The Secure Boot certificates that Microsoft first made available in 2011 for Windows devices will expire next month. The company is currently rolling out new Secure Boot certificates to eligible devices and has warned that computers that haven't been updated with the latest firmware could become vulnerable to malware and boot-level threats.
In a live broadcast of Ask Microsoft Anything on YouTube, Microsoft Principal Security Engineer Arden White, Principal Software Architect Scott Shell, and Engineering Team Manager Richard Powell answered a series of questions about Secure Boot, its importance for Windows devices, how to update to the latest version, and what could happen if users don't.
Secure Boot is a Windows security feature designed to protect computers by preventing malicious software from loading during the boot process. It creates a “chain of trust” by verifying the digital signatures of all boot software, including UEFI firmware drivers, EFI applications, and the operating system itself. This ensures that the device only boots with software and services that the computer manufacturer trusts.
With the older 2011 Secure Boot certificates set to expire next month, Microsoft engineers revealed that the company has started rolling out the new UEFI CA 2023 certificates to all supported devices via Windows Update. They added that all Windows 11 devices manufactured since 2024 either have the new certificates or have already received the update.
Windows users with older devices can check compatibility in the Windows Security app. According to Microsoft, all supported devices will automatically receive the new keys, although some systems may require additional firmware updates from their respective OEMs.
The Microsoft engineers confirmed that devices that have not yet updated to the new certificates will continue to function normally and receive standard security updates. However, they will not be able to support newer security protections for the early boot process, which could leave them vulnerable to bootkits, firmware rootkits, and boot-sector viruses.
It should be noted that older devices using older BIOS firmware are not compatible with Secure Boot, so Windows will skip the update entirely. However, if a computer uses the Compatibility Support Module to emulate the older BIOS while still running modern Secure Boot-compatible UEFI firmware, it will receive the update as normal.
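Beyond the Windows Security app check mentioned above, the Secure Boot state and the contents of the firmware's allowed-signer database can be inspected from PowerShell. The script below is an added example, not Microsoft's own tooling or anything from the broadcast: it uses the built-in SecureBoot module cmdlets, treats the legacy-BIOS case from the paragraph above as a non-applicable result rather than an error, and looks for the 2011 and 2023 CA subject names as Microsoft publishes them.

```powershell
# Added example: report whether this machine's Secure Boot db already trusts the
# 2023 UEFI CAs. Run from an elevated PowerShell prompt on Windows 10/11.
# Subject-name strings are the published Microsoft CA names; everything else is local logic.

$newCAs = @('Microsoft UEFI CA 2023', 'Windows UEFI CA 2023')
$oldCAs = @('Microsoft Corporation UEFI CA 2011', 'Microsoft Windows Production PCA 2011')

# Windows sets firmware_type to 'Legacy' when booted through BIOS (or CSM legacy boot).
# UEFI variables are not reachable then, and the article notes such devices skip the update.
if ($env:firmware_type -ne 'UEFI') {
    Write-Output "Firmware type is '$($env:firmware_type)': Secure Boot does not apply here."
    return
}

try {
    $enabled = Confirm-SecureBootUEFI   # $true when Secure Boot is enforcing
} catch {
    # Thrown when the firmware exposes no Secure Boot support at all.
    Write-Output "Secure Boot is not supported by this firmware: $($_.Exception.Message)"
    return
}

# 'db' is the allowed-signers variable: EFI_SIGNATURE_LIST entries wrapping DER certificates.
# Certificate subject names are stored as plain ASCII inside the DER, so a substring
# search on the raw bytes is enough to identify which CAs are present.
$db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)

$present2023 = @($newCAs | Where-Object { $db -match [regex]::Escape($_) })
$present2011 = @($oldCAs | Where-Object { $db -match [regex]::Escape($_) })

[pscustomobject]@{
    SecureBootEnabled = $enabled
    Trusted2023CAs    = $present2023 -join ', '
    Trusted2011CAs    = $present2011 -join ', '
} | Format-List

if ($present2023.Count -eq $newCAs.Count) {
    Write-Output 'db already trusts both 2023 CAs: this device has received the certificate update.'
} else {
    Write-Output 'db lacks one or both 2023 CAs: wait for the Windows Update rollout, and check the OEM for a firmware update if it does not arrive.'
}
```

Seeing only the 2011 CAs with Secure Boot enabled is the pre-update state the engineers describe: the device still boots and patches normally but cannot yet trust boot components signed under the 2023 chain.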