
Secure Boot is a part of the UEFI firmware standard, which replaced the older BIOS model for modern PCs. It was added to UEFI in 2011 so only trusted, signed code could run during startup.
The thing is, Microsoft has not updated the Secure Boot certificates since the feature was first introduced 15 years ago. Every PC manufactured since 2012 running Windows 10, Windows 11, or the last four versions of Windows Server (2016/2019/2022/2025) has been relying on certificates from 2011.
Starting on June 27 and continuing through October, those certificates begin expiring. When they expire, desktops and servers keep working, but the computer loses the ability to receive security updates for the boot process. For example:
- New protections for Windows Boot Manager won’t install.
- Updates to the Secure Boot database won’t apply.
- Revocation lists that block known malicious software won’t update.
- The system gradually loses the ability to defend itself.
For desktops, the solution is basically a Windows Update and a new UEFI firmware upgrade. Two updates do the trick. With Windows Server, the process is far more complex.
