Story · arstechnica + bluesky + websearch · 5 events
Three Microsoft-signed Secure Boot certificates expire June 24, breaking trust for Windows and Linux. Bootkits like LoJax could then survive OS reinstall. Audit firmware updates now.
Windows and Linux users: The deadline to update Secure Boot keys is ...
Windows and Linux users: The deadline to update Secure Boot keys is ...
Text
settings
Story text
Size
Small
Standard
Large
Width
*
Standard
Wide
Links
Standard
Orange
* Subscribers only
Learn more
Minimize to nav
The clock is ticking for Windows and Linux users to update cryptographic keys that protect their systems against firmware-based UEFI infections, a pernicious form of malware that loads before operating system and anti-malware protections start.
Beginning June 24, three certificates that cryptographically verify that each piece of firmware and software that loads during system boot will expire. The Microsoft-signed certificates are the linchpins of Secure Boot, a Microsoft-designed chain of trust. Secure Boot checks the digital signatures of all code that loads during system startup to ensure it originates from a trusted provider, such as the manufacturer of the motherboard the system runs on.
Secure Boot is designed to thwart bootkits, a form of malware that alters the systems responsible for loading firmware and software during the initial boot sequence. Because bootkits load before the OS and most other code, they can be difficult to detect. Once installed, they…
Microsoft reveals what happens to Windows 11 PCs if you ignore the ...
Microsoft reveals what happens to Windows 11 PCs if you ignore the ...
Home
Microsoft
Microsoft
The clock is ticking on one of the most fundamental security architectures inside your PC. In June 2026, the original Secure Boot certificates that have governed Windows hardware since 2011 will officially expire. To prevent millions of PCs from suddenly becoming vulnerable or failing to boot altogether, Microsoft is in the midst of a monumental, multi-year rollout of the new 2023 Secure Boot certificates.
Because this transition directly manipulates the UEFI firmware on your motherboard, it is a highly delicate process. To clear up the confusion, Microsoft recently hosted a detailed “Ask Microsoft Anything” (AMA) session in March 2026 featuring Principal Security Engineer
Arden White
, Principal Software Architect
Scott Shell
, and Group Engineering Manager
Richard Powell
.
I watched the full AMA, along with additional research to understand the full context, as it contains critical insights into how the update works, what happens if you ignore it, and how enterprises should handle edge cases. I have compiled, organized, and analyzed every single question and answer from that session, …
Secure Boot 2011 KEK CA Expiration: June 2026 Migration Risks for ...
Secure Boot 2011 KEK CA Expiration: June 2026 Migration Risks for ...
Microsoft’s 2011 Secure Boot certificate family begins expiring in June 2026, and the most consequential deadline is the Microsoft Corporation KEK CA 2011, whose replacement determines whether affected Windows devices can keep receiving future Secure Boot database and revocation updates. The unsettling part is that most machines will not fail loudly. They will keep booting, keep passing casual health checks, and still drift into a weaker security posture if the trust plumbing is not refreshed in time. That makes this less like a dramatic “PCs won’t start” event and more like the sort of infrastructure debt that punishes organizations months later, when a boot-level vulnerability needs revoking and the revocation never arrives.
The Real Deadline Is Not the One Users Will Notice
Secure Boot has always been marketed as a simple promise: the PC should start only code that the firmware trusts. Underneath that slogan is a small hierarchy of UEFI variables, certificates, and signature databases that decide which bootloaders, option ROMs, and pre-OS components are allowed to run before Windows, Linux, or a hypervisor t…
Windows and Linux users: The deadline to update Secure Boot keys is near
Windows and Linux users: The deadline to update Secure Boot keys is near
What you need to know about the expiration of keys securing your machine's boot sequence.
Corroboration
No verdict, no pronouncement. The model extracts atomic factual claims with verbatim quotes; every quote is validated against the source text and corroboration is computed by counting how many editorially-opposed blocs assert each fact. 2 fabricated/unverifiable quotes were rejected by the cite-or-die gate.
The spine · 4 facts corroborated across ≥2 opposed blocs
2×cross-perspective · 2Windows and Linux users are affected by the expiration of these Secure Boot certificates.
othertech
bluesky“Three Microsoft-signed Secure Boot certificates expire June 24, breaking trust for Windows and Linux.”
arstechnica“Windows and Linux users: The deadline to update Secure Boot keys is near”
arstechnica.com“The clock is ticking for Windows and Linux users to update cryptographic keys that protect their systems against firmware-based UEFI infections, a pernicious form of malware that loads before operating system and anti-malware protections start.”
whowhatwhy.org“The clock is ticking for Windows and Linux users to update cryptographic keys that protect their systems against firmware-based UEFI infections, a pernicious form of malware that loads before operating system and anti-malware protections start.”
1×cross-perspective · 2Three Microsoft-signed Secure Boot certificates expire on June 24.
other
bluesky“Three Microsoft-signed Secure Boot certificates expire June 24, breaking trust for Windows and Linux.”
arstechnica.com“Beginning June 24, three certificates that cryptographically verify that each piece of firmware and software that loads during system boot will expire.”
whowhatwhy.org“Beginning June 24, three certificates that verify that each piece of firmware and software that loads during system boot will expire.”
1×cross-perspective · 2The expired Microsoft-signed certificates are the linchpins of Secure Boot, a Microsoft-designed chain of trust.
other
arstechnica.com“The Microsoft-signed certificates are the linchpins of Secure Boot, a Microsoft-designed chain of trust.”
whowhatwhy.org“The certificates are the linchpins Secure Boot, a Microsoft-designed chain of trust.”
1×cross-perspective · 2UEFI bootkits are a form of malware that loads before the operating system and anti-malware protections start.
other
arstechnica.com“The clock is ticking for Windows and Linux users to update cryptographic keys that protect their systems against firmware-based UEFI infections, a pernicious form of malware that loads before operating system and anti-malware protections start.”
whowhatwhy.org“The clock is ticking for Windows and Linux users to update cryptographic keys that protect their systems against firmware-based UEFI infections, a pernicious form of malware that loads before operating system and anti-malware protections start.”
Single-source · 2 — reported by one bloc only (uncorroborated)
Secure Boot checks the digital signatures of all firmware and software that loads during system startup to ensure it originates from a trusted provider.
arstechnica.com
Secure Boot is designed to thwart UEFI bootkits, a form of malware that alters the Unified Extensible Firmware Interface.
arstechnica.com
Framing · 4 — loaded language surfaced (spin shown, not adopted)
bluesky
“breaking trust for Windows and Linux. Bootkits like LoJax could then survive OS reinstall. Audit firmware updates now.”
→ The expiration of certificates breaks trust for Windows and Linux systems; bootkits like LoJax could survive OS reinstall; firmware updates should be audited.
arstechnica.com
“a pernicious form of malware that loads before operating system and anti-malware protections start.”
→ UEFI infections are a form of malware that loads before operating system and anti-malware protections start.
whowhatwhy.org
“a pernicious form of malware that loads before operating system and anti-malware protections start.”
→ UEFI infections are a form of malware that loads before operating system and anti-malware protections start.
techspot.com
“Installing Windows 11 on a PC that doesn't meet minimum system requirements isn't recommended. Such PCs won't be supported, may not receive updates, and may experience compatibility issues.”
→ Installing Windows 11 on non-compliant PCs is not recommended; such PCs may not receive updates or function properly.