Microsoft Secure Boot Certificate Expiry Leaves Linux Boot Media and Azure VMs in the Lurch
23.06.2026 - 13:05:34 | boerse-global.de
Linux users who rely on Microsoft’s Secure Boot keys to boot their systems face a double deadline this year. While the main Microsoft Secure Boot certificates expire on June 24, 2026, a separate certificate that Linux installation media depend on runs out on September 11. In practice, anyone who wants to keep receiving shim updates after June 27 must already have the new 2023 certificates enrolled.
Without switching to the latest certificates, computers will still boot and run normally, but they lose the ability to install new security patches for the boot process and updated block lists (DBX updates). Over time, this leaves them more exposed to bootkit attacks. The expiry affects keys including the Microsoft Corporation KEK CA 2011, the UEFI CA 2011, and the Windows Production PCA 2011. Microsoft has released detailed guides to help users migrate to the 2023 generation certificates.
Windows 11 users can check their Secure Boot status inside the Windows Security app, where a traffic-light indicator shows whether the configuration is current. Administrators can also query the status via PowerShell; if the check for the Windows UEFI CA 2023 returns True, the system is already on the new standard.
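As an added example (not from the article or from Microsoft's documentation), the PowerShell check described above can be widened into a small function that reports, in one object, which 2023-generation and which expiring 2011-generation certificates are present in the firmware db and KEK variables. The function name is made up; the certificate subject strings other than Windows UEFI CA 2023 are assumed from Microsoft's published naming, and the function needs an elevated session on a UEFI system.

```powershell
# Added example: report which Microsoft Secure Boot CA certificates are
# enrolled in the firmware db and KEK variables. Function name is hypothetical.
# Run from an elevated PowerShell prompt on a UEFI system:
#   Get-SecureBootCertStatus
function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI throws on legacy BIOS; report that as $null.
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $null }

    # The variables contain DER certificates; the subject CNs are plain ASCII,
    # so a substring match on the raw bytes is enough to detect each CA.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    [pscustomobject]@{
        SecureBootEnabled   = $enabled
        # 2023-generation certificates (migration target)
        WindowsUefiCa2023   = $db  -match 'Windows UEFI CA 2023'
        MicrosoftUefiCa2023 = $db  -match 'Microsoft UEFI CA 2023'    # assumed name; signs third-party shim
        Kek2023             = $kek -match 'Microsoft Corporation KEK 2K CA 2023'   # assumed name
        # 2011-generation certificates that expire in 2026
        WindowsPca2011      = $db  -match 'Microsoft Windows Production PCA 2011'
        UefiCa2011          = $db  -match 'Microsoft Corporation UEFI CA 2011'
        Kek2011             = $kek -match 'Microsoft Corporation KEK CA 2011'
    }
}
```

A machine with only the 2011 entries set to True is still bootable but will stop receiving shim and DBX updates once the migration deadline passes; the 2023 entries must read True before a firmware or Linux vendor update can be considered complete.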
Older hardware poses a challenge because some firmware versions do not directly support the 2023 keys. In those cases, BIOS updates from manufacturers are required. Experts recommend also checking the Linux Vendor Firmware Service (LVFS) or manually adding the keys in the UEFI settings.
For Azure virtual machines with Trusted Launch or Confidential VMs, Microsoft has published separate guidance. A particular sticking point is Linux confidential VMs created before April 2024. The certificate update can fail on those VMs because the sealing mechanism is bound to the virtual Trusted Platform Module (vTPM); if the update disrupts that binding, the system boots into recovery mode. Microsoft advises recreating the affected VMs in such cases.
The certificate migration coincides with other Microsoft updates. Since June 22, the company has been pushing the Windows 25H2 update to Home and Pro users, with support for older versions ending in October 2026. Version 26H2 is slated for the second half of the year as a feature enablement package on the existing platform. Separately, the Five Eyes intelligence alliance recently warned about the growing complexity of AI-powered cyberattacks, urging companies to treat cybersecurity as a strategic business risk that belongs in the boardroom. In parallel, Microsoft, Google, and Cloudflare are working on the PACT protocol, which aims to improve bot defence through anonymous tokens without conventional tracking.
