Certificates for the cryptographic keys in the Secure Boot process on computers running Windows and Linux begin expiring June 24, 2026. Users must ensure their firmware databases include the 2023 replacement certificates in order to protect against attacks on UEFI (Unified Extensible Firmware Interface), including bootkits that operate below the operating system.
Read Microsoft’s guidance:
https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e
What Is Expiring
The expiring certificates were issued in 2011. Microsoft created 2023 replacements after researchers disclosed LogoFail — a class of flaws that can exploit logo images displayed during startup to inject rogue certificates and bypass Secure Boot.
| Certificate | Expiration | Role |
|---|---|---|
| Microsoft Corporation KEK CA 2011 | June 24, 2026 | Signs updates to Secure Boot databases (db/dbx) |
| Microsoft UEFI CA 2011 | June 27, 2026 | Signs third-party bootloaders (Linux shim, Option ROMs) |
| Windows Production PCA 2011 | October 19, 2026 | Signs Windows boot components |
Expiration is not revocation. Machines that boot today will generally continue to boot after these dates. The risk is forward-looking: without the 2023 keys enrolled in firmware, systems cannot receive new boot-level security updates, revocation lists, or mitigations for newly discovered firmware vulnerabilities.
Windows Users
Users of Windows 11 and Windows 10 systems with extended security updates should receive the new certificates automatically through Windows Update. Microsoft will manage enrollment for many enterprise-managed devices.
If your device has not received the update:
- Install all pending Windows Updates and reboot.
- Verify Secure Boot remains enabled in firmware settings.
- For fleet-managed PCs, confirm your MDM/Intune policy allows firmware and DB updates.
Linux Users
Linux distributions that use shim to chain-load GRUB depend on the same Microsoft UEFI CA. Red Hat, Fedora, Ubuntu, and other vendors have shipped dual-signed shims (2011 + 2023 keys). After June 2026, new shim builds may be signed only with the 2023 certificate.
- Apply all distribution updates before the deadline.
- On supported hardware, run
fwupdmgr update(LVFS) to enroll the 2023 certificate in firmware. - On Windows/Linux dual-boot machines, letting Windows Update run can enroll keys into the shared firmware database.
- Do not manually delete 2011 certificates — legacy drivers and boot components may still require them.
Why Texas Organizations Should Care
City halls, ISDs, clinics, and law firms often run mixed Windows/Linux fleets and aging laptops that rarely receive OEM firmware updates. A machine that boots fine on June 25 can still become stuck when a critical shim or boot-manager patch requires the 2023 key that was never enrolled — a common pain point on legacy hardware called out in Red Hat’s guidance.
Secure Boot protects the chain from firmware through the bootloader. Without current certificates, bootkits and LogoFail-class attacks become harder to mitigate even when the OS itself is patched.
Priority Actions
- Inventory Secure Boot–enabled devices and last firmware update dates.
- Patch Windows and Linux before June 24; reboot to apply firmware DB updates.
- Flag legacy hardware with no vendor UEFI update path for replacement planning.
- Document boot-security procedures for incident response and SB 2610 programs.
Independent Cybersecurity Audit
We audited microsoft.com on June 22, 2026 as the vendor hub for this advisory:
| Organization (Domain) | Overall | Risk Level |
|---|---|---|
| Microsoft (microsoft.com) | 73% | Good |
This score reflects email and transport security on Microsoft’s public domain — not whether your individual PC has enrolled the 2023 Secure Boot certificates. Use Windows Update or your Linux vendor’s shim update for that.
Audit link: microsoft.com audit
Related trackers
- NCSC Fortinet VPN alert
- Adobe May 2026 PSIRT patches
- Chrome 148 vulnerabilities
- Texas ISD ransomware tracker
- Monitoring guide
- All trackers
Protect your organization.
Run a free Instant Cybersecurity Audit at audit.emailmenow.com — and contact EmailMeNow IT Consulting for patch-management documentation and SB 2610 support.
Sources: Microsoft — Secure Boot certificate expiration · Red Hat — 2026 Secure Boot guidance · EmailMeNow audit — microsoft.com