Microsoft's Started Updating Secure Boot Certificates

Back to Giveaway of the Day

Giveaway of the Day Forums » Technical notes

Microsoft's Started Updating Secure Boot Certificates

(4 posts) (1 voice)

Started 1 month ago by mikiem2
Latest reply from mikiem2

mikiem2
Moderator

bleepingcomputer[.]com/news/security/microsoft-rolls-out-new-secure-boot-certificates-for-windows-devices/

support.microsoft[.]com/en-us/topic/january-13-2026-kb5074109-os-builds-26200-7623-and-26100-7623-3ec427dd-6fc4-4c32-a471-83504dd081cb#:~:text=%5BSecure%20Boot%5D%C2%A0Starting%20with%20this%20update

"Windows quality updates include a subset of high confidence device targeting data that identifies devices eligible to automatically receive new Secure Boot certificates. Devices will receive the new certificates only after demonstrating sufficient successful update signals, ensuring a safe and phased deployment."

Note: Microsoft *may* be doing one of their preferred staggered rollouts, e.g., with the new Start Menu, which this week *Finally* showed up on a couple of copies of Win11 [they're the only ones so far]. Or, it *may* be that this update can cause problems on some incompatible devices. The BIOS, which manages Secure Boot, is a finicky thing, and FWIW, a messed up BIOS can brick the device.

That potential warning out of the way, here are the basics of Secure Boot... The BIOS chip on the main circuit board [motherboard] for a PC/laptop/tablet is sort of the device's brain; it manages all the various components and gets them working together. When you turn a PC on the BIOS does a quick roll call of all the attached components, drives etc., then runs the boot loader on the hard disk/SSD, which in turn starts the operating system [OS]. If the BIOS is set up to use the UEFI standard [most are], and if secure boot is enabled [usually is], the BIOS will compare the boot loader with a certificate that's stored in the BIOS. If it matches you're good to go, and if it does not, you'll get an error message and things come promptly to a stop.

The reason Microsoft is rolling out this updated certificate is that the old one, UEFI CA 2011, expires in June, 2026. Once it expires, if the newer certificate, UEFI CA 2023, isn't in place, *in theory* the BIOS should prevent the boot loader & OS from starting. The *In Theory* part is because generally loads of manufacturers and coders don't follow all of the rules. If your job was writing programming for various BIOS chips, and you wanted to skip out early for the weekend, what better task to skip than something that wouldn't be caught for 3-4 years down the road? Some devices will continue to work with secure boot and an expired certificate -- just another example that secure boot is Not infallible.

The easiest path forward is to do nothing... If come July your PC won't start Windows, just go into the BIOS settings and disable Secure Boot. It's generally considered better to have secure boot on than off, but secure boot itself is Very far from infallible, so you're not taking some huge risk by having it turned off. That said, there are a couple of potential Gotchas... while it's accepted practice to have a hot key enabled that will bring up the BIOS settings menus -- you press that hot key, usually Delete or F2, repeatedly after starting the PC from a powered off state -- there are probably PCs/laptops/tablets that do not use a hot key to get into the BIOS settings. If the only way you can get into the BIOS settings is by using an option in Windows Settings, if Windows won't start, you're sunk. The 2nd gotcha is that again while it's common practice, there's nothing forcing the people who write BIOS programming code to include the option to turn secure boot off. I *think* both of those situations are rare, but Not impossible. If the device was made before 2024, and hasn't had a BIOS update in 2024 or later, it would IMHO be worth checking to see if a BIOS update is available, and making sure you can get into the BIOS settings & turn off secure boot. If nothing else you can always Google using the make & model of your device.

There is a command you can use in PowerShell to see if your device has the UEFI CA 2023 certificate -- right click the Start Button, click Terminal (Admin), if it doesn't say PowerShell at the top left, click the down arrow to open a new PowerShell tab.

([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

Microsoft has also published the following test info: support.microsoft[.]com/en-us/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d

When testing individual devices to ensure that the devices will process the updates correctly, the registry keys can be a straightforward way to test.

To test, run each of the following commands separately from an administrator PowerShell prompt:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" Manually reboot the system when the AvailableUpdates becomes 0x4100
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

The first command initiates the certificate and boot manager deployment on the device. The second command causes the task that processes the AvailableUpdates registry key to run right away. Normally the task runs every 12 hours. The registry key should quickly change to 0x4100. Rebooting and running task again will cause the boot manager to be updated and the AvailableUpdates to become 0x4000.

I ran that series of commands, including reboot, on our laptop dating from ~2016, and then ran the command to check for UEFI CA 2023, and it was there, had been updated. With my VirtualBox Win11 VM using secure boot it did not work.

Posted 1 month ago #
mikiem2
Moderator

In a related note, once the old certificate expires, you have the new one in place, and are still using secure boot, any bootable USB sticks/drives that have not been updated to work with the new certificate will not boot unless they're modified or secure boot is disabled. I expect [hope ;) ] that it will be a simple matter of copying some files from Windows onto those USB sticks/drives, but we'll have to wait and see.

Posted 1 month ago #
mikiem2
Moderator

FWIW, because I was curious... the files for the secure boot update are dated in September, so were probably added with October's patch. Files were updated for the boot loader on the hidden FAT32 partition, in C:\ Windows\ Boot\ EFI\, and the Secure-Boot-Update task was added to the hidden PI folder in Windows. The 2023 certificate was not added, or at least not activated at that time, and assuming recent BIOS firmware updates included the new certificate, it was not activated with the new firmware either -- it only shows up after running the PowerShell commands Microsoft listed as a test.

Posted 4 weeks ago #
mikiem2
Moderator

Microsoft has clarified things since announcing their update plans last month. The BIG news is that if a PC/laptop doesn't get the update, nothing happens, at all.

When the news of the updates first hit, every article & post talked about not being able to boot into Windows with secure boot enabled without the update, and now they've been updated to reflect the latest news out of Microsoft [except Ed Bott's re-posted article]. So, come July 2026, if your device doesn't get the update, and still uses the 2011 secure boot certificate, it will keep on using it, and you won't notice any changes. The only effect will be that it will be less secure than devices using the 2023 certificate.

There is still a Lot that's so far unknown. Many of the Microsoft pages that talk about the secure boot certificate update have a link to the page detailing their multi-year project to harden Windows boot loader. Their docs include this: "Updating the Secure Boot Certificates enables a future update to the 2023 Boot Manager, which is more Secure. Specific updates on Boot Manager will be in future releases." but don't go into detail about that 2023 Boot Manager.

With the February Windows update Microsoft is collecting more data from individual devices -- between now and July 2026 they will target those devices that they feel confident will be compatible with the update. This shows up in the registry here:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing]\"ConfidenceLevel"=

The secure boot update is designed to use several sequential tasks, and if one fails, the update process halts. The update updates the device's BIOS, so *Hopefully* the way they've got this designed will prevent incompatible BIOS from breaking, but, I imagine that if Microsoft was really confident about that they wouldn't be going through the trouble to qualify which devices get the update. And no doubt some compatible PCs/laptops will not get the update -- it's up to the user to monitor whether the secure boot update's applied or not, and optionally run the test in my first post. Note that, FWIW, there's probably no way to tell if the BIOS itself has the newer 2023 secure boot certificate -- the secure boot menu in the BIOS settings *may* show that, but IMHO probably not. The PowerShell command to check if the newer certificate has been added just checks the certificate on the boot partition.

I read one post regarding a theoretical edge case... if a BIOS was updated after the secure boot update, and that BIOS update did not contain the newer certificate, what happens? I'd guess the same might apply after a BIOS settings reset. Note: many BIOS will automatically reset after a crash if the BIOS detects the crash likely resulted from system instability, e.g., if someone overreached over clocking.

Posted 4 days ago #

RSS feed for this topic

Reply

You must log in to post.