The first Windows Secure Boot expiration date is here for more than a billion PCs, with more to come - and even some Linux distros are affected. Is your PC ready?
Last year's end-of-support deadline for Windows 10 was a big test for consumers and IT pros alike. Congratulations -- everyone passed! Before you start celebrating, though, pay attention to another crucial expiration date that's arriving this week. Four crucial Microsoft security certificates are expiring, with the first one expiring today, June 24, 2026.
Microsoft has been refreshingly transparent about what it's doing to replace these old certificates, with guidance for both consumers and enterprise customers. It also added an easy way for anyone to check the status of the certificates, using the built-in Windows Security utility. (More details on that later in this post.) Oh, and now might be a really good time to make sure you have saved a copy of your BitLocker recovery key, just in case.
This deadline is a little more complicated than the Windows 10 end-of-support date. To understand why, we need to talk about a core security feature found in every Windows PC designed and built since 2011: Secure Boot. This feature, enabled by default on new PCs sold with Windows 10 and Windows 11, acts as a gatekeeper, allowing only trusted software to run at startup. If someone tries to tamper with the operating system or boot from an alternate device, Secure Boot blocks that attempt.
All currently supported versions of Windows support Secure Boot, as do an increasing number of Linux distributions, including Ubuntu, Fedora, Linux Mint, OpenSUSE, and a host of others.
Secure Boot relies on a chain of cryptographic certificates that verify each boot component's signature. One of the most important certificates is the Key Enrollment Key (KEK), which is also sometimes called the Key Exchange Key. It sits in the UEFI firmware on every modern PC and works with the Trusted Platform Module (TPM) to manage the list of trusted bootloaders, which are contained in the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX).
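To make the DB and DBX concrete, here is an added example (not code from the original article or from Microsoft) that parses the `EFI_SIGNATURE_LIST` layout the UEFI specification uses for both databases and tallies certificate and hash entries. The function names, the owner GUID and the sample bytes are constructed for illustration.

```python
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # EFI_CERT_X509_GUID
SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # EFI_CERT_SHA256_GUID
TYPE_NAMES = {X509: "x509", SHA256: "sha256"}
HEADER = 28  # type GUID (16) + list size, header size, signature size (4 each)

def parse_signature_lists(blob):
    """Return (type_name, owner_guid, data) for every entry in a db/dbx blob."""
    entries, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        if (list_size < HEADER + hdr_size or pos + list_size > len(blob)
                or sig_size < 16):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = blob[pos + HEADER + hdr_size:pos + list_size]
        if len(body) % sig_size:
            raise ValueError("entries do not fill the list exactly")
        kind = TYPE_NAMES.get(sig_type, str(sig_type))
        for off in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[off:off + 16])
            entries.append((kind, owner, body[off + 16:off + sig_size]))
        pos += list_size
    return entries

def count_by_type(entries):
    """Tally entries per signature type, e.g. certificates versus hashes."""
    counts = {}
    for kind, _owner, _data in entries:
        counts[kind] = counts.get(kind, 0) + 1
    return counts

def build_list(sig_type, owner, items):
    """Pack equal-length items into one EFI_SIGNATURE_LIST (sample builder)."""
    body = b"".join(owner.bytes_le + item for item in items)
    sizes = struct.pack("<III", HEADER + len(body), 0, 16 + len(items[0]))
    return sig_type.bytes_le + sizes + body

# Constructed sample: placeholder bytes stand in for one certificate and two hashes.
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")  # made-up owner GUID
SAMPLE_DB = (build_list(X509, OWNER, [b"\x30\x82" + b"\x00" * 30])
             + build_list(SHA256, OWNER, [b"\xaa" * 32, b"\xbb" * 32]))

if __name__ == "__main__":
    print(count_by_type(parse_signature_lists(SAMPLE_DB)))
```

On a real machine the input is the raw `db` or `dbx` variable: the `Bytes` property returned by PowerShell's `Get-SecureBootUEFI`, or on Linux the efivarfs file for the variable with its 4-byte attribute prefix stripped.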
