Overview
- The Microsoft KEK CA 2011 certificate expires on Wednesday, June 24, 2026, starting a staged retirement of the 2011 Secure Boot trust anchors stored in PC firmware.
- Microsoft says most supported Windows 10 and 11 devices will get the 2023 replacement certificates automatically through Windows Update, but older hardware, enterprise fleets, servers and virtual machines may require manual or vendor action.
- Machines that miss the new keys will generally continue to boot normally, but they lose the ability to receive future boot-level revocations and mitigations, which weakens early-boot security over time.
- Linux install workflows face a looming compatibility problem: the shim bootloader is signed with a 2011 Microsoft key that expires in September, so installation media will fail Secure Boot verification unless shim is re-signed with the 2023 key or the firmware receives the new key.
- Delivery tools such as LVFS/fwupd and vendor firmware updates are rolling out KEK/db changes with high success rates, but known failure modes exist, including efivarfs write errors and rare platform-key problems. Administrators should inventory firmware key states, test representative units, stage rollouts, and be prepared to fall back on firmware updates or to temporarily disable Secure Boot for some installs.
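The inventory step above, and the shim/db dependency from the Linux bullet, as an added example (not code from the original article or from any vendor tool): a small POSIX shell script that classifies a machine's Secure Boot key material from `efi-readvar` and `mokutil --sb-state` output, so a fleet scan can flag units that still carry only the 2011 Microsoft certificates. The certificate CN strings are assumed to match the well-known Microsoft certificate names as printed by `efi-readvar`; the sample variable dumps are constructed, not captured from real hardware.

```shell
#!/bin/sh
# Added example, not code from the original article: classify Secure Boot
# key material so a fleet inventory can flag units that still carry only
# the 2011 Microsoft certificates.
# Assumption: the CN strings below are the well-known Microsoft certificate
# names as printed by efi-readvar; adjust them if your tooling prints them
# differently.

KEK_2011='CN=Microsoft Corporation KEK CA 2011'
KEK_2023='CN=Microsoft Corporation KEK 2K CA 2023'
DB_UEFI_2011='CN=Microsoft Corporation UEFI CA 2011'
DB_UEFI_2023='CN=Microsoft UEFI CA 2023'

# has_cn DUMP CN -> prints yes/no depending on whether CN appears in DUMP.
has_cn() {
    if printf '%s\n' "$1" | grep -Fq -- "$2"; then echo yes; else echo no; fi
}

# classify_keys KEK_DUMP DB_DUMP -> one of:
#   updated : 2023 KEK enrolled and the 2023 UEFI CA is in db, so the platform
#             can accept new db/dbx updates and a shim signed under the 2023 CA
#   kek-only: 2023 KEK enrolled but db still lacks the 2023 UEFI CA
#   legacy  : only 2011 material; keeps booting for now but cannot receive
#             future boot-level revocations once the 2011 chain is retired
#   unknown : no Microsoft KEK found at all (custom or self-owned key set)
classify_keys() {
    kek="$1"; db="$2"
    if [ "$(has_cn "$kek" "$KEK_2023")" = yes ]; then
        if [ "$(has_cn "$db" "$DB_UEFI_2023")" = yes ]; then echo updated; else echo kek-only; fi
    elif [ "$(has_cn "$kek" "$KEK_2011")" = yes ]; then
        echo legacy
    else
        echo unknown
    fi
}

# sb_state MOKUTIL_OUTPUT -> enabled/disabled/unknown from `mokutil --sb-state` text.
sb_state() {
    case "$1" in
        *"SecureBoot enabled"*)  echo enabled ;;
        *"SecureBoot disabled"*) echo disabled ;;
        *)                       echo unknown ;;
    esac
}

# Constructed sample dumps shaped like efi-readvar output (not from real hardware).
SAMPLE_KEK_LEGACY='Variable KEK, length 1560
KEK: List 0, type X509
    Signature 0, size 1532, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011'
SAMPLE_KEK_UPDATED="$SAMPLE_KEK_LEGACY
KEK: List 1, type X509
    Signature 0, size 1510, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK 2K CA 2023"
SAMPLE_DB_LEGACY='Variable db, length 3143
db: List 0, type X509
    Signature 0, size 1572, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011'
SAMPLE_DB_UPDATED="$SAMPLE_DB_LEGACY
db: List 1, type X509
    Signature 0, size 1500, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023"

# Live inventory when the tools exist; otherwise report on the constructed samples.
if command -v efi-readvar >/dev/null 2>&1 && command -v mokutil >/dev/null 2>&1; then
    kek_dump=$(efi-readvar -v KEK 2>/dev/null || true)
    db_dump=$(efi-readvar -v db 2>/dev/null || true)
    echo "secure boot: $(sb_state "$(mokutil --sb-state 2>/dev/null || true)")"
    echo "key state:   $(classify_keys "$kek_dump" "$db_dump")"
else
    echo "legacy sample:  $(classify_keys "$SAMPLE_KEK_LEGACY" "$SAMPLE_DB_LEGACY")"
    echo "updated sample: $(classify_keys "$SAMPLE_KEK_UPDATED" "$SAMPLE_DB_UPDATED")"
fi
```

Run it on representative units before a staged rollout: a `legacy` result means the unit still needs the KEK/db update from LVFS/fwupd or a vendor firmware package, while `kek-only` identifies machines where the KEK landed but the db update did not, which is the state that still rejects a shim signed under the 2023 CA.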