– The 2011 Secure Boot key expired on June 24, 2026, but PCs will not crash immediately.
– Without the migration to the 2023 keys, devices will stop receiving boot-level security patches and become vulnerable to firmware threats like BlackLotus.
– Most users will get the update automatically via Windows Update, but older motherboards may require a manual BIOS flash.
– The Microsoft UEFI CA 2011 certificate expires on June 27, 2026, adding urgency to this transition.
– Windows 11 machines that bypassed CPU or TPM requirements face higher failure rates during the update process.
Secure Boot Key Expiration Triggers Major Transition
The clock just ran out on a 15-year era of PC startup security. Today, June 24, 2026, Microsoft’s original 2011 Secure Boot key officially expired inside billions of motherboards. This expiration forces a massive, multi-stage firmware transition to a newer 2023 certificate chain, a move that will change how PCs validate trusted software before the operating system even loads. The new chain uses a stronger cryptographic root and larger key sizes for better protection.
No Immediate Crashes But Delayed Danger
Your computer will not crash today. PCs relying on the legacy 2011 keys still boot normally, and apps run without hitting major issues. Microsoft designed this deadline as a background infrastructure swap rather than an immediate kill-switch. This approach gives vendors and users a window to transition without disruption, but delays could lead to serious consequences later.
The danger builds later. If a machine misses the migration to the new 2023 keys, it loses the ability to process future boot-level security patches. Windows will stop updating the Windows Boot Manager, the Secure Boot databases, and the DBX revocation blacklists on these unpatched devices. That leaves the hardware defenseless against specialized, firmware-level threats like the BlackLotus bootkit, which infects systems long before any traditional antivirus software wakes up. Such attacks can bypass all standard protections once they embed themselves in the boot chain.
Automatic Fixes for Most Users
For most users, the fix lands silently through the monthly Windows Update pipeline. Windows simply replaces the old key with the updated Microsoft Corporation KEK 2K CA 2023 certificate. The clock is ticking on the next milestone too, since the Microsoft UEFI CA 2011 certificate expires in three days on June 27. Modern PCs built from 2024 onward already carry these newer keys from the factory, so they face no immediate changes.
Older Devices and Custom Rigs Face Issues
Older devices and custom rigs face issues. Certain aging motherboard architectures require a manual BIOS flash before they can support the larger cryptographic key sizes of the 2023 certificates. Technicians also report higher failure rates on Windows 11 machines that used workarounds to bypass CPU or TPM hardware checks. These systems may show errors during boot or fail to apply the new keys if not updated properly.
Users should check there system firmware settings to confirm Secure Boot is active, and if any warnings appear about certificate expiry, consult the motherboards support page for BIOS updates. For more information on how to check if your device is Secure Boot ready, there are guides available online covering the steps for different motherboards and BIOS versions.