A security mechanism that runs before Windows or Linux even starts is approaching a deadline. Three Microsoft-signed certificates at the heart of Secure Boot expire on June 24, 2026, and computers that have not updated their firmware by then could fail to boot or expose new gaps to a class of malware that hides below the operating system, according to an Ars Technica explainer.
Secure Boot is a chain of trust that lives in the UEFI firmware, the modern replacement for the BIOS startup screen. When a computer turns on, Secure Boot checks the digital signature of every piece of software that loads during startup, from low-level firmware drivers through the bootloader that hands off to the operating system. If a signature does not match a certificate the firmware trusts, the system refuses to load it. The point is to block UEFI bootkits, a category of malware that infects the firmware layer beneath the operating system and therefore loads before any antivirus program has a chance to intervene. Once installed, a bootkit typically stages credential-stealing payloads or other malware onto the operating system after it comes up.
The certificates that anchor this check are themselves software, and like any cryptographic object they have an expiration date. Microsoft rotates its Secure Boot signing certificates on a multi-year cycle. The current batch of three certificates reaches its end of life on June 24, 2026, Ars Technica reports.
The exposure is not limited to Windows. Many Linux distributions rely on the same Microsoft-signed Secure Boot certificate chain to verify their bootloaders, which means a single expiration event affects two platforms at once. The Ars Technica piece is a trade-press explainer, and the underlying Microsoft advisory had not been independently fetched for this draft; specific certificate names, SHA values, and step-by-step remediation commands should be cross-checked against Microsoft's published schedule before being treated as authoritative.
For most users the fix lives at the firmware level, not the operating system level. A UEFI firmware update, often called a BIOS update, is what refreshes the certificate database inside the chip that controls startup. Operating system patches alone will not save a machine whose firmware still holds expired certificates. That is why the deadline matters even for users who keep their software up to date. A Secure Boot rotation is one of the rare cases where the security boundary sits below the operating system, in hardware that does not auto-update through the usual channels.
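One way to check what a machine's firmware currently trusts, as an added example that is not from the article or from Microsoft: the Python below parses a UEFI signature database (the EFI_SIGNATURE_LIST layout from the UEFI specification) and reports X.509 entries whose notAfter falls on or before a cutoff. The function names and the sample data are constructed for illustration; on Linux the real input would be the bytes of /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f with the first four attribute bytes removed.

```python
import struct, uuid
from datetime import datetime, timezone
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # EFI_CERT_X509_GUID

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(cert):
    """Walk Certificate -> tbsCertificate -> validity; return notAfter in UTC."""
    p = tlv(cert, tlv(cert, 0)[1])[1]          # enter Certificate, then tbsCertificate
    tag, _, end = tlv(cert, p)
    p = end if tag == 0xA0 else p              # skip the optional [0] version field
    for _ in range(3):                         # skip serialNumber, signature, issuer
        p = tlv(cert, p)[2]
    p = tlv(cert, tlv(cert, p)[1])[2]          # enter validity, skip notBefore
    tag, start, end = tlv(cert, p)
    text = cert[start:end].decode("ascii")
    if tag == 0x17:                            # UTCTime: YY < 50 means 20YY (RFC 5280)
        text = ("20" if text[:2] < "50" else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expiring(db, cutoff):
    """Return (owner GUID, notAfter) for X.509 entries expiring on or before cutoff."""
    hits, pos = [], 0
    while pos + 28 <= len(db):                 # 28-byte EFI_SIGNATURE_LIST header
        sig_type = uuid.UUID(bytes_le=db[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", db, pos + 16)
        if list_size < 28 or sig_size <= 16:   # malformed list: stop parsing
            break
        entry = pos + 28 + hdr_size
        while sig_type == X509_GUID and entry + sig_size <= pos + list_size:
            expiry = not_after(db[entry + 16:entry + sig_size])
            if expiry <= cutoff:
                hits.append((str(uuid.UUID(bytes_le=db[entry:entry + 16])), expiry))
            entry += sig_size
        pos += list_size
    return hits

def sample_db(expiry):
    """Constructed sample: one signature list with one skeletal DER certificate."""
    der = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    validity = der(0x30, der(0x17, b"200101000000Z") + der(0x17, expiry))
    tbs = der(0xA0, der(2, b"\x02")) + der(2, b"\x01") + der(0x30, b"") * 2 + validity
    entry = bytes(16) + der(0x30, der(0x30, tbs))            # all-zero owner GUID
    return X509_GUID.bytes_le + struct.pack("<III", 28 + len(entry), 0, len(entry)) + entry
```

Calling expiring(sample_db(b"260624000000Z"), cutoff) with the cutoff set to the end of June 24, 2026 returns the one constructed entry; hash-type signature lists in a real database are skipped because they carry no validity period.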
The upside is that the rotation itself is a planned event rather than an emergency. Certificate authority certificates expire on a published schedule so that vendors, distributions, and end users have time to prepare. The question for the next nine days is whether firmware updates have actually reached the devices people rely on, and whether Linux distributions that lean on Microsoft's certificate chain have shipped the updated shims that bridge the gap. For anyone who has ever wondered what Secure Boot actually does, the answer is that it is the one piece of the boot process designed to refuse to load anything it cannot prove is trustworthy. On June 24, 2026, the proof is changing.