Microsoft’s latest announcement carries a ticking clock for both Windows and Linux users: the Secure Boot certificates the company first issued in 2011 reach the end of their life in June 2026. Machines will not stop booting on that date, because UEFI firmware does not check a certificate’s validity period when it validates a boot image, but devices whose keys have not been refreshed will lose the ability to receive future firmware‑level security patches and newly signed boot components.

Secure Boot, a cornerstone of the Unified Extensible Firmware Interface (UEFI), validates boot software by checking its digital signature against certificates stored in firmware variables. The Platform Key (PK), usually owned by the OEM, authorizes changes to the Key Exchange Key (KEK); entries in the KEK authorize changes to two signature databases, the allowed list (DB) and the revocation list (DBX); and a boot image runs only if its signature chains to a certificate (or its hash appears) in DB and not in DBX. On most Windows‑based PCs, Microsoft’s 2011 certificates sit in the KEK (Microsoft Corporation KEK CA 2011) and in DB (Microsoft Windows Production PCA 2011, which signs the Windows boot manager, and Microsoft Corporation UEFI CA 2011, which signs third‑party components such as the Linux shim and option ROMs), giving the operating‑system vendor control over what can run before the kernel loads.

To keep the chain alive, Microsoft is rolling out a new set of 2023 certificates that will sit alongside and eventually replace the old ones. The update ships through Windows 10 and Windows 11 cumulative releases, such as KB5089573, and is designed to install automatically. However, older machines that lack the latest firmware, or those that have disabled automatic updates, may need a firmware update from the OEM or a manual key installation; either way, the result should be confirmed by inspecting the KEK and DB variables rather than assumed from the update history.

Linux users are not immune. Many distributions use a small UEFI bootloader called shim to bridge the Secure Boot chain to the Linux kernel; shim is signed by Microsoft under the Microsoft Corporation UEFI CA 2011, the third‑party certificate present in most firmware DBs. Shims already signed with the 2011 CA keep booting after the expiry date, because the firmware does not check validity periods. The problem is what comes next: Microsoft is moving third‑party signing to the Microsoft UEFI CA 2023, and a shim signed with that CA boots only on firmware whose DB already contains it. A distribution that ships a 2023‑signed shim to a machine whose DB still holds only the 2011 CA therefore produces an unbootable system, and the same applies to a Windows boot manager signed by the Windows UEFI CA 2023 on a DB without that certificate. Several distributions have already begun synchronizing their shim updates with Microsoft’s key rollover for this reason.
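The state that matters for everything above is the actual content of the KEK and DB variables, not the Windows update history. The following script is an added example written for this article, not Microsoft's or any distribution's tooling: it parses the EFI_SIGNATURE_LIST structures those variables are made of, pulls the subject common name out of each X.509 entry with a minimal DER walk (no certificate library needed), and classifies the machine as pending, partial or updated for the 2011-to-2023 rollover. The certificate names are the ones Microsoft publishes for the old and new CAs; `fake_cert` and the `SAMPLE_*` blobs are constructed test data with dummy keys, not real certificates.

```python
"""Added example (not Microsoft's tooling): parse the EFI_SIGNATURE_LIST structures in the
Secure Boot db and KEK variables and report whether the 2023 CAs are present beside the 2011 ones."""
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # PK, KEK
OID_COMMON_NAME = bytes.fromhex("550403")                                   # 2.5.4.3
# Replacement CAs by subject CN. The 2011 ones are "Microsoft Corporation KEK CA 2011",
# "Microsoft Windows Production PCA 2011" and "Microsoft Corporation UEFI CA 2011".
KEK_2023 = "Microsoft Corporation KEK 2K CA 2023"
DB_2023 = {"Windows UEFI CA 2023", "Microsoft UEFI CA 2023"}  # boot manager CA, third-party (shim) CA

def parse_signature_lists(blob):
    """Split a variable into (SignatureType GUID, [SignatureData, ...]) per EFI_SIGNATURE_LIST."""
    lists, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body_len = list_size - 28 - hdr_size
        if off + list_size > len(blob) or sig_size <= 16 or body_len <= 0 or body_len % sig_size:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        body = blob[off + 28 + hdr_size:off + list_size]
        # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by the payload.
        lists.append((sig_type, [body[i + 16:i + sig_size] for i in range(0, body_len, sig_size)]))
        off += list_size
    return lists

def _children(buf, start, end):
    """TLVs directly inside a constructed DER value, as (tag, value_start, value_end)."""
    out, off = [], start
    while off < end:
        tag, length, off = buf[off], buf[off + 1], off + 2
        if length & 0x80:                                  # long-form length
            n = length & 0x7F
            length, off = int.from_bytes(buf[off:off + n], "big"), off + n
        out.append((tag, off, off + length))
        off += length
    return out

def x509_subject_cn(der):
    """Minimal DER walk: Certificate -> tbsCertificate -> subject -> commonName."""
    cert = _children(der, 0, len(der))[0]
    tbs = _children(der, cert[1], cert[2])[0]
    fields = _children(der, tbs[1], tbs[2])
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    subject = fields[4]                                    # serial, signature, issuer, validity, subject
    for rdn in _children(der, subject[1], subject[2]):
        for atv in _children(der, rdn[1], rdn[2]):
            oid, val = _children(der, atv[1], atv[2])
            if der[oid[1]:oid[2]] == OID_COMMON_NAME:
                return der[val[1]:val[2]].decode("utf-8")
    return None

def rollover_status(db_blob, kek_blob):
    """Collect X.509 subjects from db and KEK and classify the 2011 -> 2023 rollover state."""
    found = {}
    for var, blob in (("db", db_blob), ("kek", kek_blob)):
        certs = [e for t, es in parse_signature_lists(blob) if t == EFI_CERT_X509_GUID for e in es]
        found[var] = {cn for cn in map(x509_subject_cn, certs) if cn}   # hash lists carry no subject
    kek_new, db_new = KEK_2023 in found["kek"], DB_2023 <= found["db"]
    if kek_new and db_new:
        status = "updated"   # future db/dbx updates and 2023-signed boot managers/shims will be accepted
    elif kek_new or found["db"] & DB_2023:
        status = "partial"   # e.g. db has the new CAs but KEK does not: new db/dbx updates still rejected
    else:
        status = "pending"   # only 2011 anchors: boots today, but receives no further Secure Boot updates
    return {"status": status, **found}

# --- constructed sample data: real DER and signature-list layout, dummy keys and signatures ---
def _der(tag, content):
    """DER-encode one TLV, with short- or long-form length as DER requires."""
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def fake_cert(cn):
    """Stand-in certificate for the sample: only the subject CN is meaningful (not a real CA)."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_COMMON_NAME) + _der(0x13, cn.encode()))))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + name + _der(0x30, b"") + name
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

def signature_list(sig_type, data, owner=uuid.UUID(int=0)):
    """Build a single-entry EFI_SIGNATURE_LIST, the layout firmware uses for one certificate."""
    sig_size = 16 + len(data)
    return sig_type.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size) + owner.bytes_le + data

# Constructed sample: a machine still on the 2011 certificates, plus one SHA-256 hash entry in db.
SAMPLE_DB = b"".join(signature_list(EFI_CERT_X509_GUID, fake_cert(cn)) for cn in
                     ("Microsoft Windows Production PCA 2011", "Microsoft Corporation UEFI CA 2011"))
SAMPLE_DB += signature_list(EFI_CERT_SHA256_GUID, bytes(32))
SAMPLE_KEK = signature_list(EFI_CERT_X509_GUID, fake_cert("Microsoft Corporation KEK CA 2011"))

if __name__ == "__main__":
    print(rollover_status(SAMPLE_DB, SAMPLE_KEK))   # constructed sample: status 'pending'
```

To run it against a real machine, feed `rollover_status` the raw variable contents instead of the sample: on Linux these are `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and `/sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c` with the first four bytes (the variable attributes that efivarfs prepends) stripped off; on Windows, `(Get-SecureBootUEFI -Name db).Bytes` and `(Get-SecureBootUEFI -Name KEK).Bytes` from an elevated PowerShell return the same signature-list bytes without that prefix. A "partial" result is worth acting on: a DB that already holds the 2023 CAs while the KEK does not will accept newly signed boot managers and shims, but firmware with only the 2011 KEK will still reject the Microsoft-signed DB/DBX updates that follow.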

Some commentators have dubbed the expiration a “Microsoft kill switch” because it gives Microsoft a degree of control over the boot process on a large swath of devices. In reality, the change is a routine certificate renewal driven by the finite lifetimes of X.509 certificates. The UEFI specification itself is governed by the UEFI Forum, but the firmware that ships on PCs is proprietary and typically updated by the OEM or the operating‑system vendor. Microsoft’s announcement does not introduce new security features; it is a non‑security update that includes quality improvements and the replacement of expiring certificates.

If the rollover is missed, devices lose the ability to receive future Secure Boot updates that protect against boot‑level vulnerabilities: DB and DBX updates that Microsoft signs with the 2023 KEK are rejected by firmware that holds only the 2011 KEK, and boot managers signed by the Windows UEFI CA 2023 fail validation on a DB that lacks that certificate, so operating‑system updates that carry a new boot manager cannot complete the swap. Microsoft’s support pages warn that after the 2011 certificates expire, Microsoft can no longer sign the updates that protect the pre‑OS environment with the old keys, which means the old trust anchors will never see another update. Consequently, any boot‑level threat discovered after the expiration could leave affected systems without a mechanism to receive a fix.

In the short term, Windows and Linux users should verify that their systems have applied the latest firmware and operating‑system updates, and that the 2023 certificates actually appear in the KEK and DB. Linux users, in particular, should confirm that their distribution’s shim package is current and consider keeping a bootable Linux live USB as a recovery option; it allows a system to be repaired, or one compromised by Windows malware to be examined, from outside the installed operating system, with the caveat that the live image must itself be signed by a certificate the firmware trusts (or Secure Boot temporarily disabled) for it to boot. Microsoft’s next steps involve continuing the rollout of the 2023 certificates, while OEMs push firmware updates that incorporate the new keys. The situation remains unresolved until all affected devices have updated their Secure Boot keys.