
Any impact if Secure Boot is on but Secure Boot Cert expired?

License Admin 0 Reputation points
2026-03-17T03:51:52.09+00:00

If the workstation has secure boot enabled but did not renew the secure boot certificate, is there any impact?

Windows for business | Windows Client for IT Pros | Devices and deployment | Install Windows updates, features, or roles

2 answers

  1. Henry Mai 8,200 Reputation points Independent Advisor
    2026-03-17T04:58:01.92+00:00
    Hello License Admin, I am Henry and I want to provide my thoughts about your concern.

    In short: Yes, there is a significant impact, but it usually won't stop your computer from booting immediately.

    If a Secure Boot certificate (specifically the Microsoft 2011 CA) expires—which begins happening in June 2026—your workstation will experience the following:

    First, the workstation will continue to boot and run Windows normally, but it enters a "degraded" security state. Because the certificate is expired, the system can no longer verify or install new security updates for the early boot process.

    You will stop receiving updates for:

    • Windows Boot Manager: Critical fixes for the very first files that load Windows will fail to install.
    • Revocation Lists (DBX): Secure Boot relies on a "blacklist" of compromised files. If the certificate is expired, your PC cannot update this list, leaving it vulnerable to known boot-level malware (bootkits).

    While the current OS will boot, you may run into "Access Denied" or "Signature Invalid" errors in the future if:

    • An update tries to install a new bootloader signed with the new 2023 certificates that your firmware doesn't yet recognize.
    • You try to boot from a newer USB recovery drive or Linux distribution signed with the newer keys.

    Standard Windows Updates will continue to install for the OS, but specific "Secure Boot" or "UEFI" updates will likely fail with errors (such as Event ID 1801 in the System logs), indicating the firmware couldn't be updated.

    Here is the Key Difference between Expiration vs. Revocation

    • Expiration (June 2026): The system usually keeps trusting the "old" files it already has, so it still boots. It just can't "trust" anything new.
    • Revocation: If Microsoft eventually "revokes" the old 2011 certificates (to force security), any system that hasn't moved to the new 2023 certificates will stop booting entirely.

    I hope this information and these keywords help point you in the right direction for your research. Let me know how it goes, and if this answer helps, feel free to hit “Accept Answer” so others can benefit too.


  2. Q&A Assist
    2026-03-17T03:52:02.0866667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    If Secure Boot is enabled but the device has not received the new Secure Boot certificates and the existing ones expire, the workstation will still boot and operate, but its early‑boot security will be degraded.

    Specifically, once the old Secure Boot certificates expire and the new 2023 certificates are not present:

    • The device continues to start and run normally.
    • Standard Windows updates continue to install, except for boot‑related security components that require the updated certificates.
    • Everyday OS usage (apps, networking, browsing, most features) is unaffected.

    However, there are important security impacts:

    • The device can no longer receive new security protections for the early boot process.
    • Updates to Windows Boot Manager, Secure Boot databases (DB/DBX), and revocation lists cannot be applied if they depend on the new certificates.
    • Mitigations and fixes for newly discovered boot‑level vulnerabilities (for example, BitLocker bypass mitigations or Secure Boot revocations) will not be available.
    • Scenarios that rely on Secure Boot trust, such as BitLocker hardening, boot‑level code integrity, and some third‑party bootloaders or Option ROMs, may be affected if they require updated Secure Boot trust.

    To avoid this degraded protection, Secure Boot certificates should be updated well before the June 2026 expiration date, following Microsoft’s Secure Boot certificate update guidance and any required OEM firmware updates. Secure Boot should not be disabled to work around certificate expiration.



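Both answers above describe the things an administrator would want to verify on a workstation: whether the firmware's db already trusts the 2023 Microsoft CAs, how close the 2011 CAs are to their NotAfter date, what the Windows servicing state reports, and whether Event ID 1801 is showing up in the System log. The PowerShell script below is an added example, not code from either answer or from Microsoft; it reads those signals on a local UEFI machine. It parses the db variable's EFI_SIGNATURE_LIST structures and lists every X.509 certificate with its expiry date, then reports whether the 2011 and 2023 CAs are present. The registry value `UEFICA2023Status` under `HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing` and filtering the System log on Event ID 1801 alone are assumptions not stated on this page. The SecureBoot cmdlets require an elevated prompt on a UEFI system.

```powershell
# Added example (not from the original Q&A): inspect Secure Boot trust state on a Windows machine.
# Run from an elevated PowerShell prompt on a UEFI system; uses the built-in SecureBoot module.

# EFI_CERT_X509_GUID from the UEFI specification: marks a signature list whose entries are DER X.509 certs.
$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificates {
    param([ValidateSet('db', 'dbx', 'KEK', 'PK')][string]$Variable = 'db')
    # Get-SecureBootUEFI returns the raw variable; db/dbx/KEK are a sequence of EFI_SIGNATURE_LIST structures.
    $bytes  = (Get-SecureBootUEFI -Name $Variable).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16), SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32 each)
        $type       = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }   # malformed list: stop parsing
        $pos = $offset + 28 + $headerSize
        while ($sigSize -gt 16 -and $pos + $sigSize -le $offset + $listSize) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) followed by SignatureData
            $data = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
            if ($type -eq $X509Guid) {
                try {
                    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                    [pscustomobject]@{
                        Variable   = $Variable
                        Subject    = $cert.Subject
                        NotAfter   = $cert.NotAfter
                        Thumbprint = $cert.Thumbprint
                    }
                } catch {
                    Write-Warning "Skipping unparseable X.509 entry in $Variable at offset $pos"
                }
            }
            $pos += $sigSize
        }
        $offset += $listSize
    }
}

function Test-SecureBoot2023Readiness {
    $result = [ordered]@{}
    $result.SecureBootEnabled = Confirm-SecureBootUEFI
    $certs = @(Get-SecureBootCertificates -Variable db)

    # Subject names of the CAs that matter here: the expiring 2011 Windows CA and its 2023 replacement.
    $result.DbHas2011WindowsCA = [bool]($certs | Where-Object Subject -like '*Microsoft Windows Production PCA 2011*')
    $result.DbHas2023WindowsCA = [bool]($certs | Where-Object Subject -like '*Windows UEFI CA 2023*')
    $result.EarliestDbExpiry   = ($certs | Sort-Object NotAfter | Select-Object -First 1).NotAfter

    # Assumption (not on this page): Windows records its certificate-servicing progress in this key.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    $result.UEFICA2023Status = if ($svc -and $svc.PSObject.Properties['UEFICA2023Status']) { $svc.UEFICA2023Status } else { 'NotReported' }

    # Event ID 1801 in the System log is the failure signal the first answer mentions.
    # Assumption: filtering on the ID alone is enough on a typical workstation.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1801 } -MaxEvents 5 -ErrorAction SilentlyContinue
    $result.Recent1801Events = @($events).Count

    [pscustomobject]$result
}

# Usage: list every CA the firmware trusts with its expiry, then the readiness summary.
Get-SecureBootCertificates -Variable db | Sort-Object NotAfter | Format-Table Subject, NotAfter -AutoSize
Test-SecureBoot2023Readiness
```

If `DbHas2023WindowsCA` is false while `SecureBootEnabled` is true, the machine is in the state both answers describe: it still boots on the 2011 trust chain, but a boot manager signed only by the 2023 CA would fail verification until the db is updated through Windows servicing or an OEM firmware update. Parsing the signature lists rather than string-searching the raw bytes also makes the `NotAfter` dates visible, which is what answers the original question about expiry directly.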
