The big picture: The Secure Boot certificates Microsoft originally issued in 2011 for Windows devices are set to expire next month. The company is currently rolling out new Secure Boot keys to eligible devices and has warned that PCs not updated with the latest firmware could become vulnerable to malware and boot-level threats.

In an Ask Microsoft Anything livestream on YouTube, Microsoft Principal Security Engineer Arden White, Principal Software Architect Scott Shell, and Group Engineering Manager Richard Powell answered a range of questions about Secure Boot, including its importance for Windows devices, how to update to the latest version, and what could happen if users fail to do so.
Secure Boot is a Windows security feature designed to protect PCs by preventing malware from loading during the boot process. It establishes a "chain of trust" by verifying the digital signatures of all boot software, including UEFI firmware drivers, EFI applications, and the operating system itself. This ensures that the device boots only with software and services trusted by the PC manufacturer.
With the older 2011 Secure Boot certificates set to expire next month, Microsoft engineers revealed that the company has begun rolling out the new UEFI CA 2023 certificates to all supported devices via Windows Update. They added that all Windows 11 devices manufactured since 2024 are either shipping with the new certificates or have already received the update.
Windows users with older devices can check compatibility in the Windows Security app. According to Microsoft, all supported devices will automatically receive the new keys, though some systems may require additional firmware updates from their respective OEMs.
The trio confirmed that devices that have not yet updated to the new certificates will continue to operate normally and receive standard security updates. However, they will not be able to support newer security protections for the early boot process, potentially leaving them more vulnerable to bootkits, firmware rootkits, and boot-sector viruses.
It is worth noting that older devices using legacy BIOS firmware are physically incompatible with Secure Boot, so Windows will skip the update entirely. However, if a PC uses the Compatibility Support Module to emulate legacy BIOS while still running modern UEFI firmware compatible with Secure Boot, it will still receive the update normally.
Windows Secure Boot certificates set to expire in June – here's what it means for your PC