Secure Boot key update deadline arrives June 24 for Windows and Linux
Original: Windows and Linux users: The deadline to update Secure Boot keys is near
Why This Matters
Critical firmware security deadline affects millions of Windows and Linux systems; outdated Secure Boot keys leave systems vulnerable to persistent bootkit attacks.
Microsoft-signed Secure Boot certificates expire June 24, 2026. Windows and Linux users must update cryptographic keys protecting against UEFI firmware infections. Three certificates securing boot sequences will expire, requiring immediate action to prevent bootkit attacks.
Beginning June 24, 2026, three Microsoft-signed certificates that form the foundation of Secure Boot will expire. Secure Boot is a Microsoft-designed chain of trust that verifies digital signatures of all code loading during system startup, ensuring code originates from trusted providers like motherboard manufacturers. The technology protects systems against bootkits—malware that loads before operating systems and anti-malware protections, making them difficult to detect and remove. Bootkits have a decades-long history, dating to early 1980s Apple II attacks. Windows bootkits emerged as research proofs of concept in the early 2000s, including BootRoot demonstrated at the 2005 Black Hat conference. Real-world UEFI attacks began in 2018 with LoJax malware, created by Kremlin-backed APT 28, which remotely installed firmware-level infections. A second real-world UEFI attack was discovered in 2020. Because bootkits load before the OS, they can persist through operating system reinstallation and reinfection, stealing credentials, installing backdoors, and executing malicious actions even after OS disinfection. The June 24 deadline requires immediate action from system administrators and users to update their Secure Boot certificates.