VYPR
Advisory · Published Jun 25, 2026 · 1 source

Microsoft's Original Secure Boot Certificates Expire, Threatening Billions of PCs and Linux Systems

Microsoft's foundational Secure Boot certificates have begun expiring as of June 24, 2026, affecting over a billion UEFI-capable devices and Linux distributions, with critical security update implications.

The clock has run out on the cryptographic trust that has anchored Windows and Linux boot security for over a decade. As of June 24, 2026, Microsoft's original Secure Boot certificate, the Microsoft Corporation KEK CA 2011, officially expired, with the Microsoft UEFI CA 2011 following on June 27, 2026, and the Windows Production PCA 2011 set to expire on October 19, 2026. These certificates have underpinned firmware-level boot trust on every UEFI-capable PC shipped since the Windows 8 era, encompassing more than a billion devices worldwide, including systems running Linux distributions.

Secure Boot relies on a layered key hierarchy stored in UEFI firmware: the Platform Key (PK) authorizes the Key Enrollment Key (KEK), which in turn signs updates to the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX). At boot time, the firmware checks the bootloader's cryptographic signature against the DB; if it matches and is not revoked in DBX, the system proceeds. The four certificates that anchor this entire hierarchy are now at or approaching end of life, with replacement 2023 certificates valid through 2038.

The scope of the impact is enormous. Every computer with UEFI firmware is potentially in scope: systems running Windows 10, Windows 11, or Windows Server 2012 through 2025, and essentially any hardware released since approximately 2012. Devices shipped in 2025 or later, including Copilot+ PCs, typically arrive with the 2023 certificates pre-installed and require no action. Older devices that fail to migrate will continue to boot and run existing software normally, but they permanently lose the ability to receive future DBX revocation list updates, Windows Boot Manager security updates, and new Secure Boot DB updates. In practice this means new bootkits and malicious bootloader variants will never be blacklisted at the firmware level on those machines, and their bootloader is frozen at its last 2011-signed version.

Linux distributions are equally exposed. Nearly every mainstream Linux distro—Ubuntu, Fedora, Debian, RHEL, and others—uses Microsoft's UEFI CA 2011 to sign the shim first-stage bootloader that enables those systems to boot with Secure Boot enabled. The Fedora Project confirmed that once the 2011 key expires, any new shim binaries will only be signed with the 2023 key. This means Linux installation media relying on a new shim signed with the 2023 key will fail to boot on machines whose firmware only contains the old 2011 certificates, a direct impact on bare-metal installs, server deployments, and VM templates across enterprise environments.

Microsoft's official guidance and OEM advisories make clear that remediation requires two sequential actions. First, an OEM firmware (BIOS/UEFI) update is needed for devices manufactured before 2024 to enable their UEFI to accept the 2023 certificates. Second, a Windows Certificate Update is delivered via Microsoft's monthly cumulative updates, requiring Windows 10 22H2+ with ESU enrollment or any supported Windows 11 build. For enterprise environments, Microsoft Intune's Settings Catalog and Windows Autopatch include a dedicated Secure Boot Certificate Update policy and built-in Secure Boot Status report.

For Linux systems, administrators must update both the shim package (via apt full-upgrade, dnf upgrade, or equivalent) and apply the OEM firmware update that enrolls the Microsoft UEFI CA 2023 certificate into the firmware DB. fwupd 2.0.10 or later is required for delivery via the Linux Vendor Firmware Service (LVFS) to work correctly. On Windows, the required indicator is the green badge under Windows Security > Device Security > Secure Boot that reads "all certificates are applied"; a plain green checkmark is not sufficient.
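A practitioner's first question after the firmware and shim updates is whether the 2023 CAs actually landed in the firmware variables. The following is an added example, not code from the article or from Microsoft or fwupd: it parses the EFI_SIGNATURE_LIST chain that the db and KEK variables store and reports which of the known Microsoft CA subject names are present. The efivarfs mount point and the sample variable contents are assumptions constructed for the example; the CN strings are the certificates' real subject names.

```python
"""Audit a UEFI Secure Boot variable (db or KEK) for the Microsoft 2011/2023 CAs by
parsing its EFI_SIGNATURE_LIST chain. Added example; efivarfs path and samples are assumed."""
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
VAR_GUID = {"db": "d719b2cb-3d3a-4596-a3bc-dad00e67656f",   # EFI_IMAGE_SECURITY_DATABASE_GUID
            "KEK": "8be4df61-93ca-11d2-aa0d-00e098032b8c"}  # EFI_GLOBAL_VARIABLE_GUID
EXPECTED_2023 = {"db": ["Windows UEFI CA 2023", "Microsoft UEFI CA 2023"],
                 "KEK": ["Microsoft Corporation KEK 2K CA 2023"]}

def parse_signature_lists(data, efivarfs=True):
    """Yield (signature_type, owner, payload) per entry; efivarfs prepends 4 attribute bytes."""
    off = 4 if efivarfs else 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if list_size < 28 + hdr_size or end > len(data) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:                 # every entry in a list has the same size
            yield sig_type, uuid.UUID(bytes_le=data[pos:pos + 16]), data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def present_cas(data, names, efivarfs=True):
    """Names whose ASCII CN occurs in an X.509 entry (same heuristic as the PowerShell check)."""
    ders = [p for t, _o, p in parse_signature_lists(data, efivarfs) if t == EFI_CERT_X509_GUID]
    return sorted(n for n in names if any(n.encode() in d for d in ders))

def missing_2023(data, var="db", efivarfs=True):
    """2023 CAs the variable still lacks; an empty list means this variable has migrated."""
    return [n for n in EXPECTED_2023[var] if n not in present_cas(data, EXPECTED_2023[var], efivarfs)]

def read_efivar(var="db"):
    with open(f"/sys/firmware/efi/efivars/{var}-{VAR_GUID[var]}", "rb") as f:  # assumed mount
        return f.read()

def build_x509_list(der, owner=uuid.UUID(int=0)):
    """Constructed helper: one blob in its own list, as firmware stores X.509 entries."""
    sig_size = 16 + len(der)
    return (EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
            + owner.bytes_le + der)

# Constructed samples: "CN=..." stands in for a DER cert (whose CN is also plain ASCII);
# 0x27 = NV|BS|RT|TIME_BASED_AUTH is the attribute word efivarfs exposes.
OLD_DB = struct.pack("<I", 0x27) + b"".join(build_x509_list(b"CN=" + n.encode()) for n in
         ["Microsoft Corporation UEFI CA 2011", "Microsoft Windows Production PCA 2011"])
NEW_DB = OLD_DB + b"".join(build_x509_list(b"CN=" + n.encode()) for n in EXPECTED_2023["db"])
```

Run `missing_2023(read_efivar("db"))` and `missing_2023(read_efivar("KEK"), "KEK")` on a live host; a non-empty result means the firmware side of the migration has not completed. `mokutil --db` shows the same entries in human-readable form where it is installed.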

This expiration event is not a routine Patch Tuesday but a permanent, structural change to the cryptographic trust chain that runs every time a device powers on. Bootkit-class malware operates precisely at the firmware level that Secure Boot's DBX revocation mechanism is designed to block. Without migration, devices accumulate compounding security debt with no clean remediation path back, leaving billions of systems vulnerable to boot-level attacks that can persist across OS reinstalls.

Synthesized by Vypr AI