs need manual intervention via PowerShell, as they do not participate in automated Controlled Feature Rollouts; a two-part fix is required for Hyper-V KEK updates.
– Ignoring the update after June 2026 leaves PCs bootable but permanently insecure, as Microsoft will stop sending boot-critical updates and DBX malware blacklists, blocking future OS upgrades.

The deadline is approaching for one of the most critical security components inside your Windows PC. By June 2026, the original Secure Boot certificates that have protected Windows hardware since 2011 will officially expire. To prevent widespread vulnerabilities or boot failures, Microsoft is executing a large-scale, multi-year transition to the new 2023 Secure Boot certificates. Because this process directly modifies the UEFI firmware on your motherboard, it is a delicate operation.

To address widespread confusion, Microsoft hosted a detailed “Ask Microsoft Anything” (AMA) session in March 2026, featuring Principal Security Engineer Arden White, Principal Software Architect Scott Shell, and Group Engineering Manager Richard Powell. I reviewed the full AMA and conducted additional research to provide a clear, comprehensive breakdown of how the update works, what happens if you ignore it, and how enterprises should handle edge cases.

TLDR: If you miss the June 2026 Secure Boot certificate deadline, your Windows 11 PCs will still boot and run normally. However, your system security will permanently degrade because Microsoft will stop sending boot-critical updates and malware blacklists (DBX revocation lists). You can check your Secure Boot status in the Windows Security app.

What is Secure Boot, and why is it changing?

Secure Boot is a security standard developed by the PC industry to ensure a device boots using only software trusted by the Original Equipment Manufacturer (OEM). When your PC starts, the firmware checks the cryptographic signature of each boot component, including UEFI firmware drivers, EFI applications, and the operating system’s Boot Manager. This system relies on a hierarchy of keys:

  • PK (Platform Key): Owned by the OEM, it controls access to the KEK.
  • KEK (Key Exchange Key): Microsoft's KEK is what authorizes updates to the DB and DBX; once the 2011 KEK expires, Microsoft can no longer sign such updates for it.
  • DB (Allowed Signature Database): Holds the certificates (the 2011 certificate today, the 2023 certificate after the update) that boot components such as the Boot Manager must be signed by.
  • DBX (Forbidden Signature Database): The revocation list, or malware blacklist, of hashes and certificates the firmware refuses to boot.

The original 2011 certificates are nearing cryptographic expiration in 2026. Microsoft must push the new 2023 certificates to the firmware, swap the Boot Manager to a version signed by the new keys, and eventually stop trusting the old ones. As part of this rollout, Microsoft confirmed that the new Secure Boot folder in Windows 11 is not a bug and should not be deleted. This folder is simply where the OS stores cryptographic files before flashing them to your motherboard.

Older hardware and disabled Secure Boot will block the update

During the AMA, a key question involved older hardware: What happens if you force the update on a device still using Legacy BIOS? Scott Shell confirmed that the update process is smart enough to skip such devices. If your machine runs on a literal Legacy BIOS, it is physically incapable of Secure Boot. The system registers as SecureBootCapable = False and SecureBootEnabled = False, so Windows will skip the update entirely. Additionally, if your device uses a Compatibility Support Module (CSM) to emulate legacy BIOS but still has UEFI and Secure Boot capabilities, the update will process normally.

Another common scenario is when Secure Boot is disabled in the BIOS. Microsoft intentionally errors out the update process if Secure Boot is turned off, due to the inconsistent UEFI ecosystem. Some motherboard firmware can update certificates while the feature is disabled, while others will corrupt the boot sequence or change certificates abruptly when toggled back on. To avoid bricking systems, Microsoft requires Secure Boot to be actively running. If your device refuses to boot Windows with Secure Boot enabled, you must resolve BIOS misconfigurations (often related to MBR vs. GPT disk formatting) before receiving the 2023 certificates.

The update process is BitLocker aware but involves multiple reboots

Updating firmware is risky, which is why Microsoft is rolling this out in phases via Controlled Feature Rollouts (CFR) and Latest Cumulative Updates (LCU). Users have noticed unusual reboot behavior after applying the update. Richard Powell confirmed that Windows 11 may restart multiple times after updates, and your PC is not broken. Pushing data into the firmware requires one reboot to stage the certificates, another for the firmware to apply them, and a subsequent reboot to load the newly signed bootloader. While automated flows try to hide this early in the boot sequence, manual triggers make the multiple reboots highly visible.

This raised concerns about encryption and whether users need to suspend BitLocker during the process. Scott Shell clarified that you do not need to suspend BitLocker. The update process is fully BitLocker-aware, automatically resealing keys for BitLocker and Virtual Secure Mode (VSM). This ensures features like Windows Hello remain protected across reboots without locking you out. However, firmware updates deployed via Windows Update that change the Platform Key (PK) or Key Exchange Key (KEK) can alter the BitLocker key sealing. While they should not ask for the recovery key, complex enterprise environments might occasionally trigger a recovery prompt.

Because of these firmware variables, administrators might consider blanketly applying the “Enable Secure Boot Certificate Updates” policy across a fleet. Microsoft strongly advises against this. Since Microsoft cannot test every motherboard variation, blanket deployments risk breaking productivity. IT admins should test a subset of their specific hardware models before force-enabling the policy.

Enterprise deployment requires careful PXE and Boot Manager planning

For enterprises managing thousands of devices via Microsoft Endpoint Configuration Manager (SCCM), Preboot Execution Environment (PXE) boot scenarios are critical. One systems administrator noted that their PXE boot stopped working after revoking the 2011 certificate because their boot.wim file did not contain the new 2023 cert. Scott Shell explained a fundamental limitation of the PXE protocol: it can only offer one Boot Manager to a client device. Therefore, side-by-side boot managers in a single boot.wim will not work. Microsoft has not yet updated the default boot.wim to the 2023 certificate because doing so prematurely would break network booting for PCs that have not updated their firmware. Once your fleet is fully updated, you can use DISM tools to manually mount your boot.wim and replace the Boot Manager ahead of Microsoft’s official schedule.

Another technical question addressed firmware rollback. Microsoft confirmed that updating the firmware SVN (Security Version Number) only involves adding SVNs to the DBX. The SVN prevents a system from rolling back to an older, vulnerable boot manager; newer boot managers signed with the 2023 certificate check their own revocation using this SVN. To truly protect a system, the 2011 certificate must be removed or revoked via the DBX. For testing, clearing the DBX is enough to cancel that rollback prevention, allowing older boot managers to run again. Additionally, Microsoft relaxed the strict check for its “Owner GUID” on signatures, a change necessary to prevent breaking BitLocker on heavily customized enterprise machines.

How to check if Secure Boot certificates are up to date

Monitoring who has the update and who does not is a massive undertaking. The Windows 11 April Update now reveals if the Secure Boot 2023 certificate is applied to your PC. Go to Windows Security > Device Security, and scroll to find the “Secure Boot” section. A green check means you are good to go. If you see a yellow or red alert, follow the instructions in the Windows Security app.

For enterprises, Microsoft provides dedicated PowerShell scripts on their aka.ms/GetSecureBoot IT Pro portal. Additionally, the system logs detailed activity in the Event Viewer under the TPM WMI event source. You can use standard monitoring software to scrape these logs and build custom dashboards.

One user using Intune reported an error: Event ID 1801 saying certificates are available but not applied, with a BucketConfidenceLevel showing “Need more data.” This means the system has downloaded the certificates, but the telemetry bucket for that hardware model has not reached the required confidence threshold to trigger automatic installation. If you see this on a large portion of your fleet, manually test one device. If successful, you can override the confidence bucket and force deployment via registry keys. Event ID 1801 can also simply mean the machine is waiting for a reboot to seal BitLocker.
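The status check described above, turned into a per-machine inventory script (an added example, not Microsoft's aka.ms/GetSecureBoot scripts or code from the article). It assumes an elevated PowerShell session on Windows 11 or Windows Server with the in-box Secure Boot cmdlets; the event provider name 'Microsoft-Windows-TPM-WMI' and the CA subject strings are assumed from Microsoft's published certificate names rather than taken from the article.

```powershell
# Added example: inventory one machine's Secure Boot state for the 2023 transition.
# Assumed: run as Administrator; Confirm-SecureBootUEFI / Get-SecureBootUEFI are
# the in-box cmdlets; provider name and CA subject strings are assumptions.

function Get-UefiVarText([string]$Name) {
    # DB/KEK/DBX are EFI_SIGNATURE_LISTs of DER certificates. The CA subject names
    # are stored as plain ASCII inside the DER, so a substring match is sufficient
    # for an inventory check. Returns '' if the variable is absent or unreadable.
    try { [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Name).Bytes) }
    catch { '' }
}

function Get-SecureBootCertStatus {
    $result = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        SecureBootOn   = $false
        Db2011Present  = $false
        Db2023Present  = $false
        Kek2023Present = $false
        Dbx2011Revoked = $false
        LastEvent1801  = $null
    }

    # Confirm-SecureBootUEFI throws on Legacy BIOS; treat that as not capable,
    # which is exactly the case the article says the update skips.
    try { $result.SecureBootOn = [bool](Confirm-SecureBootUEFI) }
    catch { return [pscustomobject]$result }

    $db  = Get-UefiVarText 'DB'
    $kek = Get-UefiVarText 'KEK'
    $dbx = Get-UefiVarText 'DBX'

    $result.Db2011Present  = $db  -like '*Microsoft Windows Production PCA 2011*'
    $result.Db2023Present  = $db  -like '*Windows UEFI CA 2023*'
    $result.Kek2023Present = $kek -like '*Microsoft Corporation KEK 2K CA 2023*'
    # Revocation of the 2011 CA shows up as that certificate landing in the DBX.
    $result.Dbx2011Revoked = $dbx -like '*Microsoft Windows Production PCA 2011*'

    # Event ID 1801 (from the article): certificates downloaded but not yet applied,
    # or waiting on a reboot to reseal BitLocker. Surface the newest one.
    $result.LastEvent1801 = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801
    } -MaxEvents 1 -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty TimeCreated

    [pscustomobject]$result
}

Get-SecureBootCertStatus | Format-List
```

A machine is ready for the deadline only when SecureBootOn, Db2023Present and Kek2023Present are all true; Db2011Present without Dbx2011Revoked means the old chain is still trusted.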

Microsoft uses CFRs to slowly test hardware. Once a specific motherboard model proves stable, it is added to the “high confidence” bucket and pushed broadly via LCU. If you depend only on LCUs, the timeline will be slower, but it is accelerating as Microsoft gathers more telemetry. If you are running a highly custom or rare machine, turning on diagnostic data is the only way Microsoft will know your PC safely survived the update.

Windows Server and Hyper-V require specific manual interventions

While client PCs are highly connected and generate massive telemetry, servers are usually isolated. Virtualization introduces its own quirks. Some administrators noticed devices running on Hyper-V with the March 2026 updates applied, showing inconsistent statuses. Arden White explained that this relates to a legacy registry key. There was a known bug in Hyper-V regarding updating the Key Exchange Key (KEK) on long-running virtual machines. Microsoft issued a two-part fix: apply the March updates to the Hyper-V host server to enable KEK updates, and apply the updates to the guest VM so that it has the Hyper-V PK-signed KEK to apply. If you only update one side, the update will stall.

For newer server operating systems, Server 2025 is not automatically brought into compliance, whether it is freshly installed or upgraded from Server 2022. Server 2025 shares the same compliance database as Server 2022. Importantly, Windows Server does not participate in the automated Controlled Feature Rollout (CFR) program used by consumer Windows 11 PCs. Because servers are mission-critical, Microsoft requires server administrators to take manual action to apply the certificates using specific PowerShell commands.

Ignoring the update will permanently degrade your system security after June 2026

Given the headaches, many users wonder if their devices will continue to boot if they ignore the update. Your PC will not become a paperweight. However, it will run in a permanently degraded security state. Without the 2023 DB certificate, your PC will be physically incapable of running the newest Windows Boot Manager. Therefore, Microsoft will stop sending security updates for boot-critical binaries. Your system will also be unable to download new DBX revocation lists, leaving you permanently exposed to future bootkit malware.

This lack of updates will impact feature releases as well. Microsoft confirmed that future full-OS upgrades will eventually require the EFI partition to be signed with the 2023 certificate, although the upcoming Windows 11 26H2 will still install normally. If your device lacks the certificates, the Windows installer will intentionally fail the upgrade process to prevent an unbootable state. Windows 11 will now warn users before they hit these upgrade blockers.

It is absolutely critical that your system boots trusting the 2023 certificate instead of the 2011 certificate before the expiration deadline. Microsoft stated that it is pushing Secure Boot Key Exchange Key (KEK) updates to as many Windows 11 PCs as possible precisely because, come expiration day, Microsoft will no longer possess the cryptographic authority to sign any new updates using the 2011 KEK. If your system is not booting through the 2023 chain by then, you are permanently cut off from boot-level security patches.

Finally, looking toward the horizon, a user asked how long the 2023 certs will last. The root certificate that issues the new 2023 keys expires in 2038, granting them a little over a decade of life. However, Scott Shell noted a looming industry shift: the Post-Quantum cryptography mandate takes effect in 2030. While legacy hardware currently receiving the 2023 certificates will ride them out until the end of their usable life, new hardware manufactured in the 2030s will ship with entirely new Post-Quantum certificates. As we march toward June 2026, it is imperative to check if Windows 11 has applied the new Secure Boot 2023 certificates and ensure your fleet and your data remain secure against the next generation of threats.

(Source: WindowsLatest)
