A looming deadline is forcing Windows and Linux users to act before a critical security mechanism weakens. Three cryptographic certificates used by Secure Boot—a security feature designed to prevent unauthorized early boot software—will expire on June 24. Without updating these keys, systems may become susceptible to firmware-level malware that loads before the operating system even starts.
Why Secure Boot matters and what’s at risk
Secure Boot is a security standard baked into most modern PCs to block malicious code from executing during the earliest stages of system boot. It verifies digital signatures on firmware and bootloaders to ensure only trusted software runs before the operating system loads. When Secure Boot fails—whether due to expired keys or misconfiguration—it creates an opening for bootkits, a particularly stealthy type of malware.
Bootkits embed themselves in firmware or bootloaders, loading before antivirus software, firewalls, or even the OS kernel. Once active, they can silently steal credentials, install backdoors, or reinfect systems even after a clean OS reinstall. Because these infections occur before the OS boots, traditional security tools often miss them entirely.
Who is affected and what to do next
The impact spans Windows and Linux systems that rely on Secure Boot, including those running Windows 11, Windows 10, and popular Linux distributions such as Ubuntu, Fedora, and Debian. Microsoft has outlined the affected certificates and provided guidance in its official documentation, emphasizing that users should verify their systems are running the latest firmware and bootloader versions before the deadline.
To check if your system needs updates:
- Restart your device and enter the UEFI/BIOS settings (usually by pressing a key like F2, F12, DEL, or ESC during boot).
- Look for a Secure Boot configuration section and confirm whether the status is "Enabled."
- Check for firmware updates from your motherboard or device manufacturer.
- If using Linux, run `sudo mokutil --sb-state` in the terminal to verify Secure Boot status.
Most modern systems should receive updates automatically through manufacturer-provided tools or via Windows Update. For manually installed systems or custom builds, users may need to download firmware updates directly from the motherboard vendor’s website.
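The Linux status check from the list above can be scripted and paired with a look at certificate expiry dates. The following is an added example, not code from the article or from Microsoft: the function names, the sample certificate names and dates, and the cutoff year are constructed, and it assumes `mokutil --db` and `mokutil --kek` print certificates in OpenSSL's text layout.

```shell
#!/bin/sh
# Added example (not from the article): Secure Boot state plus certificate expiry triage.
# Assumption: certificate dumps follow OpenSSL's text layout, where each
# certificate's "Not After :" line precedes its "Subject:" line.

# sb_enabled: reads `mokutil --sb-state` output on stdin; succeeds if enabled.
sb_enabled() {
    grep -q '^SecureBoot enabled'
}

# expiring_certs CUTOFF: CUTOFF is YYYYMMDD. Reads a certificate dump on stdin
# and prints "YYYYMMDD <subject CN>" for every certificate expiring by CUTOFF.
expiring_certs() {
    awk -v cutoff="$1" '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= n; i++) month[names[i]] = i
    }
    /Not After *:/ {                      # e.g. "Not After : Jun 24 12:00:00 2030 GMT"
        sub(/.*Not After *: */, "")       # fields are now: Mon DD HH:MM:SS YYYY TZ
        expiry = sprintf("%04d%02d%02d", $4, month[$1], $2)
    }
    /^[ \t]*Subject:/ && expiry != "" {   # skips "Subject Public Key Info:"
        cn = $0
        if (cn ~ /CN *=/) { sub(/.*CN *= */, "", cn) } else { sub(/^[ \t]*Subject: */, "", cn) }
        if (expiry + 0 <= cutoff + 0) print expiry, cn
        expiry = ""
    }'
}

# Constructed sample standing in for a certificate dump; names and dates are made up.
SAMPLE_DB='[key 1]
        Issuer: CN=Example Root (constructed)
        Validity
            Not Before: Jun 24 12:00:00 2015 GMT
            Not After : Jun 24 12:00:00 2030 GMT
        Subject: O=Example Corp, CN=Example UEFI CA A (constructed)
[key 2]
        Validity
            Not Before: Jan  5 12:00:00 2023 GMT
            Not After : Jan  5 12:00:00 2038 GMT
        Subject: O=Example Corp, CN=Example UEFI CA B (constructed)'

# On a real machine (cutoff year is a placeholder; the article gives only the day):
#   mokutil --sb-state | sb_enabled && mokutil --db | expiring_certs 20300624
printf '%s\n' "$SAMPLE_DB" | expiring_certs 20300624
```

Running the same filter over `mokutil --kek` covers the key exchange keys as well as the signature database.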
The stakes: Preventing silent, persistent attacks
The expiration of these certificates isn’t just a technical nuisance—it’s a potential security gap that adversaries could exploit to deploy undetectable malware. Even organizations with robust endpoint protection may overlook boot-level threats without proactive checks. Microsoft’s warning underscores the importance of routine firmware maintenance, an often-overlooked layer of cybersecurity hygiene.
Users who delay updates risk leaving their systems exposed until the next boot cycle, at which point malware could already be entrenched. While the risk is real, the solution is straightforward: update firmware, verify Secure Boot status, and stay vigilant about manufacturer notifications.
The June 24 deadline serves as a reminder that security isn’t just about software patches—it’s about the entire boot chain, from firmware to OS. Taking action now could prevent a costly and hard-to-remove infection later.
AI summary
Secure Boot certificates expire on June 24 for Windows and Linux users. Learn how to update your systems to stay protected against bootkit attacks.