Secure Boot deadline: Microsoft reveals what happens to Windows 11 PCs if you missed the update
Time: Jun 20, 2026

What Happens to Your Old PC with the Expiration of Microsoft’s Secure Boot 2011 Certificates?

With Microsoft’s Secure Boot 2011 certificates expiring on June 24, many users of older hardware, particularly devices from before 2018, are left wondering about the implications. While most modern PCs have already received the Secure Boot 2023 update via Windows Update, there is a significant portion of devices where this update will never arrive. This article explains what this means for your PC, your security, and the steps you might consider taking.

Your Old PC Will Still Boot After June 24

The expiration of the Secure Boot 2011 certificates does not mean your PC will stop functioning. Microsoft has confirmed that devices missing the new certificates will continue to boot and operate normally. According to Microsoft’s official support page:

"If your device reaches the expiration date without the new certificates, it will still start and operate normally. Standard Windows updates will continue to install."

However, the expiration does affect your device’s ability to receive future boot-level security updates. Without the 2023 certificates, your PC will no longer receive updates for Windows Boot Manager, Secure Boot databases, revocation lists, or mitigations for new boot-level vulnerabilities. This degradation is gradual rather than immediate, and no sudden shutdowns or error messages will occur.

Why Some PCs Cannot Get the Secure Boot Update

The Secure Boot 2023 update cannot be applied to every PC through Windows Update alone. It requires compatible firmware, which depends on updates provided by the PC manufacturer. For example, Dell has stated that devices with an End of Service Life before January 1, 2026, will not receive BIOS updates supporting the new certificates. Other manufacturers, such as HP, Lenovo, and ASUS, have set similar cutoffs for BIOS support.

Older PCs, especially those from the early UEFI era or running in Compatibility Support Module (CSM) mode, do not use UEFI Secure Boot at all. For these devices, the certificate update is irrelevant. Additionally, devices running bypassed Windows 11 installations (e.g., with the TPM 2.0 and CPU checks disabled) often show no Secure Boot status or errors in the Windows Security app, because Secure Boot is either disabled or misconfigured in the firmware.

The Real Security Risk of Missing 2023 Secure Boot Updates

Without the 2023 certificates, your PC will not receive updates to the Secure Boot DBX (Forbidden Signature Database), which lists compromised or vulnerable bootloaders. For instance, the BlackLotus UEFI bootkit exploited older Windows bootloaders to bypass Secure Boot. Devices without the 2023 certificates will remain vulnerable to such threats, as they cannot process new DBX updates signed with the 2023 key.

For most home users, this risk remains largely theoretical since bootkit attacks are complex and usually target enterprises, governments, or high-value individuals. However, the risk will increase over time as more vulnerabilities are discovered.

Steps to Take If You Are Not Receiving Secure Boot Updates

Depending on your situation, there are several actions to consider:

  1. Windows 10 Users: If your PC is enrolled in the Extended Security Updates (ESU) program, it will receive the Secure Boot 2023 certificates through Windows Update. Verify your Secure Boot status in the Windows Security app (available from the May 2026 update, KB5087544).
  2. Unsupported PCs: Devices without OEM-provided BIOS updates or those running bypassed Windows 11 installations will not receive the update. Options include:
    • Continuing to use the device with its current configuration, understanding the security risks.
    • Enabling Secure Boot in UEFI, if supported, for bypassed systems.
    • Upgrading to newer hardware.
  3. Enterprise Users: Businesses need to address compliance requirements. Options include documenting exceptions, implementing compensating controls, or replacing outdated hardware.

How to Check Your Current Secure Boot Status

To check your Secure Boot status:

  1. Windows Security App: Open the app, navigate to Device Security, and look for the Secure Boot section. Since April 2026, the app displays a badge system:
    • Green: The 2023 certificates are applied.
    • Yellow: The update is pending.
    • Red: A firmware incompatibility is blocking the update.
  2. System Information Tool: Open msinfo32 and check the “Secure Boot State” under System Summary. It will report On, Off, or Unsupported.

For a deeper inspection, Microsoft provides diagnostic tools and scripts at aka.ms/GetSecureBoot.
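
The same checks can be scripted with the built-in Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets. The following is an added example, not the article's or Microsoft's own tooling; the function names are hypothetical, and the certificate subject names are assumed from Microsoft's published Secure Boot certificates rather than quoted in this article.

```powershell
# Added example. Run from an elevated PowerShell session on the PC being checked.
# ASSUMPTION: the strings below are the subject names of Microsoft's published
# Secure Boot certificates; the article itself does not quote them.
$Names = @{
    Db2011  = 'Microsoft Windows Production PCA 2011'
    Db2023  = 'Windows UEFI CA 2023'
    Kek2023 = 'Microsoft Corporation KEK 2K CA 2023'
}

function Test-SecureBootVarContains {
    param([string]$Variable, [string]$Subject)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    } catch {
        return $false   # variable missing or unreadable
    }
    # Subject names inside the DER-encoded certificates are plain ASCII,
    # so a text search over the raw variable bytes is enough to spot them.
    return [System.Text.Encoding]::ASCII.GetString($bytes).Contains($Subject)
}

function Get-SecureBootCertStatus {
    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws
    # PlatformNotSupportedException on legacy BIOS or CSM boots.
    try {
        $state = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    } catch {
        # Anything else (for example access denied when not elevated) is rethrown.
        if ($_.Exception -isnot [System.PlatformNotSupportedException]) { throw }
        return [pscustomobject]@{ SecureBootState = 'Unsupported'; Verdict = 'Certificate update does not apply' }
    }

    $db2011  = Test-SecureBootVarContains -Variable db  -Subject $Names.Db2011
    $db2023  = Test-SecureBootVarContains -Variable db  -Subject $Names.Db2023
    $kek2023 = Test-SecureBootVarContains -Variable KEK -Subject $Names.Kek2023

    if ($db2023 -and $kek2023) { $verdict = '2023 certificates present' }
    elseif ($db2023 -or $kek2023) { $verdict = 'Partially updated' }
    else { $verdict = '2023 certificates missing' }

    [pscustomobject]@{
        SecureBootState = $state      # matches msinfo32: On / Off / Unsupported
        Db2011          = $db2011
        Db2023          = $db2023
        Kek2023         = $kek2023
        Verdict         = $verdict
    }
}

Get-SecureBootCertStatus | Format-List
```

A 2023 entry in db shows that the firmware trusts the new certificate; it does not by itself show which certificate signed the boot manager currently installed.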

Your PC Will Continue Running Even Without the Update

For most users on older hardware, missing the Secure Boot 2023 update leaves a security gap but does not affect the daily operation of the PC. Regular Windows updates will still arrive, and the device will continue functioning. However, businesses with compliance requirements and endpoint security obligations should treat this as a priority issue and plan accordingly.

If you want to explore BIOS updates or additional resources, visit your manufacturer’s Secure Boot transition support page or Microsoft’s official resource linked above.
