Updated
Updated · ZDNet · Jun 25
Microsoft Replaces 4 Expiring Secure Boot Certificates as 2011 Keys Start Lapsing
Updated
Updated · ZDNet · Jun 25

Microsoft Replaces 4 Expiring Secure Boot Certificates as 2011 Keys Start Lapsing

3 articles · Updated · ZDNet · Jun 25

Summary

  • June 24 marked the first expiration of Microsoft's 2011 Secure Boot certificates, starting a 2026 rollover that affects Windows PCs' ability to validate future boot-chain updates.
  • Without the new 2023 certificates, PCs should still boot normally but can miss security fixes for Windows Boot Manager, Secure Boot databases and revocation lists, weakening pre-boot protection.
  • Most supported Windows 11 systems — and Windows 10 PCs with Extended Security Updates — are expected to receive the certificates automatically, though some machines also need OEM firmware updates.
  • Windows now lets users verify status in the Windows Security app; PCs built since 2025 generally already include the 2023 certificates, while older self-built, Linux-only and specialty devices may need manual action.
  • The expiring set covers four certificates from 2011, with additional deadlines on June 27 and Oct. 19, while the replacements extend trust mostly into 2035 and 2038.

Insights

With Microsoft's old keys now expiring, what happens to Linux users whose PC vendors have abandoned firmware support?
Is the Linux 'Secure Boot' crisis a technical hurdle or a fundamental flaw in relying on Microsoft's keys?