Secure Boot certificates on most computers expire in June and October 2026, affecting Windows 11, Windows 10 and Linux systems with secure boot activated. This video explains what is happening, the implications, and what you may potentially need to do. But do not panic! Most systems should update automatically, and even if they don’t, should continue to boot. REFERENCES: Microsoft Secure Boot certificate expiry page: https://support.microsoft.com/en-gb/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e Microsoft Windows Secuirty app Secure Boot update status: https://support.microsoft.com/en-us/topic/secure-boot-certificate-update-status-in-the-windows-security-app-5ce39986-7dd2-4852-8c21-ef30dd04f046 LINUX COMMANDS Please note that all commands are entered at your own risk. Check secure boot status: sudo mokutil --sb-state Check status of secure boot authorized signature database (DB) and key enrollment key database (KEK): sudo mokutil --db sudo mokutil --kek Firmware Update daemon commands: Refresh metadata: sudo fwupdmgr refresh Check available updates: sudo fwupdmgr get-updates Get updates: sudo fwupdmgr update More videos on computing and related topics can be found at: http://www.youtube.com/@ExplainingComputers And more videos on film and other making, plus retro tech, can be found on my Christopher Barnatt channel: http://www.youtube.com/@ChristopherBarnatt Chapters: 00:00 Titles & Intro 00:51 Secure Boot & Certificates 05:02 Windows Updates 12:44 Firmware (UEFI/BIOS) Update 16:12 Linux Updates 20:33 Wrap #SecureBoot #certificate #UEFI #signature #Windows #Windows10 #Windows11 #Linux #update #ExplainingComputers
ADVERTISEMENT
It's time we securely give Microsoft the boot.
Miroslop: "A trusted software provider" Hahaha, wait, hahahaha.
Microsoft is NOT a trusted software provider.
Secure boot..... Microsoft giving me permission to boot my Linux machine. It's why I leave it off.
To me, secureboot is something I switch off.
Perfect timing for my replacement of MS with LINUX
After watching your video and checking it myself, it turn out that I left secureboot off since I first built my PC lol.
I have the BIOS set to 'legacy', LOL.
Pretty sure Windows 11 is malware.
Im just dipping my feet into the deeper understanding of computers and when the algorithm decided to fear-headline me with this news I genuinely thought my simple 2021 gaming PC was gonna brick itself. Appreciate you always calmly explaining things bit by bit on this channel, and not relying on ridiculous thumbnails nor speaking as if you're talking to children. This channel has been a great resource for me as I've been growing beyond just turning my PC on and not understanding anything about it. Im even getting into things ive been too afraid to do before such as BIOS updates (still making me anxious ngl) because of this channel helping me gain some more computer skills. Cheers to you, and thank you for sharing your knowledge.
Afternoon, Chris. Secure boot, it's pain in the butt as far as linux is concerned. Especially booting into Linux. 🙄
TT! 🎉 I want a NON-MS certificate as MS can NOT be trusted!
Back when secure boot was first introduced we all knew this was just Microsoft flexing it's muscles with it's OEM partners to frustrate Linux adoption rather than for any security concerns and I am glad years later this is all blowing up their face.
6:17 "Your PC doesn't currently meet the minimum system requirements to run Windows 11" and one of the options under that line discusses trading in or recycling your computer. I think we all know what the alternative to that is... 😉🐧
Now I know for sure: Secure boot > disable .
I think a video on good certificates would be huge!
sudo mokutil --kek | egrep 'key|Subject:|Before:|After :' sudo mokutil --db | egrep 'key|Subject:|Before:|After :' gives an abbreviated output with just the necessary lines.
At this point, I just take my chances with less security. I just can't anymore. People bring up "security" like it's a magic spell that justifies any and all onerous measures and experiences, without any thoughtful analysis of whether the very real costs outweighs the limited benefits. There's so much distrust, and deservedly so, with everything Microsoft touches, that their touch taints the experience of every project they're involved in. At this point, my risk appetite exceeds my fatigue with everything they've ruined that once worked. If I ever do get hacked because I didn't use Secure Boot, at least I didn't have to deal with anything MS is associated with.
Secure Boot _COULD_ actually be secure if it was designed correctly. Hardware tokens like YubiKey and private CA cert options would go a long way to enabling the technology for every OS. Either corporate IT-managed style of Secure Boot deployed as part of a corporate image deployment strategy (private CA) or at-boot hardware key authentication (hardware token) or some combination of those two things. As it is, turning it off and leaving it turned off for all OSes is the best option. How it would work is you use a hardware token or UEFI boot application to load your public key certificate(s) and digitally sign your own bootloader/firmware with the private key. Microsoft is then entirely uninvolved (and unnecessary).
this is the first video on this topic I've seen that explains concisely the impact, how to check and how to resolve. thank you.