Microsoft Explains What Happens if PCs Miss June 2026 Secure Boot Deadline
Future Windows updates may require new certificates
Microsoft is preparing Windows PCs for a Secure Boot certificate transition ahead of a June 2026 deadline, as older certificates near expiration.
The company is rolling out newer 2023 Secure Boot certificates to keep boot-level protection working properly on supported devices. Many users have noticed a new SecureBoot folder on their PCs as part of this update process.
PCs will still boot if users do nothing
According to Windows Latest, Microsoft’s certificate deadline does not mean affected PCs will suddenly stop working. However, ignoring the update could weaken boot-level security over time.
Systems that continue relying on older Secure Boot certificates may stop receiving boot-critical security updates. They may also miss newer DBX revocation list updates, which help block known vulnerable boot components and bootkit threats.
Older PCs may behave differently
Legacy BIOS systems are skipped because they do not support Secure Boot. Devices using Compatibility Support Module, or CSM, may still receive the update if they can use UEFI Secure Boot.
Microsoft also blocks the update when Secure Boot is disabled in BIOS. This prevents the certificate process from creating firmware-related problems on systems not actively using Secure Boot.
Multiple reboots may be required
The update may require several restarts. Microsoft says this behavior is expected because the certificates must be staged, applied by firmware, and then used by the updated bootloader.
Users do not need to manually suspend BitLocker. The update process should automatically reseal BitLocker and Virtual Secure Mode keys.
Microsoft warns enterprises to test first
Microsoft advises IT admins not to force Secure Boot certificate updates across entire fleets without testing. Firmware differences across PC models can cause failures or unexpected behavior.
PXE deployment also has limits. A PXE boot setup can provide only one Boot Manager to a client device, so organizations cannot simply keep 2011 and 2023 Boot Managers side by side in one boot.wim file.
After a fleet completes the transition, admins can update boot.wim manually using DISM.
How users and admins can check status
Regular users can check Secure Boot status through Windows Security. Enterprise admins can use Microsoft’s PowerShell scripts to monitor certificate status across fleets.
Admins can also review Event Viewer logs under the TPM WMI source. Intune users may see Event ID 1801 when certificates are available but have not yet been applied.
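The checks described above can be combined into one local status report. The following is an added example, not one of Microsoft's scripts: it reads the Secure Boot state, looks for the 2023 certificates in the firmware db and KEK variables, and counts Event ID 1801 entries. It must run from an elevated PowerShell session. The function names are hypothetical, and the System log, the provider name Microsoft-Windows-TPM-WMI and the certificate name strings are assumptions not stated in this article.

```powershell
# Added example (not Microsoft's script). Run elevated on the PC being checked.
function Test-SecureBootCert {
    param([string]$Variable, [string]$Pattern)
    try {
        # Certificate subject names are stored as readable text inside the variable.
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
        return [System.Text.Encoding]::ASCII.GetString($bytes) -match $Pattern
    } catch {
        return $null   # unreadable: not elevated, or no UEFI variables
    }
}

function Get-SecureBootCertStatus {
    $state = 'Unknown'
    try {
        $state = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch {
        # Legacy BIOS systems do not support Secure Boot and are skipped by the update.
        if ($_.Exception -is [System.PlatformNotSupportedException]) { $state = 'NotSupported' }
    }

    # Assumed names: 'Windows UEFI CA 2023' in db, 'KEK 2K CA 2023' in KEK.
    $db2023  = Test-SecureBootCert -Variable 'db'  -Pattern 'Windows UEFI CA 2023'
    $kek2023 = Test-SecureBootCert -Variable 'KEK' -Pattern 'KEK 2K CA 2023'

    # Event ID 1801: certificates available but not yet applied (assumed log and provider).
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801 }
    $pending = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue)

    $verdict = if ($state -ne 'Enabled') { 'Update is skipped or blocked on this device' }
               elseif ($db2023 -and $kek2023) { '2023 certificates present' }
               else { '2023 certificates not fully applied' }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        SecureBoot     = $state
        Db2023Cert     = $db2023
        Kek2023Cert    = $kek2023
        Event1801Count = $pending.Count
        LastEvent1801  = if ($pending) { $pending[0].TimeCreated } else { $null }
        Verdict        = $verdict
    }
}

Get-SecureBootCertStatus | Format-List
```

A device that reports Secure Boot as enabled but is missing either 2023 certificate, especially with recent 1801 events, is a candidate for the pilot testing Microsoft recommends before a fleet-wide push.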
Server and Hyper-V updates need extra care
Windows Server does not follow the same automatic rollout model as consumer Windows 11 PCs. Server admins must apply the new certificates manually.
Hyper-V setups may also need updates on both the host and guest virtual machines before Secure Boot certificate changes apply correctly.
Future Windows upgrades may depend on the change
Windows 11 26H2 is expected to install normally for now. However, future full Windows upgrades may eventually require the EFI partition to use the 2023 certificate chain.
The 2023 Secure Boot certificates are expected to last until 2038. Microsoft’s immediate goal is to prepare existing Windows PCs before the June 2026 certificate expiration window.