
Multiple Microsoft secure boot keys expiring in 2026

Posted Jul 16, 2025 19:48 UTC (Wed) by ewen (subscriber, #4772)
Parent article: Linux and Secure Boot certificate expiration

FTR multiple Microsoft secure boot related CA keys are expiring in 2026:

https://support.microsoft.com/en-us/topic/windows-secure-...

Including the key used for updating the other keys (the Key Exchange Key aka KEK).

And Microsoft only really started on this replacement rollout in 2023, which means even systems bought as recently as 2023 or 2024 probably have to go through the key update / replacement process.

Also note that if you have a dual-boot system with Microsoft Windows using a TPM-unlocked BitLocker (i.e. automagically), then that is tied to the Secure Boot measurements, and thus will change when the keys used also change. Microsoft Windows supposedly can handle the new key / measurements expected… but only if it updates the Secure Boot keys itself, and thus updates the expected measurements to unlock the BitLocker encryption.

I suspect this will be a “fun” transition for any systems not on the happy path of very recent hardware, active BIOS updates / vendor, single OS boot, update managed by that OS vendor. And anyone with TPM / secure boot secured encrypted disks would be wise to have good backups (of the recovery keys and disk contents).

Ewen


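As an added illustration of the expiry problem described in the comment above (this is example code, not part of the thread or any Microsoft or vendor tool): the firmware stores db and KEK as concatenated EFI_SIGNATURE_LIST structures, each X.509 entry carrying a DER certificate with its own notAfter date. The script below walks those lists and extracts the validity window with a small ASN.1 reader, so an administrator can see which CA entries on a machine are due to expire. The EFI_CERT_X509_GUID and the efivarfs layout are from the UEFI specification; the sample database, the owner GUID and the stub certificates embedded at the bottom are constructed for this example and are not real Microsoft keys.

```python
"""Report expiry dates of X.509 entries in UEFI Secure Boot db / KEK variables.

Added example (not from the LWN thread). Walks EFI_SIGNATURE_LIST structures,
pulls notBefore/notAfter out of each DER certificate with a minimal ASN.1 walker,
and lists entries that expire before a chosen cutoff. No third-party libraries.
"""
import struct
import uuid
from datetime import datetime, timezone

# Real GUID from the UEFI spec: signature data is a DER X.509 certificate.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")


def der_tlv(buf, pos):
    """Return (tag, value_start, value_end, next_pos) for the TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def der_time(buf, start, end, tag):
    """Decode a UTCTime (0x17) or GeneralizedTime (0x18) value to an aware datetime."""
    s = buf[start:end].decode("ascii")
    if tag == 0x17:                         # YYMMDDHHMMSSZ; %y maps 00-68 to 20xx per RFC 5280
        return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if tag == 0x18:                         # YYYYMMDDHHMMSSZ
        return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError("unexpected time tag %#x" % tag)


def cert_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    _, cert_start, _, _ = der_tlv(der, 0)           # Certificate SEQUENCE
    _, pos, _, _ = der_tlv(der, cert_start)         # tbsCertificate SEQUENCE
    tag, _, _, nxt = der_tlv(der, pos)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(3):                              # skip serialNumber, signature, issuer
        _, _, _, pos = der_tlv(der, pos)
    _, vpos, _, _ = der_tlv(der, pos)               # validity SEQUENCE { notBefore, notAfter }
    t1, s1, e1, vpos = der_tlv(der, vpos)
    t2, s2, e2, _ = der_tlv(der, vpos)
    return der_time(der, s1, e1, t1), der_time(der, s2, e2, t2)


def parse_signature_lists(data):
    """Yield (signature_type, owner_guid, signature_data) from concatenated EFI_SIGNATURE_LISTs."""
    pos = 0
    while pos + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, pos + 16)
        if list_size < 28 or sig_size <= 16:        # malformed list: stop rather than loop forever
            break
        entry, end = pos + 28 + hdr_size, pos + list_size
        while entry + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[entry:entry + 16])   # EFI_SIGNATURE_DATA.SignatureOwner
            yield sig_type, owner, data[entry + 16:entry + sig_size]
            entry += sig_size
        pos = end


def expiring_certs(data, cutoff, now=None):
    """Return [(owner_guid, not_after, days_left)] for X.509 entries whose notAfter is before cutoff."""
    now = now or datetime.now(timezone.utc)
    hits = []
    for sig_type, owner, body in parse_signature_lists(data):
        if sig_type != EFI_CERT_X509_GUID:          # hash entries (EFI_CERT_SHA256_GUID etc.) never expire
            continue
        _, not_after = cert_validity(body)
        if not_after < cutoff:
            hits.append((str(owner), not_after, (not_after - now).days))
    return hits


def read_efivar(path):
    """Read an efivarfs file: the first 4 bytes are the variable attributes, the rest is data."""
    with open(path, "rb") as f:
        return f.read()[4:]


# ---- constructed sample data (NOT real certificates or Microsoft GUIDs) -----
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body           # short-form lengths suffice for the stubs


def stub_cert(not_before, not_after):
    """Structurally valid DER skeleton with only the fields cert_validity reads; unsigned, for testing."""
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
               + _tlv(0x30, b"") + _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after.encode())))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def stub_db(certs):
    """Build one EFI_SIGNATURE_LIST per certificate, as firmware does for variable-sized entries."""
    out = b""
    for owner, der in certs:
        sig = owner.bytes_le + der
        out += EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig
    return out


SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")   # constructed placeholder owner GUID
SAMPLE_DB = stub_db([
    (SAMPLE_OWNER, stub_cert("110624000000Z", "260601000000Z")),  # constructed "old CA", expires mid-2026
    (SAMPLE_OWNER, stub_cert("230301000000Z", "380101000000Z")),  # constructed "2023 CA", long-lived
])


def demo():
    """Check the constructed sample as of 2025-07-16 for anything expiring before 2027."""
    now = datetime(2025, 7, 16, tzinfo=timezone.utc)
    return expiring_certs(SAMPLE_DB, datetime(2027, 1, 1, tzinfo=timezone.utc), now)


if __name__ == "__main__":
    for owner, not_after, days in demo():
        print(f"owner {owner}: expires {not_after:%Y-%m-%d} ({days} days)")
```

On a Linux machine with efivarfs mounted, the same check runs against the live variables by passing `read_efivar("/sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c")` or the `db-d719b2cb-3d88-4b2b-9dd8-4ca6a0b16b1d` file to `expiring_certs`; a KEK entry about to lapse is the one to watch, since that is the key the vendor-signed updates to db are authenticated with.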

Multiple Microsoft secure boot keys expiring in 2026

Posted Jul 16, 2025 19:59 UTC (Wed) by ewen (subscriber, #4772)

There’s some back story to these Microsoft key rollover plans in a 2023 UEFI plugfest presentation:

https://uefi.org/sites/default/files/resources/Evolving%2...

https://m.youtube.com/watch?v=o7kg1gX-KNc

And fortunately from the Microsoft collection of vendor (Platform Key signed) key updates it does at least look like Microsoft have managed to get pretty much all major platform vendors involved in the rollover process by now.

But it’s still going to be “fun” that the Linux Secure Boot shim signing is going to be one of the first things pushed through, only being signed by the new Microsoft Secure Boot CA trust chain :-/

Ewen


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds