If you own a Windows PC with hardware predating 2018, the impending expiration of Microsoft’s Secure Boot 2011 certificates on June 24 may have raised some questions about your device’s future. While most modern systems will seamlessly transition to the Secure Boot 2023 update via Windows Update, those on older hardware might find themselves in a different situation. For users of Windows 10 or those who installed Windows 11 on unsupported machines, understanding the implications of this transition is essential.
Your old PC will still boot. Nothing breaks on June 24
The most reassuring news is that the expiration of the Secure Boot 2011 certificates will not prevent your PC from booting. Microsoft has confirmed that devices will continue to start and operate normally, even if they do not receive the new certificates. Standard Windows updates will remain functional, and there will be no sudden shutdowns or error messages at startup.
However, the absence of the 2023 certificates means that your device will miss out on future boot-level security updates. This includes updates to the Windows Boot Manager and the Secure Boot databases, as well as mitigations for newly identified vulnerabilities. While the degradation of security updates will be gradual, it is crucial to be aware of the potential risks involved.
Why some PCs cannot get the Secure Boot update
OEM support has a cutoff
The rollout of the Secure Boot certificate update is contingent upon the device firmware’s ability to accept and store the new certificates. This process is heavily reliant on the compatibility work done by the PC manufacturer. For instance, Dell has publicly stated that it will not provide BIOS updates for platforms that have reached their End of Service Life before January 1, 2026. Consequently, devices like a 2019 Dell Inspiron may never receive the necessary BIOS updates to accept the 2023 certificates.
Other major manufacturers, including HP, Lenovo, and ASUS, have similar cutoffs in place. Instances of firmware issues blocking updates or causing system errors have been documented, leaving devices without a path to receive the certificate update automatically.
Legacy BIOS and CSM mode
Older PCs, particularly those from the early UEFI era or those operating in Compatibility Support Module (CSM) mode, do not utilize UEFI Secure Boot. For these devices, the certificate update is irrelevant, as Secure Boot was never active. Windows may display a Secure Boot section in Windows Security, but if the system is running in Legacy BIOS mode, the update is unnecessary.
Windows 11 is installed on unsupported hardware
For users who installed Windows 11 on hardware that does not officially support it—often through registry bypass methods—Secure Boot may be disabled or improperly configured. For example, a Lenovo ThinkCentre mini-PC with a 6th-generation Intel CPU may run Windows 11 smoothly, but the Secure Boot section may be absent from Windows Security due to missing TPM 2.0 or disabled Secure Boot.
Microsoft has confirmed that the update process skips devices that do not have Secure Boot enabled, so an update attempt cannot inadvertently disrupt their operation.
What is the real security risk if you don’t receive 2023 Secure Boot updates?
Without the 2023 certificates, your PC will be unable to receive future revocation updates to the Secure Boot DBX (Forbidden Signature Database). This database contains a list of compromised or vulnerable bootloaders. If Microsoft identifies a specific bootloader version being exploited, it adds it to the DBX and distributes that revocation through Windows Update. Devices limited to the 2011 KEK certificate can only process updates signed with that key, which will expire on June 24, 2026.
While the risk of bootkit attacks is more theoretical for most home users, it is a concern that could escalate over time as new vulnerabilities are discovered. Businesses, however, must take these risks seriously due to compliance requirements that necessitate active security updates across all devices.
What you should do if you are not getting Secure Boot updates (depending on your situation)
If you’re on Windows 10 with a supported OEM
Windows 10 users enrolled in the Extended Security Updates (ESU) program will receive the same Secure Boot certificate update as their Windows 11 counterparts. If your OEM has released a compatible BIOS update, the certificate update should arrive through regular Windows Update. Checking your status in the Windows Security app can provide clarity on your current situation.
If you’re on an older OEM PC with no BIOS update available
For those whose manufacturers have not published a BIOS update for the Secure Boot 2023 transition, options are limited. You can continue using your device, understanding that it will not receive future boot-level security updates. Alternatively, consider upgrading your hardware or exploring community-supported BIOS updates, though caution is advised.
If you’re running Windows 11 on unsupported hardware
For users who installed Windows 11 on older hardware using a registry bypass, the Secure Boot 2023 update will not be available if Secure Boot is disabled. Options include staying on the current unsupported configuration, attempting to enable Secure Boot in UEFI, or upgrading to supported hardware.
How to check your current Secure Boot status
The simplest way to check your Secure Boot status is through the Windows Security app. Navigate to Device Security and locate the Secure Boot section. The April 2026 update introduced color-coded badges indicating the status of your Secure Boot certificates:
- Green: The 2023 certificates are applied.
- Yellow: The update is pending or requires additional data from Microsoft.
- Red: A specific issue, typically a firmware incompatibility, is blocking the update.
If the Secure Boot section is absent, your device may have Secure Boot disabled, be running in Legacy BIOS mode, or lack the necessary firmware support for the update. For a more detailed assessment, you can also check the “Secure Boot State” line in System Information (msinfo32).
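To confirm from the command line what the badge and msinfo32 report, the following added example (not part of the original article) reads the firmware's Secure Boot variables with the built-in `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets and looks for Microsoft's 2023 certificate names in the KEK and db. The function names are illustrative, and it must be run from an elevated PowerShell session.

```powershell
# Added example. Run in an elevated PowerShell session on the PC being checked.
# Function names are illustrative; the certificate names are Microsoft's 2023 CAs.

function Test-SecureBootVarHasCert {
    param(
        [Parameter(Mandatory)][ValidateSet('KEK', 'db')][string]$Variable,
        [Parameter(Mandatory)][string]$CertName
    )
    # The variable holds a list of DER certificates; the subject name is stored
    # as readable text, so a substring search over the raw bytes finds it.
    $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text.Contains($CertName)
}

function Get-SecureBoot2023Status {
    try {
        # $true / $false on UEFI firmware; throws on Legacy BIOS or CSM boot.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    }
    catch [System.PlatformNotSupportedException] {
        return [pscustomobject]@{
            FirmwareMode      = 'Legacy BIOS/CSM'
            SecureBootEnabled = $false
            Kek2023           = $null
            Db2023            = $null
            Summary           = 'Secure Boot not in use; the certificate update does not apply'
        }
    }

    $kek = Test-SecureBootVarHasCert -Variable KEK -CertName 'Microsoft Corporation KEK 2K CA 2023'
    $db  = Test-SecureBootVarHasCert -Variable db  -CertName 'Windows UEFI CA 2023'

    $summary = if (-not $enabled) {
        'UEFI firmware with Secure Boot disabled; the update skips this device'
    } elseif ($kek -and $db) {
        '2023 certificates present in both KEK and db'
    } elseif ($kek -or $db) {
        'Partially updated; the rollout is still pending or blocked'
    } else {
        'Only the older certificates were found'
    }

    [pscustomobject]@{
        FirmwareMode = 'UEFI'; SecureBootEnabled = $enabled
        Kek2023 = $kek; Db2023 = $db; Summary = $summary
    }
}

Get-SecureBoot2023Status | Format-List
```

A result showing only the older certificates on a machine whose manufacturer has published no BIOS update corresponds to the "no BIOS update available" case described above.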
Your old PC will continue working even without Secure Boot 2023 updates
For most users with older hardware, the transition to Secure Boot 2023 represents a security gap rather than an immediate crisis. Your PC will continue to function, and regular Windows updates will persist. However, the inability to address boot-level threats discovered after the expiration of the 2011 certificate will leave your device vulnerable.
For businesses, the stakes are higher. Compliance mandates often require active security updates at every layer, making the lack of DBX revocations a significant concern. Microsoft has provided resources and guidance for IT administrators navigating this transition, emphasizing the importance of documenting exceptions and planning for hardware replacements where necessary.
To determine if a BIOS update is available for your older PC, manufacturers like Dell, HP, Lenovo, and ASUS have dedicated support pages for the Secure Boot 2023 transition, accessible through Microsoft’s official resources.