Microsoft sounds the alarm about Secure Boot certificates expiring later this year


babblingConsciousness

Smack-Fu Master, in training
5
Subscriptor++
“If a device does not receive the new Secure Boot certificates before the 2011 certificates expire, the PC will continue to function normally, and existing software will keep running,” writes Nuno Costa, a program manager in Microsoft’s Windows Servicing and Delivery division.
Horrible PR messaging. Most users will see that, believe they don't have to do anything, and stop reading any additional statements.
 
Upvote
127 (129 / -2)

Andrewcw

Ars Legatus Legionis
18,978
Subscriptor
Oh, almost had a heart attack. So it's only if you're using a system that's trying to use Windows 11, and not older versions. Only Windows 11 without updated certificates will refuse to boot. Which is good to know, but not that deadly.

Though with this exercise and a certificate this widespread, wouldn't it be prudent now to update it every few years while it does have a long lifespan, rather than wait 15 years, to always keep the clock running?
 
Upvote
48 (57 / -9)

olafgarten

Smack-Fu Master, in training
59
Oh, almost had a heart attack. So it's only if you're using a system that's trying to use Windows 11, and not older versions. Only Windows 11 without updated certificates will refuse to boot. Which is good to know, but not that deadly.

Though with this exercise and a certificate this widespread, wouldn't it be prudent now to update it every few years while it does have a long lifespan, rather than wait 15 years, to always keep the clock running?

I think they had a roughly 3 year overlap, which is probably sufficient.
 
Upvote
7 (12 / -5)

MisterGrumps

Ars Scholae Palatinae
959
Subscriptor++
For anyone with managed updates, you may also want to check WindowsUEFICA2023Capable within the following registry key:
HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
If the value is not 2, you will want to go up one level to
HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot
and set "AvailableUpdates" to 0x5944 to prompt it to update (will take 2 restarts).

Ref: https://support.microsoft.com/en-us...-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d
 
Upvote
45 (45 / 0)

Andrewcw

Ars Legatus Legionis
18,978
Subscriptor
I think they had a roughly 3 year overlap, which is probably sufficient.
Well, I'm on a 10 machine now. Without ESU. And no update was pushed to me in all this time, even though technically the machine isn't 11 capable. So not really an issue. But still. You time-bomb everything by not keeping the expiration updated, only leaving a very short window to get it done, or even possibly not at all. We assume Microsoft will be around "forever", but think about infrastructure machines still running some Unix variant from a company that no longer exists, 40-year-old equipment now where no update will ever happen. Imagine a machine running off-grid that controls water flow, never gets replaced, and just dies after a reboot, and this is the reason.

EDIT: SHORT WINDOW clarification. I mean short window in government-molasses infrastructure-change terms. Hell, my subway system was still running Windows NT 4.0 in the year 2025. And that was a 5-year process to get everything changed out.
 
Upvote
40 (42 / -2)

TylerH

Ars Praefectus
4,880
Subscriptor
Secure Boot was enabled but technically optional for Windows 8 and Windows 10, but it became a formal system requirement for installing Windows starting with Windows 11 in 2021.

So, just to be clear, if one is running Windows 10 and doesn't have Secure Boot enabled there, and doesn't plan to update that box to Windows 11 ever, they don't need to worry about this impacting them? Or do they?
 
Upvote
73 (73 / 0)

Resistance

Wise, Aged Ars Veteran
418
Secure Boot has relied on the same security certificates to verify bootloaders since 2011

The impression I get from this is that every motherboard sold before a certain very recent date will not have up to date certificates? This instead of the addition of new certificates every 3 years which would have meant that as long as your motherboard is less than 15-3 years old you'd be guaranteed to have a compatible certificate?
 
Upvote
22 (22 / 0)
A note to Linux users with Secure Boot enabled... you need to be sure the MS cert is updated too. The MS cert shows up in the DB and KEK output on my Fedora install. I do believe current/recent versions of the cert are updated. My install is Fedora 38, and I need to update, which should have the updated cert, if it is still depended on.

Code:
# dump the Secure Boot signature database (db) and the Key Exchange Keys (KEK)
mokutil --db > secureBootDB.txt
mokutil --kek > secureBootKEK.txt
# review both dumps for the Microsoft CA entries
cat secureBoot*
 
Upvote
52 (52 / 0)

ayemooth

Smack-Fu Master, in training
3
Well i'm on a 10 machine now. Without ESU. And no update was pushed to be since all this time
How convenient of Microsoft to bring it up shortly after the end of standard support for Win10. So to get the updates you'll need to sign up to ESU. Which means you need a Microsoft account.

No doubt the timing is a complete coincidence.
 
Upvote
73 (80 / -7)

markgo

Ars Praefectus
3,776
Subscriptor++
Horrible PR messaging. Most users will see that, believe they don't have to do anything, and stop reading any additional statements.
Not to mention, it’s not completely true. I’m nearly 100% sure that lack of Secure Boot on systems capable of it will trigger anti-cheat detection systems and it’s likely that other system level software may be affected, whether by intentional design or by bugs in untested code (pretty sure few software makers routinely test this case).
 
Upvote
10 (11 / -1)

VesperanNZ

Smack-Fu Master, in training
4
“However, the device will enter a degraded security state that limits its ability to receive future boot-level protections. As new boot‐level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations. Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware, or Secure Boot–dependent software may fail to load.”

This sounds a bit like a boogeyman threat: to install Windows 11 your system is required to support Secure Boot, but not required to actually use Secure Boot. If they were really worried about future OS/software compatibility issues perhaps they should require the use of Secure Boot as a first step?
 
Upvote
10 (11 / -1)

barich

Ars Legatus Legionis
10,742
Subscriptor++
To some extent, I mean, security is an onion and you want as many layers as possible. But if you have some malware attacking your bootloader things have gone pretty deeply wrong.

I used to repair PCs and prior to the switch to UEFI with Secure Boot, saw bootkits all the time on Windows 7 and older. I literally never saw a single one from approximately 2012-2016 on a PC with Windows 8 or newer and Secure Boot on.
 
Upvote
48 (51 / -3)
“If a device does not receive the new Secure Boot certificates before the 2011 certificates expire, the PC will continue to function normally, and existing software will keep running,” writes Nuno Costa, a program manager in Microsoft’s Windows Servicing and Delivery division.

“However, the device will enter a degraded security state that limits its ability to receive future boot-level protections. As new boot‐level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations. Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware, or Secure Boot–dependent software may fail to load.”
To clarify, if you don't update your motherboard/computer with the new 2023 certificates before the 2011 certificates expire later this year, are you still able to update to the new 2023 certificates after the 2011 certificates expire? Or are you going to be forever blocked from installing the 2023 certificates (i.e., updating to a newer certificate can only occur before the existing certificate expires)?

I'm very curious why Microsoft waits 12 years between updating certificates instead of on a rolling basis so that it doesn't leave such a huge install base vulnerable and requiring updates at one time? They don't have to issue new certificates yearly and they don't need to shorten the validity period of the certificates, but say new certificates every 5 years each valid for 15 years provides a much more structured update cycle.
 
Upvote
97 (97 / 0)
I used to repair PCs and prior to the switch to UEFI with Secure Boot, saw bootkits all the time on Windows 7 and older. I literally never saw a single one from approximately 2012-2016 on a PC with Windows 8 or newer and Secure Boot on.
Suppose they brought them to you because something had gone deeply wrong!
 
Upvote
17 (19 / -2)

alansh42

Ars Praefectus
3,597
Subscriptor++
The cert validates .EFI files that are used for booting. All that matters is that the cert matches the one the .EFI is signed with.

The issue with the expiration is that going forward the .EFIs will be only signed with the new cert. This means that you can't update the .EFI if the PC only has the old cert.

The calendar date isn't checked so it's not going to be a no-boot situation.

So for all you guys who pride yourselves on never applying any updates, you'll be fine.

The problem cases are using old install media on a new PC, or new install media on an old PC. The workaround is to turn off Secure Boot. As mentioned above, this will also affect Linux distros that use Secure Boot.

The other case is wanting to update the existing boot.efi because of an exploit.
 
Upvote
28 (28 / 0)
I just checked the HP site linked in the article and HP bluntly states that my laptop bought in 2017 and still meeting my needs just fine (I'm posting from it) is not supported because "HP no longer supports those platforms." HP is already on my "never, ever buy from these bleeps again" list for other past issues so this doesn't surprise me. This post is just my continuing warning to people that "Friends don't let friends buy HP products."
 
Upvote
59 (61 / -2)

Evil Lair

Ars Praetorian
503
Subscriptor++
Is there something off with the code? I tried both PowerShell and Terminal in Windows 11 and it seems to get an error, unless it's just operator error:

Get-SecureBootUEFI : Variable is currently undefined: 0xC0000100
At line:1 char:43
  • ... System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) ...
  • ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (Microsoft.Secur...BootUefiCommand:GetSecureBootUefiCommand) [Get-S
ecureBootUEFI], StatusException
+ FullyQualifiedErrorId : GetFWVarFailed,Microsoft.SecureBoot.Commands.GetSecureBootUefiCommand

(Edit: the second code example does work and returns False)
 
Upvote
7 (7 / 0)

sarusa

Ars Praefectus
3,258
Subscriptor++
too bad I'm afraid to mess with my 23h2 build, it's been absolutely flawless
I love how PC users / console users / phone users etc. use 'flawless' to describe 'Well, it's kind of a PoS with all these irritations and oh jesus I hate it when it does this or that happens oh god it wants to reboot again but it mostly just works and it's less hassle than switching to something else and I want you to switch to this too to share the pain, so trust me bro it's 100% FLAWLESS.'

There's not a flawless product out there. Windows 11 comes nowhere near one.
 
Upvote
7 (23 / -16)

Mrbonk

Ars Scholae Palatinae
886
Subscriptor
Legacy Bios here Intel series 4...
Using W10 without Secure Boot and using legacy boot from a previous dual boot. Oops. Not that I was planning to update to W11 ever anyway. But I have a fairly recent-ish X570 AMD mobo, so I guess I'll have to turn it on and make sure it's updated at least.
 
Upvote
-1 (1 / -2)

jkb78

Seniorius Lurkius
17
Subscriptor
The potential here is for systems to get missed that people don't think about. Things like bare metal hypervisors, embedded appliances, SAN storage array controllers, network load balancers, etc. This is something that can cause problems for any system that uses UEFI and has Secure Boot enabled. It doesn't have to be an end user device. Secure Boot is all over the place now and isn't just a Windows problem.

The IT industry in general handed MS the keys to deal with UEFI Secure Boot certs back in 2011 when they wanted it for Windows 8. Fast forward to today and Secure Boot is all over the place, and sometimes where you might not expect it. For those saying that it isn't worth it and to just turn it off... remember that rootkits are a real thing!

MS is hosting AMA sessions about this problem and if you want to learn more about what is happening, here is the link to the most recent one: https://techcommunity.microsoft.com/event/windowsevents/ask-microsoft-anything-secure-boot/4486023
 
Upvote
16 (18 / -2)
As someone currently in the process of moving to Linux from Windows, all I can say is "BS." I won't bother listing the numerous issues I've encountered on my quest to install Mint (massaged Ubuntu) on my laptop, but I will mention the most serious.

My laptop won't currently boot into Mint, probably because of a change I made (using the GUI) to the resolution of my two monitors. It was perfectly happy talking to both of them and then I foolishly rebooted. Now the Linux installation is effectively bricked.
 
Upvote
3 (19 / -16)

Belphegor

Wise, Aged Ars Veteran
125
Subscriptor
Is there something off with the code? I tried both PowerShell and Terminal in Windows 11 and it seems to get an error, unless it's just operator error:

Get-SecureBootUEFI : Variable is currently undefined: 0xC0000100
At line:1 char:43
  • ... System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) ...
  • ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (Microsoft.Secur...BootUefiCommand:GetSecureBootUefiCommand) [Get-S
ecureBootUEFI], StatusException
+ FullyQualifiedErrorId : GetFWVarFailed,Microsoft.SecureBoot.Commands.GetSecureBootUefiCommand

(Edit: the second code example does work and returns False)
This is likely because secure boot is not enabled on the PC.

I have the same message on my older Acer Swift 3 (2020) and was puzzled to see that secure boot is not enabled despite performing an upgrade to Win 11 25H2 from Win 10 22H2. I do not remember turning it off, so it might have been disabled since the last BIOS update available in 2022.
 
Upvote
3 (3 / 0)

yumegaze

Wise, Aged Ars Veteran
110
Is there something off with the code? I tried both PowerShell and Terminal in Windows 11 and it seems to get an error, unless it's just operator error:

Get-SecureBootUEFI : Variable is currently undefined: 0xC0000100
At line:1 char:43
  • ... System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) ...
  • ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (Microsoft.Secur...BootUefiCommand:GetSecureBootUefiCommand) [Get-S
ecureBootUEFI], StatusException
+ FullyQualifiedErrorId : GetFWVarFailed,Microsoft.SecureBoot.Commands.GetSecureBootUefiCommand

(Edit: the second code example does work and returns False)
I had this issue: Secure Boot was enabled in the BIOS but showed as disabled in msinfo32. Disabling CSM and resetting keys worked for me, though.
 
Upvote
4 (4 / 0)
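Pulling the thread's two checks together as one script: MisterGrumps's WindowsUEFICA2023Capable / AvailableUpdates registry check, and the Get-SecureBootUEFI "Variable is currently undefined" error that Evil Lair hit and Belphegor and yumegaze traced to Secure Boot being off. This is an added example, not code from the article or from anyone in the thread; it assumes Windows 10/11 with the built-in SecureBoot module, an elevated prompt, and that the 2023 CA subject names (Windows UEFI CA 2023, Microsoft UEFI CA 2023, Microsoft Corporation KEK 2K CA 2023) are the ones to look for.

```powershell
# Added example, not code from the article or from anyone in this thread.
# Assumes Windows 10/11 with the built-in SecureBoot module, run elevated.
# Registry key, value names and the 0x5944 trigger value are the ones quoted
# in the thread; the CA subject strings are Microsoft's published 2023 CA names.
$ServicingKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$Ca2023 = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Corporation KEK 2K CA 2023')

function Get-SecureBootCertStatus {
    $status = [ordered]@{ SecureBootEnabled = $false; CertsFound2023 = @(); Capable = $null }

    # Get-SecureBootUEFI fails with "Variable is currently undefined" when Secure
    # Boot is off (or the board is in legacy/CSM mode), so test that first.
    try   { $status.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) }
    catch { $status.SecureBootEnabled = $false }   # non-UEFI or unsupported platform

    if ($status.SecureBootEnabled) {
        foreach ($var in 'db', 'KEK') {
            # The DER-encoded certificates carry the subject CN as plain ASCII, so a
            # substring search over the raw variable bytes is enough for this check.
            $text = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $var).Bytes)
            foreach ($cn in $Ca2023) {
                if ($text.Contains($cn)) { $status.CertsFound2023 += "${var}: $cn" }
            }
        }
    }

    # Servicing state written by the Secure Boot update task; the thread reports 2
    # as the "already moved to the 2023 CA" value.
    $status.Capable = (Get-ItemProperty -Path $ServicingKey -Name WindowsUEFICA2023Capable `
        -ErrorAction SilentlyContinue).WindowsUEFICA2023Capable
    [pscustomobject]$status
}

function Request-SecureBootCertUpdate {
    # Writes the AvailableUpdates trigger quoted in the thread. Supports -WhatIf so
    # an admin can see the write before committing; two reboots follow the real run.
    [CmdletBinding(SupportsShouldProcess)] param()
    if ($PSCmdlet.ShouldProcess($SecureBootKey, 'Set AvailableUpdates = 0x5944')) {
        Set-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -Value 0x5944 -Type DWord
    }
}

$s = Get-SecureBootCertStatus
$s
if ($s.SecureBootEnabled -and $s.Capable -ne 2) {
    Write-Warning 'Secure Boot is on but WindowsUEFICA2023Capable is not 2; review with Request-SecureBootCertUpdate -WhatIf'
}
```

On a machine with Secure Boot disabled the status object reports SecureBootEnabled False and an empty CertsFound2023 instead of the cmdlet error, which is the yumegaze/Belphegor case.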