Our Take
This is not a security patch you can skip—machines that don't update will stop being protected against new UEFI threats, but they'll keep working, which is why most users will ignore it until it's too late.
Why it matters
UEFI bootkits load before your operating system and are nearly impossible to remove even with a full OS reinstall. The LogoFail vulnerability discovered in 2023 made this threat concrete for almost every Windows and Linux machine in use today.
Do this week
IT teams: Check Windows Security > Device Security > Secure Boot on every managed device this week so you can identify machines that need manual updates before June 24.
Three Secure Boot certificates expire June 24
Microsoft-signed cryptographic keys that protect your system's boot sequence will expire on June 24, 2026. These certificates are the foundation of Secure Boot, an industry standard that verifies the digital signatures of all code loaded during system startup. Windows 10 and Windows 11 machines are receiving updated certificates through regular monthly patches. Linux distributors are updating "shims," the small firmware bootloaders that bridge Secure Boot and the Linux kernel.
Machines that don't update will continue to function normally, but they lose protection against new UEFI-level attacks. To check your status on Windows, open Windows Security, go to Device Security, and look for Secure Boot. A green checkmark means the update is complete. Older machines may require manual intervention.
Bootkits are the malware you cannot remove
UEFI bootkits infect your system's firmware and load before the operating system. Once installed, they can load malware at each startup, steal credentials, backdoor the system, or reinstall themselves even after you wipe the OS clean. They survive full system reinstallation.
Real-world UEFI attacks have been documented since 2018. LoJax, deployed by Kremlin-backed hackers, was the first known case. MosaicRegressor followed in 2020. Others have emerged under names including ESpecter, FinSpy, and MoonBounce. The LogoFail vulnerability discovered in 2023 exposed a critical weakness in the image-parsing code that displays manufacturer logos during boot—a flaw present in UEFI implementations on nearly every Windows and Linux system in the world. Attackers could exploit this to bypass Secure Boot entirely and inject malicious firmware.
The key refresh is Microsoft's response to LogoFail. New certificates dated 2023 replace the 2011-era signatures that the vulnerability exploits. Without the update, your machine remains vulnerable to the specific attack vector LogoFail demonstrated, plus any future UEFI attacks that may emerge.
Plan for stragglers now
Most Windows machines will receive the updated keys automatically through monthly Windows Update. Older hardware, machines on delayed patching schedules, or systems running on legacy firmware may not update on their own and will require manual certificate installation or firmware updates.
Don't install new motherboard firmware updates until after the new Secure Boot certificates are in place. Firmware updates can complicate the key refresh process. Audit your fleet by June 20 to identify machines that haven't completed the update, then schedule manual remediation before the June 24 deadline. After expiration, unpatched machines will not fail to boot, but they will be unprotected against the entire class of threats Secure Boot was designed to prevent.
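For the device check above and the fleet audit, the following PowerShell script (an added example, not from the article or from Microsoft) reads a machine's Secure Boot state and looks for the 2023 Microsoft certificates in its UEFI db and KEK variables. It assumes the built-in SecureBoot module cmdlets (Confirm-SecureBootUEFI, Get-SecureBootUEFI) and an elevated prompt; the host names in $fleet and the CSV path are constructed placeholders.

```powershell
# Added example (not the article's code): audit a Windows machine's Secure Boot state
# and whether the 2023 Microsoft certificates are enrolled. Run elevated on Windows 10/11.

function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        SecureBootOn     = $null
        Db_WindowsCA2023 = $false   # "Windows UEFI CA 2023" present in db (signs Windows boot manager)
        Db_UefiCA2023    = $false   # "Microsoft UEFI CA 2023" present in db (signs third-party code such as Linux shim)
        Kek_2023         = $false   # "Microsoft Corporation KEK 2K CA 2023" present in KEK
        Db_Old2011       = $false   # 2011-era Windows Production PCA still present (normal during transition)
        NeedsAttention   = $true
        Error            = $null
    }

    try {
        # Returns $true/$false; throws on legacy BIOS systems, which the catch block records.
        $result.SecureBootOn = Confirm-SecureBootUEFI

        # db and KEK are EFI signature lists holding DER certificates. Subject names are stored
        # as printable strings, so a plain text search tells which CAs are enrolled.
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

        $result.Db_WindowsCA2023 = [bool]($db  -match 'Windows UEFI CA 2023')
        $result.Db_UefiCA2023    = [bool]($db  -match 'Microsoft UEFI CA 2023')
        $result.Kek_2023         = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')
        $result.Db_Old2011       = [bool]($db  -match 'Microsoft Windows Production PCA 2011')

        # Treat a machine as done only when Secure Boot is on and both the new db and KEK
        # entries are present; anything else goes on the manual-remediation list.
        $result.NeedsAttention = -not ($result.SecureBootOn -and
                                       $result.Db_WindowsCA2023 -and
                                       $result.Kek_2023)
    }
    catch {
        $result.Error = $_.Exception.Message
    }

    [pscustomobject]$result
}

# Local check: one object describing this machine.
Get-SecureBootCertStatus | Format-List

# Fleet audit: run the same function on each managed host (placeholder names, assumed
# WinRM access) and export only the stragglers for scheduling before the deadline.
$fleet  = @('PC-01', 'PC-02')
$report = Invoke-Command -ComputerName $fleet -ScriptBlock ${function:Get-SecureBootCertStatus} -ErrorAction SilentlyContinue
$report | Where-Object NeedsAttention |
    Select-Object ComputerName, SecureBootOn, Db_WindowsCA2023, Db_UefiCA2023, Kek_2023, Error |
    Export-Csv -Path .\secureboot-stragglers.csv -NoTypeInformation
```

A machine that reports SecureBootOn as $false, or an Error such as an unsupported-platform message, is firmware-level work rather than a Windows Update problem, so keep those rows separate from hosts that merely lack the 2023 entries; the latter usually just need the monthly cumulative update applied and a reboot. The Db_Old2011 column is informational: the old certificate is expected to remain alongside the new one during the transition.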