Secure Boot Key Expiration Is Coming – How to Update Windows and Linux Machines Today
✅ Microsoft's original (2011) Secure Boot certificates begin expiring in June 2026; the Windows Production PCA 2011 follows in October 2026
✅ Windows devices receive the 2023 certificates via Windows Update; some need OEM firmware patches first
✅ Linux boots through shim, which Microsoft signs; the 2023 CA must reach the firmware db through an OEM firmware update or fwupd, not through MOK enrollment
✅ Devices that miss the update keep booting but stop receiving new boot managers, shim builds and dbx revocations
✅ Act now: verify certificates, apply firmware, and test boot after changes
Microsoft's original Secure Boot certificates, issued in 2011, begin expiring in June 2026, and the shim loaders that Linux distributions use are signed under the same Microsoft CA hierarchy. A PC or server that still carries only the 2011 certificates keeps booting, but it stops receiving boot-level security fixes, which from then on are signed under the replacement 2023 certificates. This article shows what to do on Windows and Linux, why the deadline matters, and which steps give the best protection.
What is Secure Boot and why do keys expire?
Secure Boot has the UEFI firmware verify each boot component (option ROMs, the OS boot manager, or shim) before running it: the component's Authenticode signature must chain to a certificate in the firmware's signature database (db), and neither the binary's hash nor its certificate may appear in the forbidden database (dbx). The db and dbx can only be changed by updates signed with a Key Exchange Key (KEK), and the KEK itself can only be changed by updates signed with the OEM's Platform Key (PK). On most PCs the KEK and db hold Microsoft certificates, and Linux distributions have their shim signed by Microsoft so the same db trusts it. Like any X.509 certificate, a CA certificate carries a validity period; expiring and rotating keys limits how long a compromised or obsolete key stays useful.
In 2023 Microsoft issued replacement CAs: the Microsoft Corporation KEK 2K CA 2023 (replacing the KEK CA 2011), the Windows UEFI CA 2023 (replacing the Windows Production PCA 2011 for Windows boot components), and the Microsoft UEFI CA 2023 (replacing the UEFI CA 2011 that signs third-party loaders such as shim, with a separate Microsoft Option ROM UEFI CA 2023 for option ROMs). Microsoft has since begun signing shim under the Microsoft UEFI CA 2023. The 2011 certificates start expiring in June 2026.
Expiry does not break booting: UEFI firmware does not check certificate validity dates when it verifies a signature, so binaries signed under the 2011 CAs keep loading. What changes is what Microsoft can sign going forward. New Windows Boot Manager builds, new shim releases, and new dbx revocation lists will be issued under the 2023 CAs, and a firmware whose db and KEK hold only the 2011 certificates cannot verify them. A device stuck on the 2011 set therefore keeps its current protections but never gains new ones, and bootloaders revoked after that point stay bootable on it.
Impact on Windows machines
Microsoft’s support documentation explains that devices whose KEK and db still hold only the 2011 certificates keep booting after June 2026, but no longer receive new Secure Boot protections. The impact includes:
- ❌ No new Windows Boot Manager releases: once the 2011 CA expires, new builds are signed under the Windows UEFI CA 2023, which the firmware does not trust.
- ❌ No updates to the Secure Boot DBX revocation list, since new DBX updates are signed under the 2023 KEK.
- ❌ No mitigations for newly discovered boot-level vulnerabilities.
Many devices shipped since 2024 already carry the 2023 certificates in db and KEK. Older devices, especially corporate laptops from 2015-2019, may need a firmware update from the OEM first: the KEK can only be replaced with an update signed by that OEM's Platform Key, and some older firmware has bugs that make the variable writes fail.
Microsoft is rolling the 2023 certificates out through Windows Update in stages. Windows logs Event ID 1801 ("Secure Boot CA/keys need to be updated") in the Microsoft-Windows-SecureBoot/Operational log while the update is pending, and records progress in the registry value UEFICA2023Status under HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing (Not Started, In Progress, or Updated). For IT-managed devices Microsoft documents a registry opt-in (the MicrosoftUpdateManagedOptIn value, shown in the Windows guide below); if the update still fails, the admin must flash the latest BIOS/UEFI from the OEM and retry.
Impact on Linux machines
Linux boots through the shim first-stage loader. Shim is signed by Microsoft (historically under the Microsoft Corporation UEFI CA 2011, now increasingly under the Microsoft UEFI CA 2023), so the firmware can verify it against the db. Shim then verifies GRUB and the kernel against the distribution's own certificate, which is embedded in shim rather than stored in db, plus any keys the owner has enrolled in the Machine Owner Key (MOK) list. Distributions such as Ubuntu, Fedora, and openSUSE ship new shim builds through their regular package updates.
If a Linux system's firmware db holds only the 2011 Microsoft CA, it will still boot after June 2026, but a future shim release signed only under the 2023 CA will be rejected by the firmware, and the system will miss new dbx revocation entries that block vulnerable or compromised bootloaders.
On Linux, firmware updates arrive through fwupd and the Linux Vendor Firmware Service (LVFS) where the OEM publishes there, and through the vendor's own tool or the BIOS menu where it does not. fwupd also distributes the Microsoft dbx revocation list, and newer fwupd releases can apply Microsoft's KEK and db updates on firmware that accepts them. mokutil only manages the MOK list that shim consults; it cannot write the Microsoft 2023 CA into the firmware db, so the update is a firmware-level change, not a package install.
How to check if your device is affected
Run the following commands before the June 2026 deadline. They read the firmware's db and KEK variables directly, which is where the certificates actually live.
# Windows PowerShell (elevated)
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI KEK).bytes) -match 'Microsoft Corporation KEK 2K CA 2023'
# Linux (bash)
sudo mokutil --db  | grep -i 'UEFI CA'
sudo mokutil --kek | grep -i 'KEK'
If the PowerShell commands return False, or the Linux output lists only the 2011 certificates (no "Microsoft UEFI CA 2023" in db, no "KEK 2K CA 2023" in KEK), you need to act. Note that mokutil --list-enrolled shows your own MOK entries, not the firmware db, so it says nothing about this problem.
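The two checks above only grep for a name. As an added example (not code from the original article or from Microsoft), the following Python parses the raw variable the same way the firmware does: it walks the EFI_SIGNATURE_LIST array that `(Get-SecureBootUEFI db).bytes` and efivarfs both return, pulls the subject CN and notAfter out of each X.509 entry with a minimal DER walker, and flags entries that are expired as of a chosen date. It assumes the UEFI specification layout for EFI_SIGNATURE_LIST and EFI_SIGNATURE_DATA; the sample db, the certificate skeletons and their expiry dates are constructed stand-ins, not the real Microsoft certificates, and nothing here verifies signatures. The same report function is what the strategy section below means by an inventory script that checks NotAfter.

```python
"""Added example: parse a raw Secure Boot db/KEK variable and report which Microsoft CAs it holds.

Feed it the bytes from (Get-SecureBootUEFI db).bytes on Windows, or the contents of
/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f on Linux minus the
4-byte attribute prefix efivarfs prepends. The sample data at the bottom is constructed."""
import struct
import uuid
from datetime import datetime, timezone

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")   # EFI_CERT_X509_GUID
OID_COMMON_NAME = bytes.fromhex("550403")                                 # id-at-commonName 2.5.4.3

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def parse_x509_summary(der):
    """Return (subject CN, notAfter) of a DER certificate. Structural walk only; no signature check."""
    _, cert_s, _ = _tlv(der, 0)                         # Certificate SEQUENCE
    _, tbs_s, tbs_e = _tlv(der, cert_s)                 # tbsCertificate SEQUENCE
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, vs, ve = fields[3]
    _not_before, (time_tag, ts, te) = list(_children(der, vs, ve))
    fmt = "%y%m%d%H%M%SZ" if time_tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    not_after = datetime.strptime(der[ts:te].decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    cn = None
    _, ss, se = fields[4]
    for _, set_s, set_e in _children(der, ss, se):               # subject: SEQUENCE OF RDN (SET)
        for _, seq_s, seq_e in _children(der, set_s, set_e):     # each holding AttributeTypeAndValue
            (_, os_, oe), (_, vs2, ve2) = list(_children(der, seq_s, seq_e))
            if der[os_:oe] == OID_COMMON_NAME:
                cn = der[vs2:ve2].decode("utf-8")
    return cn, not_after

def parse_signature_lists(blob):
    """Walk the EFI_SIGNATURE_LIST array in db/dbx/KEK; yield (type GUID, owner GUID, signature data)."""
    pos = 0
    while pos + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        for off in range(pos + 28 + hdr_size, pos + list_size, sig_size):
            owner = uuid.UUID(bytes_le=blob[off:off + 16])       # EFI_SIGNATURE_DATA.SignatureOwner
            yield sig_type, owner, blob[off + 16:off + sig_size]
        pos += list_size

def secure_boot_ca_report(blob, now):
    """List (CN, notAfter, expired as of `now`) for every X.509 entry; SHA-256 hash entries are skipped."""
    report = []
    for sig_type, _owner, data in parse_signature_lists(blob):
        if sig_type == EFI_CERT_X509_GUID:
            cn, not_after = parse_x509_summary(data)
            report.append((cn, not_after, not_after < now))
    return report

def missing_2023_ca(report):
    """True when no 'UEFI CA 2023' certificate is present, i.e. the device still needs the update."""
    return not any(cn and "UEFI CA 2023" in cn for cn, _, _ in report)

# ---- constructed sample data (hypothetical; stands in for a real db variable) ----
def _der(tag, payload):
    """Encode one DER element with definite length (payloads up to 65535 bytes)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    return bytes([tag, 0x81, n]) + payload if n < 0x100 else bytes([tag, 0x82]) + n.to_bytes(2, "big") + payload

def fake_ca_cert(cn, not_after_utctime):
    """Unsigned certificate skeleton carrying only the fields the parser reads. Not a real certificate."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_COMMON_NAME) + _der(0x0C, cn.encode()))))
    validity = _der(0x30, _der(0x17, b"110101000000Z") + _der(0x17, not_after_utctime.encode()))
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg
               + name + validity + name + _der(0x30, b""))   # empty SubjectPublicKeyInfo placeholder
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00"))   # empty signature placeholder

def fake_db(certs, owner=uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")):
    """One EFI_SIGNATURE_LIST per certificate, laid out as firmware stores db/KEK (owner GUID arbitrary here)."""
    blob = b""
    for der in certs:
        sig_size = 16 + len(der)
        blob += EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
        blob += owner.bytes_le + der
    return blob

CHECK_DATE = datetime(2026, 7, 1, tzinfo=timezone.utc)   # the day after the June 2026 deadline
# notAfter values below are placeholders chosen for the demo, not copied from the real certificates.
SAMPLE_DB_UPDATED = fake_db([fake_ca_cert("Microsoft Corporation UEFI CA 2011", "260627000000Z"),
                             fake_ca_cert("Microsoft UEFI CA 2023", "380613000000Z")])
SAMPLE_DB_OLD_ONLY = fake_db([fake_ca_cert("Microsoft Corporation UEFI CA 2011", "260627000000Z")])
REPORT_UPDATED = secure_boot_ca_report(SAMPLE_DB_UPDATED, CHECK_DATE)
REPORT_OLD_ONLY = secure_boot_ca_report(SAMPLE_DB_OLD_ONLY, CHECK_DATE)
```

On a real machine, replace the constructed `SAMPLE_DB_*` blobs with the variable contents (for example `open("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f", "rb").read()[4:]` on Linux) and feed `secure_boot_ca_report` today's date; a device whose report has `missing_2023_ca` true, or whose only Microsoft entries are expired, is the one that still needs the firmware update. Parsing the structure rather than grepping also lets you run the same code over dbx, where the entries are SHA-256 hashes rather than certificates.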
Step-by-step Windows update guide
1️⃣ Open Settings → Windows Update and install the latest cumulative update; the certificate servicing logic ships in the monthly updates.
2️⃣ Check Event Viewer under "Microsoft-Windows-SecureBoot/Operational": Event ID 1801 means the certificates still need updating, Event ID 1808 means they are up to date. The same state is in the registry:
(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing).UEFICA2023Status
3️⃣ If the status is not "Updated", opt the device in to Microsoft-managed Secure Boot servicing and start the servicing task that applies the variables (both documented by Microsoft; run from an elevated PowerShell):
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot /v MicrosoftUpdateManagedOptIn /t REG_DWORD /d 0x5944 /f
Start-ScheduledTask -TaskPath "\Microsoft\Windows\PI\" -TaskName "Secure-Boot-Update"
4️⃣ Reboot. Verify with the Get-SecureBootUEFI commands from the previous section and re-read UEFICA2023Status.
5️⃣ If the update still fails (the same event log records firmware errors during the variable write), download the latest BIOS/UEFI firmware from your OEM (Dell, HP, Lenovo, etc.) and flash it. OEM release notes for these updates usually mention the 2023 Secure Boot certificates or a KEK update.
6️⃣ After flashing, repeat steps 3 and 4.
Tip: Microsoft's automatic rollout is staged through Controlled Feature Rollout and relies on devices sending diagnostic data; on devices where diagnostic data is turned off, the registry opt-in in step 3 is the documented way to receive the certificates.
Step-by-step Linux update guide
1️⃣ Update your distro so you have the current shim, GRUB, kernel and fwupd packages. For Ubuntu:
sudo apt update && sudo apt full-upgrade
2️⃣ Read the firmware's db and KEK (these are UEFI variables, not distro packages):
sudo mokutil --db  | grep -i 'UEFI CA'
sudo mokutil --kek | grep -i 'KEK'
3️⃣ Ask fwupd for pending firmware, dbx, KEK or db updates and apply them:
sudo fwupdmgr refresh --force
sudo fwupdmgr get-updates
sudo fwupdmgr update
4️⃣ If your OEM does not publish to LVFS, flash the latest UEFI firmware with the vendor's own tool or from the BIOS setup menu.
5️⃣ Reboot, then confirm Secure Boot is still enabled and the new CA is present:
mokutil --sb-state
sudo mokutil --db | grep -i 'Microsoft UEFI CA 2023'
6️⃣ Keep mokutil --import for its real purpose: enrolling your own signing key in the MOK list so shim trusts locally built kernels or modules. Enrolling a Microsoft CA there does not put it in the firmware db, because the firmware verifies shim against db before shim ever reads the MOK list.
Comparison: Windows vs Linux Secure Boot updates
| Aspect | Windows | Linux |
|---|---|---|
| Update delivery | Windows Update writes the new KEK/db entries (staged rollout); OEM firmware update where the firmware needs it | fwupd/LVFS (dbx, and KEK/db on newer fwupd) or the OEM's firmware tool; shim itself comes from the distro package manager |
| Typical user action | Confirm UEFICA2023Status is "Updated"; otherwise set the registry opt-in and run the Secure-Boot-Update task | Run apt/dnf/zypper update, then fwupdmgr update; check mokutil --db |
| Where the 2023 CA comes from | Microsoft, applied by Windows as a KEK-signed db update | Microsoft, applied as a KEK-signed db update by the firmware or fwupd; it cannot be injected through MOK |
| Risk if not updated | No new boot manager builds, no new dbx revocations, no new boot-level mitigations | Future shim releases rejected; no new dbx revocations or boot-level mitigations |
| Dates to watch | KEK CA 2011 and UEFI CA 2011 expire June 2026; Windows Production PCA 2011 expires October 2026 | Same Microsoft dates, since shim is signed under the Microsoft UEFI CA |
Original analysis: What the expiration means for security strategy
Many organizations treat Secure Boot as a "set-and-forget" control. The 2026 expiration forces a shift from passive reliance to active lifecycle management. In practice, the cost of a missed certificate is not a broken system but a growing attack surface: bootloaders revoked after June 2026 stay bootable on devices whose dbx can no longer be updated, giving an attacker who already has administrative access a foothold before the OS even loads.
For enterprises, the real ROI comes from integrating certificate health checks into existing compliance tooling (e.g., Configuration Manager, Intune, or Ansible). A simple inventory script that reads the db and KEK variables, flags devices without the 2023 CAs or with only expired Microsoft entries, and raises a ticket can prevent dozens of vulnerable endpoints.
For developers building custom firmware or embedded Linux, the deadline is a reminder to ship the 2023 CAs (and the Microsoft Corporation KEK 2K CA 2023) in the default db and KEK of new firmware images now. Shipping a device with only the 2011 keys after 2026 means a field firmware update later, a costly and time-consuming process.
Who should use this guide?
- ✅ IT admins managing Windows 10/11 fleets older than 2022.
- ✅ Linux sysadmins of Ubuntu, Fedora, or openSUSE servers built before 2023.
- ✅ OEM engineers planning firmware releases for 2026-2028.
- ✅ Security auditors who need to verify Secure Boot compliance.
If you fall into any of these groups, follow the step-by-step sections now. Delaying past June 2026 will force you to patch devices under pressure, which often leads to missed updates and compliance gaps.
Bottom line
The Secure Boot key expiration in June 2026 is not a show-stopper, but it is a warning sign. Windows users can rely on automatic updates, but they must verify that the 2023 certificates are present. Linux users need to check the firmware variables and get the new CA into the db through fwupd or an OEM firmware update. Both platforms benefit from proactive monitoring and firmware readiness.
Take action today: run the checks, apply the updates, and document the process. Your devices will stay boot-secure, and you will avoid a scramble when the certificates finally expire.