Back to news
Cybersecurity Alert
June 22, 2026 by EmailMeNow IT Consulting

Secure Boot Certificates Expire June 24, 2026 — What Windows and Linux Users Must Do

Microsoft's 2011 Secure Boot signing certificates expire June 24–27, 2026. Systems without 2023 replacements keep booting but lose future UEFI protections. Independent audit scores microsoft.com at 73%.

Source: Microsoft Support / Red Hat

Secure BootUEFIWindowsLinuxFirmwareCybersecurity
Secure Boot UEFI certificate expiration advisory for Windows and Linux

Certificates for the cryptographic keys in the Secure Boot process on computers running Windows and Linux begin expiring June 24, 2026. Users must ensure their firmware databases include the 2023 replacement certificates in order to protect against attacks on UEFI (Unified Extensible Firmware Interface), including bootkits that operate below the operating system.

Read Microsoft’s guidance:
https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e

What Is Expiring

The expiring certificates were issued in 2011. Microsoft created 2023 replacements after researchers disclosed LogoFail — a class of flaws that can exploit logo images displayed during startup to inject rogue certificates and bypass Secure Boot.

CertificateExpirationRole
Microsoft Corporation KEK CA 2011June 24, 2026Signs updates to Secure Boot databases (db/dbx)
Microsoft UEFI CA 2011June 27, 2026Signs third-party bootloaders (Linux shim, Option ROMs)
Windows Production PCA 2011October 19, 2026Signs Windows boot components

Expiration is not revocation. Machines that boot today will generally continue to boot after these dates. The risk is forward-looking: without the 2023 keys enrolled in firmware, systems cannot receive new boot-level security updates, revocation lists, or mitigations for newly discovered firmware vulnerabilities.

Windows Users

Users of Windows 11 and Windows 10 systems with extended security updates should receive the new certificates automatically through Windows Update. Microsoft will manage enrollment for many enterprise-managed devices.

If your device has not received the update:

  1. Install all pending Windows Updates and reboot.
  2. Verify Secure Boot remains enabled in firmware settings.
  3. For fleet-managed PCs, confirm your MDM/Intune policy allows firmware and DB updates.

Linux Users

Linux distributions that use shim to chain-load GRUB depend on the same Microsoft UEFI CA. Red Hat, Fedora, Ubuntu, and other vendors have shipped dual-signed shims (2011 + 2023 keys). After June 2026, new shim builds may be signed only with the 2023 certificate.

  1. Apply all distribution updates before the deadline.
  2. On supported hardware, run fwupdmgr update (LVFS) to enroll the 2023 certificate in firmware.
  3. On Windows/Linux dual-boot machines, letting Windows Update run can enroll keys into the shared firmware database.
  4. Do not manually delete 2011 certificates — legacy drivers and boot components may still require them.

Why Texas Organizations Should Care

City halls, ISDs, clinics, and law firms often run mixed Windows/Linux fleets and aging laptops that rarely receive OEM firmware updates. A machine that boots fine on June 25 can still become stuck when a critical shim or boot-manager patch requires the 2023 key that was never enrolled — a common pain point on legacy hardware called out in Red Hat’s guidance.

Secure Boot protects the chain from firmware through the bootloader. Without current certificates, bootkits and LogoFail-class attacks become harder to mitigate even when the OS itself is patched.

Priority Actions

  1. Inventory Secure Boot–enabled devices and last firmware update dates.
  2. Patch Windows and Linux before June 24; reboot to apply firmware DB updates.
  3. Flag legacy hardware with no vendor UEFI update path for replacement planning.
  4. Document boot-security procedures for incident response and SB 2610 programs.

Independent Cybersecurity Audit

We audited microsoft.com on June 22, 2026 as the vendor hub for this advisory:

Organization (Domain)OverallRisk Level
Microsoft (microsoft.com)73%Good

This score reflects email and transport security on Microsoft’s public domain — not whether your individual PC has enrolled the 2023 Secure Boot certificates. Use Windows Update or your Linux vendor’s shim update for that.

Audit link: microsoft.com audit


Protect your organization.

Run a free Instant Cybersecurity Audit at audit.emailmenow.com — and contact EmailMeNow IT Consulting for patch-management documentation and SB 2610 support.


Sources: Microsoft — Secure Boot certificate expiration · Red Hat — 2026 Secure Boot guidance · EmailMeNow audit — microsoft.com