Windows Secure Boot certificates set to expire in June – here's what it means for your PC

DragonSlayer101

Posts: 983   +14
Staff
The big picture: The Secure Boot certificates Microsoft originally issued in 2011 for Windows devices are set to expire next month. The company is currently rolling out new Secure Boot keys to eligible devices and has warned that PCs not updated with the latest firmware could become vulnerable to malware and boot-level threats.

In an Ask Microsoft Anything livestream on YouTube, Microsoft Principal Security Engineer Arden White, Principal Software Architect Scott Shell, and Group Engineering Manager Richard Powell answered a range of questions about Secure Boot, including its importance for Windows devices, how to update to the latest version, and what could happen if users fail to do so.

Secure Boot is a Windows security feature designed to protect PCs by preventing malware from loading during the boot process. It establishes a "chain of trust" by verifying the digital signatures of all boot software, including UEFI firmware drivers, EFI applications, and the operating system itself. This ensures that the device boots only with software and services trusted by the PC manufacturer.

With the older 2011 Secure Boot certificates set to expire next month, Microsoft engineers revealed that the company has begun rolling out the new UEFI CA 2023 certificates to all supported devices via Windows Update. They added that all Windows 11 devices manufactured since 2024 are either shipping with the new certificates or have already received the update.

Windows users with older devices can check compatibility in the Windows Security app. According to Microsoft, all supported devices will automatically receive the new keys, though some systems may require additional firmware updates from their respective OEMs.

The trio confirmed that devices that have not yet updated to the new certificates will continue to operate normally and receive standard security updates. However, they will not be able to support newer security protections for the early boot process, potentially leaving them more vulnerable to bootkits, firmware rootkits, and boot-sector viruses.

It is worth noting that older devices using legacy BIOS firmware are physically incompatible with Secure Boot, so Windows will skip the update entirely. However, if a PC uses the Compatibility Support Module to emulate legacy BIOS while still running modern UEFI firmware compatible with Secure Boot, it will still receive the update normally.

Permalink to story:

 
It's Secure Boot, what chaos?
Secure Boot can create a Catch-22, whereby the secure boot environment (usually a TPM 2 chip) can be invalidated, because the certificate has expired. This means that the system believes that its security has either been breached or is no longer effective, which puts the secure environment in lock down even for its registered user. The working theory is, "Better to lose data, than for it fall into the wrong hands." Therefore, if security certificate expires, then even people authorized to access or handle the data will be unable to do so. On the other hand, if the security environment could never expire, then Secure Boot would just be a standard operation environment with added complication "just because".

Being unable to access your workstation, because of factors entirely outside of your control, is the text definition of chaos.
 
It's Secure Boot, what chaos?
Secure Boot can create a Catch-22, whereby the secure boot environment (usually a TPM 2 chip) can be invalidated, because the certificate has expired. This means that the system believes that its security has either been breached or is no longer effective, which puts the secure environment in lock down even for its registered user. The working theory is, "Better to lose data, than for it fall into the wrong hands." Therefore, if security certificate expires, then even people authorized to access or handle the data will be unable to do so. On the other hand, if the security environment could never expire, then Secure Boot would just be a standard operation environment with added complication "just because".

Being unable to access your workstation, because of factors entirely outside of your control, is the text definition of chaos.
 
I have yet to see a system update these certificates through Microsoft’s system updates. Most require the BIOS itself to be updated for support, and if not that, then I have had to boot into BIOS mode and load the certs manually into firmware via a USB storage device. Usual Microsoft lies about this being a simple process.
 
This could be problematic if motherboard manufacturers need to issue bios updates... They might prefer for people to buy new pcs. And in general they never issue updates after a year or so ...
 
"Windows Secure Boot certificates set to expire in June – here's what it means for your PC"

Nothing will happen when it expires... It continue to repel malwares...!
 
I have yet to see a system update these certificates through Microsoft’s system updates. Most require the BIOS itself to be updated for support, and if not that, then I have had to boot into BIOS mode and load the certs manually into firmware via a USB storage device. Usual Microsoft lies about this being a simple process.
This is true. Details: I have a "test PC," with windows 11 pro on it. It's old, but W11 compatable without tricks. Gigabyte UD1 Z390 with Core i5-9600k (9th gen 14nm), with an old GTX 1080. My CA was updated last month, but until I updated the BIOS MS would NOT have patch updated - the simple way. (As CrisisDog said, manually should be possible.)

What's sure is Zero help from the Slop unless the BIOS is "updated." It's stated on the Gigabyte Mobo page for this old Z390. (Quite possibly Z470/490 gen 10 CPUs - I didn't check cut off point. I guess it depends on the vendor if they update BIOS for CA for older Mobos?

Two things I do know. Not all manuf. are updating Z390 or Z370 mobo BIOS. In fact my previous 2021 was a custom BIOS release by Gigabyte years ago to add Above 4G Resizable bar for NV GPUs. Not really much use on my PC, but decent of GB to do that. Then around Oct or Nov last year they released a 2025 dated BIOS purely and only for CA cert. updates.

As Rock for instance haven't
( probably never? ) released a BIOS for older Z390 coffee lake CPU/Mobo. I have two top of the line, but older AsRock boards.

I emailed them last year about it. They did get back pretty quick, but said, at this time we have no plans to update BIOS for Z370 & Z390. They stopped updating BIOS in 2019, but like GB did offer a custom one for above 4G/Resizable bar for NV GPUs. That was also in 2021. Not peep from AsRock (except my email) on all Coffee lake era Mobo pages.

So anyone with a Z390 chipset should check on their vendors site. IF Gigabyte you are OK. Others???

Extra: My still testing W11pro has NO store. All Remote and Edge traversal blocked via power shell. Outlook gone. NO apps at all. About 60 GPO tweaks, all A.I removed manually (now there is a way with GPO) Browser LibreWolf. The list goes on, MS DO NOT approve! Amazingly it still offers security updates if I check manually. CA updated after I updated the BIOS.

The paragraph just above is irrelevant for most. I'm just seeing how far I can go before my W11pro totally breaks. No personal info on it. As an old PC with an old - everything, it's pretty quick now that my install size has GB of OS removed. Not recommended for for anything serious. It's just a fun project of mine as I detest W11, and MSlop.

BACK ON TOPIC. If you want secure boot updated CA on an older PC. Please check your mobo vendor site. No updated BIOS for CA and it's manual for you, or ignore it

I've never heard or read an article where someone was saved from infection by Secure boot. Plenty where AV including defender has caught Malware. Secure Boot sounds good in principle, but joking aside, I've never heard of it doing anything other than in rare cases locking people out of their PCs - somehow.

But if secure boot in the real world adds anything secure is a topic for another day, and another thread.

Finally, Yes MS lies about the simple process. Par for the course.
 
Last edited:
This could be problematic if motherboard manufacturers need to issue bios updates... They might prefer for people to buy new pcs. And in general they never issue updates after a year or so ...
Yes it seems so. Gigabyte may be the exception?
So Gigabyte, easy Win update update fot the CAs quickly without issue, after using their new BIOS.
If not Gigabyte, manually update CAs. Or simply ignore the dubious benefits of secure boot and keep on truck'in.

P.S. AsRock Do NOT offer new BIOS for Simple CA update. Gigabyte DO. Other vendors???
 
We need to stop normalizing microslop propaganda and PR. This article, probably unintentionally, is helping microslop spin lies about both secure boot and microslop as an entity.

We need to be calling them out and triple checking their every word.

Heck, if they even mention the word update, we need to quadruple check.

Microslop is INCAPABLE of being simple, straight forward, honest or competent.
 
Update: On my second PC which has an AsRock z370 Taichi mobo, with their latest BIOS (2021) and an Intel i7 8086k (Basically a binned i7 8700k) Running W10pro with extended sec. updates - I was pleasantly surprised to find ALL certificates fully updated with a message stating as much in the Windows security, secure boot settings.

I was curious so carefully went through my event viewer. It seems that over the course of 4 reboots it step by step updated them all. (CA, KEK etc.)

This is the first time I have had anything good to say about MS for years, literally, but well, they did it, seemlessly on a motherboard with an rather old chipset!

Extra: I installed the 2021 BIOS back in 2021. On the AsRock page for that mobo there is no mention of anything related to CA 2011 update to CA 2023 certs. I was resigned to doing it manually. Imagine my pleasant shock/surprise to find that MS update had already done it!
 
Back