
The cryptographic keys that secure the boot sequence on millions of Windows and Linux computers will begin expiring on June 24, creating a looming deadline for system administrators and individual users who rely on UEFI Secure Boot to prevent rootkits and boot-level malware.
The expiring keys are part of the platform binary database maintained by Microsoft’s Secure Boot infrastructure. When Secure Boot is enabled, the firmware checks that every component loaded during startup, from bootloaders to drivers to the operating system kernel, carries a valid digital signature. Keys that have expired cause verification failures, potentially preventing systems from booting or forcing them into an insecure fallback mode.
Secure Boot has been a standard feature in Windows PCs since Windows 8 and in most Linux distributions that support UEFI. Microsoft acts as a central certificate authority for the ecosystem. When boot-signing keys expire, systems that have not installed updated certificates may refuse to load signed boot components, leading to startup failures on machines with Secure Boot enforced.
For most consumer Windows users, automatic updates through Windows Update should deploy the new certificates before the deadline. The risk is highest for systems that are offline, running outdated operating systems, or using custom boot configurations, including many dual-boot Windows and Linux setups and older enterprise deployments.
Linux distributions that rely on Microsoft’s key-signing service for bootloader certificates, including most major distributions that offer Secure Boot compatibility, are also affected. Users running custom kernels or self-signed bootloaders may need to manually update their certificate databases in the UEFI firmware settings.
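To see which certificates a machine's Secure Boot database holds and when they lapse, the firmware's db variable can be parsed directly. The Python below is an added example, not part of the original article: it walks the EFI_SIGNATURE_LIST layout defined in the UEFI specification and reads each X.509 entry's notAfter date. The function names and the SAMPLE_DB bytes are constructed for illustration and do not represent any real Microsoft certificate.

```python
import struct, uuid
from datetime import datetime, timezone
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # EFI_CERT_X509_GUID

def tlv(buf, off):
    """Read one DER element at off; return (tag, value_start, value_end)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                                   # long-form length
        n, off = int.from_bytes(buf[off:off + (n & 0x7F)], "big"), off + (n & 0x7F)
    return tag, off, off + n

def not_after(cert):
    """Return notAfter from Certificate -> tbsCertificate -> validity."""
    _, pos, end = tlv(cert, tlv(cert, 0)[1])       # enter Certificate, then tbsCertificate
    starts = []
    while pos < end:
        tag, start, pos = tlv(cert, pos)
        if tag != 0xA0:                            # skip optional [0] version
            starts.append(start)
    _, _, nb_end = tlv(cert, starts[3])            # order: serial, sigalg, issuer, validity
    tag, a, b = tlv(cert, nb_end)                  # element after notBefore
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(cert[a:b].decode(), fmt).replace(tzinfo=timezone.utc)

def x509_entries(db):
    """Yield DER certificates from concatenated EFI_SIGNATURE_LIST structures."""
    off = 0
    while off + 28 <= len(db):
        guid = uuid.UUID(bytes_le=db[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", db, off + 16)
        if list_size < 28 or sig_size <= 16:       # malformed list: stop parsing
            break
        pos = off + 28 + hdr_size
        while pos + sig_size <= off + list_size:
            if guid == X509_GUID:
                yield db[pos + 16:pos + sig_size]  # drop 16-byte SignatureOwner
            pos += sig_size
        off += list_size

def expiring(db, deadline):  # notAfter of each db certificate lapsing on or before deadline
    return [t for t in map(not_after, x509_entries(db)) if t <= deadline]

# Constructed sample: two skeletal certificates (not real ones) in one signature list.
def _der(tag, body): return bytes([tag, len(body)]) + body
def _cert(end):
    tbs = (_der(0xA0, _der(2, b"\x02")) + _der(2, b"\x01") + _der(0x30, b"") * 2
           + _der(0x30, _der(0x17, b"110101000000Z") + _der(0x17, end)))
    return bytes(16) + _der(0x30, _der(0x30, tbs))  # zero owner GUID + certificate
_sigs = [_cert(b"260624000000Z"), _cert(b"380101000000Z")]
SAMPLE_DB = X509_GUID.bytes_le + struct.pack("<III", 28 + 2 * len(_sigs[0]), 0, len(_sigs[0])) + b"".join(_sigs)
```

On Linux the variable is readable at /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f; strip its first four bytes (the variable attributes) before passing the rest to expiring().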
A recurring challenge
This is not the first Secure Boot certificate expiry. Microsoft has previously extended or updated its signing certificates as hardware and firmware evolved. However, each expiry creates a brief window of confusion as organizations scramble to update images, test compatibility, and deploy updates across fleets of machines before mission-critical systems fail to start.
The June 24 deadline applies specifically to keys in the Microsoft third-party UEFI certificate database, which covers bootloaders signed on behalf of operating system vendors, hardware manufacturers, and tool developers. Systems that fail to receive the updated certificates before the deadline will require manual firmware updates or temporary Secure Boot disablement to regain normal operation.
Sources: A Critical Deadline Is Approaching for Windows and Linux Security (Wired/Ars Technica, June 21, 2026).

