Microsoft Begins the First-Ever Secure Boot Certificate Swap Across Windows Ecosystem (windows.com)

Microsoft has begun automatically replacing the original Secure Boot security certificates on Windows devices through regular monthly updates, a necessary move given that the 15-year-old certificates first issued in 2011 are set to expire between late June and October 2026.

Secure Boot, which verifies that only trusted and digitally signed software runs before Windows loads, became a hardware requirement for Windows 11. A new batch of certificates was issued in 2023 and already ships on most PCs built since 2024; nearly all devices shipped in 2025 include them by default. Older hardware is now receiving the updated certificates through Windows Update, starting with last month's KB5074109 release for Windows 11. Devices that don't receive the new certificates before expiration will still function but enter what Microsoft calls a "degraded security state," unable to receive future boot-level protections and potentially facing compatibility issues down the line.

Windows 10 users must enroll in Microsoft's paid Extended Security Updates program to get the new certificates. A small number of devices may also need a separate firmware update from their manufacturer before the Windows-delivered certificates can be applied.
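A quick way to tell which side of this swap a given device is on is to look at what the firmware's Secure Boot databases actually contain. The script below is an added example, not something from the article or from Microsoft; it uses the built-in `Get-SecureBootUEFI` and `Confirm-SecureBootUEFI` cmdlets (elevated PowerShell on a UEFI machine with Secure Boot on) and assumes the published subject names of the 2011 and 2023 Microsoft CAs, which appear as plain ASCII inside the DER certificates stored in `db` and `KEK`.

```powershell
# Added example: report whether this device's UEFI Secure Boot databases
# already hold the 2023-generation Microsoft CAs that replace the 2011 ones.
# Requires an elevated session on a UEFI system with Secure Boot enabled.
# The subject strings below are the CA names Microsoft publishes for the 2011
# and 2023 certificates (assumed correct; adjust if your firmware differs).

function Get-SecureBootCaStatus {
    # Each UEFI variable is a list of EFI_SIGNATURE_LISTs; the X.509 blobs
    # inside carry the CA subject names as plain ASCII, so a substring search
    # over the raw bytes is enough to detect whether a given CA is enrolled.
    $checks = [ordered]@{
        'db'  = [ordered]@{
            'Microsoft Windows Production PCA 2011' = 'Old Windows boot manager CA (expires 2026)'
            'Windows UEFI CA 2023'                  = 'New Windows boot manager CA'
            'Microsoft Corporation UEFI CA 2011'    = 'Old third-party / shim CA (expires 2026)'
            'Microsoft UEFI CA 2023'                = 'New third-party / shim CA'
        }
        'KEK' = [ordered]@{
            'Microsoft Corporation KEK CA 2011'     = 'Old Key Exchange Key (expires 2026)'
            'Microsoft Corporation KEK 2K CA 2023'  = 'New Key Exchange Key'
        }
    }

    foreach ($var in $checks.Keys) {
        $raw  = (Get-SecureBootUEFI -Name $var).Bytes
        $text = [System.Text.Encoding]::ASCII.GetString($raw)
        foreach ($subject in $checks[$var].Keys) {
            [pscustomobject]@{
                Variable = $var
                Subject  = $subject
                Role     = $checks[$var][$subject]
                Present  = $text.Contains($subject)
            }
        }
    }
}

function Test-SecureBoot2023Ready {
    # $true only when every 2023 CA is enrolled. A device missing any of them
    # is the "degraded" case the article describes: it keeps booting after the
    # 2011 certificates expire, but cannot trust newly signed boot components.
    $status  = Get-SecureBootCaStatus
    $missing = $status | Where-Object { $_.Subject -like '*2023*' -and -not $_.Present }
    if ($missing) {
        Write-Warning ('Not yet updated; missing: ' + ($missing.Subject -join ', '))
        return $false
    }
    return $true
}

if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is disabled or unsupported on this system; nothing to check.'
} else {
    Get-SecureBootCaStatus | Format-Table Variable, Subject, Present, Role -AutoSize
    Test-SecureBoot2023Ready
}
```

A device where the 2023 entries show `Present = False` after the monthly updates have applied is one to follow up on, typically for the separate OEM firmware update the article mentions.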
  • by Murdoch5 ( 1563847 ) on Tuesday February 10, 2026 @02:13PM (#65980458) Homepage
    Secure boot is functionally useless if you're not using custom keys. What Microsoft should do is walk the user through the enrolment of custom keys, and discontinue their secure keys. The entire point of secure boot is that you sign the components with your source of truth. Microsoft holding keys for your boot environment means they control the source of the truth, which means it's not true, and not a safe source. I understand this would be complex, and could be confusing, but it's essential.

    This is another example of absolute trust, instead of zero trust, something Microsoft seems to get wrong constantly.
    • by Valgrus Thunderaxe ( 8769977 ) on Tuesday February 10, 2026 @02:31PM (#65980506)
      That would make it more cumbersome for the police to break into your computer.
    • by 0123456 ( 636235 )

      The goal of "Secure Boot" is to ensure that Microsoft control your PC, not you. It's working as intended.

    • Secure boot is functionally useless if you're not using custom keys

      That's a load of shit. Key signing practices have varying benefits. It's not binary. It's not secure vs not. Based on your own description, precisely nothing on the internet is secure because certificates are signed by not you.

      Yes signing your own key would be the most secure, but in practice it is only marginally more secure than trusting a third party (such as a third party that already has low level access to your system via pushed updates) to keep their keys under control.

      • What on the internet is secure? Do you "trust" email? I would hope not, unless it's signed / encrypted with something like PGP. TLS doesn't really protect anything, any site can give you a TLS connection, but that doesn't mean you can baselessly trust it. Communications programs that have "end-to-end" encryption, they're not secure unless you hold the key, and so on. A lot of security is just "trust", and I'm placing that in quotes because it's not real trust, it's more hope, and belief some people are
        • Real security, real zero-trust, means you're absolutely prevented from being able to peek. It means you remove the reliance on faith, hope and belief. I know I'm sounding like Stallman right now, and I don't mean to, but the reality is some stupidly massive amount of daily everything is not secure. Even if you can make your own keys, are they actually trustworthy? Can you be sure that no other keys exist to bypass your keys?

          I do consider this black and white, either you're secure or you're not. If it doesn't matter, that's fine, but with something like secure boot, where the entire purpose is unshaken validation with zero trust, you better bet I'm going to insist the keys are self-generated.

          I wish the term "zero trust" would just go away. It is an oxymoron that only confuses people.

        • Again you used the word secure. Secure isn't a thing. It's a sliding scale. Secure Boot moves you along that scale, so does TLS, so does putting a password on your Windows PC, so does having a firewall.

          None of this is perfect, your "real security" doesn't exist, but that doesn't make any of it functionally useless.

          • Security is a sliding scale, but why isn't Microsoft being honest? They're operating at the low security end of the scale, and they should be willing to stand behind that with pride. Good security can exist, just demand it.
          • Sorry, I should be more clear, when I said it was black and white, I still mean that. With something like secure boot, email, communication, it's black and white. You can't have someone else control it for you, and think it's safe.
      • That's a load of shit. Key signing practices have varying benefits. It's not binary. It's not secure vs not. Based on your own description precisely nothing on the internet is secure because certificates are signed by not you.

        It is hard to argue with the proposition that nothing is secure without managing trust yourself. The Internet's system of global trust anchors exists to prevent MITM attacks on peers.

        Yet anyone in a position to perform such an attack can easily (often for free) get any of those same anchors to provide them with the very keys required to persistently compromise those peers. The system is total madness. Here secure boot is such a massive house of cards that security is effectively a fool's errand.

        Yes signing your own key would be the most secure, but in practice it is only marginally more secure than trusting a third party (such as a third party that already has low level access to your system via pushed updates) to keep their keys under control.

        You are not just trus

    • "what Microsoft should do is walk the user through the enrolment of custom keys,"

      The 90th percentile Slashdot user is not competent to enroll custom keys. Are you going to pay the support costs if that's foisted on normal people?

      • I would think 99% of computer users don't know how to enrol keys, but unless you make custom keys, just disable secure boot, it's functionally useless if you don't.
    • by AmiMoJo ( 196126 )

      Secure Boot has been one of the most effective security tools that Microsoft has ever released. Before Secure Boot, it was common for malware to simply hook into low level drivers for IDE and SATA, so that even the OS couldn't see the malware on disk and it could install itself during the early part of the boot process. The only way to get rid of it was to boot a Linux CD with AV software, assuming your system was not encrypted, and of course that was way beyond most people.

      Secure Boot put a stop to that, a

      • That's fine, and secure boot has a place, but only if you use custom keys. I'm not discussing if secure boot is good or bad, simply the key management is up to the user, not the vendor.
  • Put the OS on a separate volume. Flick a switch: no write, full stop. Want to update the OS, you flick the switch back to disable the write protect. Secure boot, aside from Trusted Computing Platform 2.0, is the reason why millions of good computers are going out in front of peoples' houses to be taken to a landfill.
    • Let's be fair... They don't go to a landfill, they get shipped to India to be burned.

    • by boa ( 96754 )

      Bro, disabling write means disabling security patches and updates. Not very secure, is it?

      • by unrtst ( 777550 )

        Bro, disabling write means disabling security patches and updates. Not very secure, is it?

        Wow! You really nailed them! It's almost like they should have said something, like, I don't know, maybe:

        Want to update the OS, you flick the switch back to update to disable the write protect.

    • by Zocalo ( 252965 )
      Yeah, some of us used to do that with *NIX systems back in the day. Separate /sbin and /usr volumes, mounted read-only, and various other volumes, like /home and /tmp, depending on the system use, set to not allow execution. You needed to be root to remount to read-write in order to install patches or updated binaries, then reboot to get back to the read-only mountings. Regular users were not capable of doing jack with the sensitive OS partitions, and most forms of attack were really, really, hard when y
    • This is how industrial PLCs handle it: with a physical key. Almost any time you hear about some "hack" of a PLC, the fine print says someone must leave the key turned to program.

    • This is exactly how I boot my computer.
      In Windows I:
      - Insert write-protected VeraCrypt recovery USB stick into USB
      - Boot and hit F12
      - Select the stick as the device to boot from, when VeraCrypt's recovery appears, I select to boot from the stick's copy of the EFI bootloader.
      - Enter my Windows VeraCrypt partition password, and only when that processes can the bootloader even see my Windows drive, which can't really be tampered with because it's encrypted.

      In Windows, the EFI bootloader doesn't change except i

    • by ledow ( 319597 )

      I was saying this when UAC was a thing.

      If you want me to do something to the OS, rather than to my user account, make me flick a switch to do it, which puts the computer in an entirely different mode.

      Now the only virus that can infect my bootloader is one that I actively participate in installing.

      Multi-user computer? The switch is a key.

  • by sinij ( 911942 ) on Tuesday February 10, 2026 @02:24PM (#65980488)
    I have an MS-own laptop, which was gifted to me, and it allows me to disable secure boot in BIOS settings. It gives me an angry red banner with an unlocked lock, but other than that it does not prevent booting. Is that not an option on most hardware?
    • Yes it's always an option. There's rarely a reason to enable it unless your workplace forces it on.

      • You got that completely backwards. There's no reason to disable it unless you're running an unsigned boot process (e.g. dual booting with Linux without bothering to set up secure boot, or regularly trying to boot systems from USB sticks). There's literally no downside to the end user and only increased security.

      • by gweihir ( 88907 )

        Indeed. It is basically worthless for security, all it does is cause problems.

    • Is that not an option on most hardware?

      It is a *required* option of any BIOS on a device sold with Windows Hardware Certification (on x86). Microsoft does not enforce it for ARM devices. Even Microsoft first party devices like Surface Laptops allow you to disable secure boot.

    • I have MS own laptop, which was gifted to me, and it allows me to disable secure boot in BIOS settings. It gives me angry red banner with unlocked lock, but other than that it does not prevent booting. Is that not an option on most hardware?

      Disabling secure boot is an option on most hardware, however, there are some applications/features that will not fully operate if secure boot is not enabled, and that includes some multi-player games.

      • by G00F ( 241765 )

        and that includes some multi-player games.

        I've run into this, sucks so bad, I have to give in to this kind of crap for kids to play w/ their friends, otherwise they get left out of friendships.

        All this "security" isn't anything other than forced obsolescence. (in all its forms, from phones, etc)

        • by gweihir ( 88907 )

          All this "security" isn't anything other than forced obsolescence. (in all its forms, from phones, etc)

          Yes. And DRM. Not made to help you or protect you.

        • If it takes forced obsolescence to protect idiots from themselves then maybe it's a good thing.

      • Don't buy that garbage. There's no reason for games to be using TPM other than locking you into Windows.
    • You also don't need to disable secure boot. The certificates are used to sign the bootloader. The system will continue to boot just fine; it just may have problems if something changes on the bootloader, ... which won't happen because you aren't getting updates. And if you are getting updates, one will give you a new certificate.

      This is a nothing burger for the end user, other than their systems will have secure boot sitting in a somewhat compromised state.

    • Strictly speaking TPM hardware is not required for Windows 11 to install or operate, and secure boot isn't either. You just have to bypass/ignore all the warnings.

      All this leaves you without secure boot as an added bonus, so no downsides.

      • by gweihir ( 88907 )

        Or you install and then turn TPM off.

        The one place I have it on is on my teaching laptop, because I have exams and grades on there and hence BitLocker. But if BigBlueButton works (trying this semester), I can get off Teams and move that machine to Linux. I finally eliminated PowerPoint end of last year (LibreOffice and LaTeX for slides now).

      • All this leaves you without secure boot as an added bonus, so no downsides.

        Yeah except no signed boot process, so possibility for reboot persistent malware, failure for some anti-cheat systems to work so some games don't work. Your Windows Hello key stored on device insecurely, the inability to apply automated full disk encryption...

        The really stupid part about all of this is that there are no downsides to some part of this discussion. There are no downsides to having TPM and SecureBoot enabled. It does provide a meaningful benefit, and anything that actively uses it nefariously a

        • The downside: your machine failing to boot when the motherboard battery goes dead. Been there, got that.
          Battery went dead and the machine promptly forgot all the keys. Now I can fix that, but the average person can not.
    • by AmiMoJo ( 196126 )

      In fact part of the Secure Boot standard is that it must be possible to disable it, and it must be possible to install your own Secure Boot keys.

      Microsoft also made keys for signing Linux kernels available, if you want to use Secure Boot with that and with the default keys. Of course, you can use your own keys as well.

  • Bullshit (Score:5, Insightful)

    by quonset ( 4839537 ) on Tuesday February 10, 2026 @02:29PM (#65980500)

    Windows 10 users must enroll in Microsoft's paid Extended Security Updates program to get the new certificates.

    Microsoft should be required to provide a certificate without any restriction. How many tens of millions of computers still run W10? Forcing people to enroll in something just to get a required update should be an automatic penalty.

    • by Anonymous Coward

      lol we're waaayyy past that, big guy

    • It's a bit of a moot point. Systems that aren't receiving general OS updates wouldn't receive updated bootloaders anyhow. So they wouldn't need the updated certificates that allow for bootloaders signed after June 2026.

      It gets a bit tautological, but only systems that are getting updates need updates.

      • I think that your completely correct point is lost on most people. They don't realize that a signature is valid if the certificate was valid at the time of signing, not that the certificate must be valid for the life of the universe.

    • No one is forced to enrol in anything. Windows 10 is no longer secure. Simply disable secure boot in the BIOS and move on with your life. You're not getting anything running secure boot on a system which isn't receiving basic security updates anymore.

    • Actually I was wrong in my other post. Not only are you not forced to enrol in anything, you also don't need to disable secure boot. Nothing changes for the end user. Either you get updates, which updates the certs. Or you don't get updates, in which case there's nothing that would change the bootloader (which remains signed and bootable).

      Secure boot is optional for all people affected and their systems will continue to boot just fine even with it on.

    • This is a corporate stupidity tax that has blowback on consumers. It works like this:
      - A lot of corporate clients require certified/"blessed" stacks
      - They have legacy software that doesn't support Windows 11 so they have to use Windows 10.
      - Microsoft (Oracle/IBM/etc) sales staff figures out how much cost they'll tolerate before they move to something else
      - They then charge you $0.01 below that.
      When Y2K was a thing we still had some o.g. NT 3.x (I think 3.1) servers running. IT refused to update them
  • New way to own a brick.

  • At least, they do NOW. Let's see if Microsoft breaks things for Linux as part of this update...

    • At least, they do NOW. Let's see if Microsoft breaks things for Linux as part of this update...

      Linux (if your distro has fwupd installed and enabled to offer the update) has been offering to install some of the new certs for a while now.

      At least one distro has had a test day to validate that it is possible to sign their boot loader with various combinations of the old/new keys. I expect additional testing across the Linux distro eco-system (as some hardware is just so interesting).

      Many manufacturers (that still support your hardware) will be issuing new bios firmware that also include the newer

      • I have about 70 machines (Dell) I'll need to take care of. AlmaLinux supports fwupd, but for whatever reason (at least on my test box) fwupdmgr keeps telling me there's no available firmware, which is demonstrably incorrect. We do have a password set on the firmware, so I've been assuming that is the issue and I'm gonna need to visit every machine with a USB stick.

    • At least, they do NOW. Let's see if Microsoft breaks things for Linux as part of this update...

      Your post is dumber than usual. This is literally the point Microsoft is making, they are updating the Microsoft UEFI CA cert which is used for example to sign Linux bootloaders, and the Key Exchange Key which allows modifying the database of allowed signatures to enable Linux secure boot.

      Nothing else about the way Linux keys are signed changes. Nothing about secure boot allowing a user to use their own keys changes (Microsoft's only involvement in Linux is allowing Linux to boot with an MS shim, that's not

      • I updated my BIOS yesterday, in the BIOS I had to switch shit off, CSM, SVM, or some variety of acronyms, not sure, was already several puffs in, secure boot included, and then proceeded to install Fedora. After a reboot I switched shit back on, and Gnome Software helpfully asked to install two certificate thingies, my memory was even hazier by this stage...
        • You probably meant switching it on. CSM is the compatibility support module. Enabling this disables secure boot which for the purpose of installing Linux would allow you to boot any ol' bootable media. Once your system is installed one of two things happen, either you manually have to load the new Key Exchange Key and Cert into the UEFI, or the easier option (the one that many people will use, and anyone who is dual booting will be forced to use) is have the installer automatically load a Machine Operator K

  • by zmollusc ( 763634 ) on Tuesday February 10, 2026 @03:28PM (#65980652)

    That reminds me that I need to check the security system on my henhouse which ensures that _only_ foxes, and no other predator has 24h access.

  • Or is it only CA certificates that can only be loaded directly from Microsoft.com?

  • All it does is cause problems. DRM, not "security"...

    • Oh you're so clever. Let me guess you don't use passwords either because you're at risk of forgetting them.

      Hint: DRM is in someone else's control. Secure boot is in yours. You can load whatever key you want into BIOS. It's your security system to use the way you want. Or you can take the stupidest approach and just turn it off.

      By the way this is causing problems for zero people. Linux users are using their own keys. Windows users will have new certificates issued. And Windows users who don't get updates and

      • You can load whatever key you want into BIOS

        That is what the discussion is about. It is not the user who loads the key, but Microsoft.

  • "Windows 10 users must enroll in Microsoft's paid Extended Security Updates program to get the new certificates. "

    Holding your system to ransom. You never really thought it was "your" PC, did you?

    • by ledow ( 319597 )

      This is why I bought a Framework laptop.

      I'm pretty confident that, if it came to it, the BIOS would let me enter a "Linux" UEFI key of my choosing, not just be locked to the Microsoft ones.

      As it is, it barely matters as the machine only runs Linux anyway, and I don't have a single Windows machine in my house as of Christmas.

      I wonder if that had anything to do with Windows 11, Microsoft enshittification, etc. etc. etc. etc.?

  • Serious question here. Let's say I have an offline computer for whatever reason that can't connect to the internet, or maybe I have a legacy Windows 10 computer that can't get extended updates. What happens after June / October 2026? Can the machine still boot? Or does it become an expensive paperweight?

    This reminds me of the way root certificates are managed on Android devices. Stopping system updates makes the device basically unusable after a few years because the root certificates are not updated anymor

  • A certificate that expires late June should have been renewed a year ago. I already see the cases of computers that were off for a long time or just failed updates, with little time to fix before the certificate expires. I wonder if you can turn back the clock or if secure boot has measures against that.
