ZDNET warns Secure Boot certificate expires June

ZDNET reported on May 19 that Windows users should check whether their PCs are ready for Microsoft’s Secure Boot certificate rollover before the first 2011-era certificates begin expiring in June 2026. Microsoft has said the certificates embedded across Windows-era firmware and boot trust chains are being replaced with newer 2023 certificates as part of a long-planned refresh of the boot security system. The issue reaches beyond consumer laptops because Microsoft says affected systems include physical and virtual machines on supported Windows releases dating back to Windows 10, Windows 11 and multiple Windows Server versions. Some Linux distributions are also involved because they rely on Microsoft-signed boot components to work with UEFI Secure Boot. ### Which certificate is expiring, and when? Microsoft said in support guidance and a Windows IT Pro blog post that the original Secure Boot certificates issued in 2011 begin expiring in June 2026. Red Hat’s developer guidance gives a specific date for one of the key milestones, saying Microsoft’s 2011 Secure Boot signing certificate is scheduled to expire on June 26, 2026. Microsoft has framed the change as a refresh of the cryptographic trust used during startup, before the operating system fully loads. (zdnet.com) Secure Boot is a UEFI firmware feature that checks digital signatures on boot software against trusted certificates stored in firmware. Microsoft says those certificates are part of the chain that validates firmware modules, boot loaders and related startup components. ### Will an unpatched Windows PC stop booting in June? (support.microsoft.com) Microsoft said devices that have not received the newer 2023 certificates will “continue to start and operate normally,” and standard Windows updates will still install. The company also said those devices will no longer be able to receive new protections for the early boot process, including updates to Windows Boot Manager, Secure Boot databases, revocation lists and mitigations for newly discovered boot-level vulnerabilities. (support.microsoft.com) Dell used similar language in a support note, saying that once the older certificates expire, affected machines can lose the ability to get updates for Windows Boot Manager and Secure Boot components. Microsoft’s public guidance says the way to receive timely certificate updates on supported Windows systems is to allow Microsoft-managed Windows updates and to keep OEM firmware current. (support.microsoft.com) ### Why are Linux systems part of this story? Microsoft said in its Windows IT Pro guidance that Linux systems dual-booting with Windows will rely on the certificate updates Windows installs. Red Hat said existing RHEL systems that boot successfully now will continue to boot after June 26, 2026, because the expiration affects signing of new boot components rather than already trusted ones. (dell.com) SUSE described a narrower risk around future shim updates, saying shims signed with the new key will require updated certificates in firmware. The fwupd project said Linux machines will not suddenly stop booting when the certificate expires, but warned that future newly signed shim binaries may not boot on systems that never received the new certificate in their Secure Boot database. (techcommunity.microsoft.com) ### What are users supposed to check right now? ZDNET said users should check firmware status, Secure Boot certificate status and vendor guidance before the June deadline. Microsoft has published a Secure Boot playbook and a landing page at aka.ms/GetSecureBoot, and Microsoft Learn says users should update Windows devices with 2023 certificates before the June 2026 expiration. ASUS told customers in an April support note to ensure systems with Secure Boot enabled are updated to the 2023 Microsoft certificates before mid-2026. (support.scc.suse.com) Dell said it has been adding the 2023 certificate through BIOS updates and recommends customers keep BIOS versions current; Dell also said some driver pages now explicitly note when a BIOS contains the new 2023 Secure Boot certificates. ### Where does Microsoft say the rollout stands? (zdnet.com) Microsoft said in November 2025 that the first tools and steps were available to proactively update Secure Boot certificates ahead of the June 2026 expiration window. The company also published an IT admin guide describing new status indicators in the Windows Security app and says comprehensive guidance remains available through its Secure Boot playbook and the GetSecureBoot page. (asus.com) May 19 is now less than six weeks from June 26, 2026, the date Red Hat cites for the 2011 certificate expiration. Microsoft, OEM support pages and Linux vendors are continuing to publish readiness guidance, and Microsoft’s current public instruction is for users and administrators to verify certificate status, apply firmware updates where available and follow vendor-specific Secure Boot guidance before that date. (developers.redhat.com) (techcommunity.microsoft.com)