Windows 11: Update Secure Boot Certificates to Avoid Security Risks | PCWorld
- Windows 11 users, particularly those with older systems, need to be aware of an impending update to the Secure Boot process.
- Secure Boot, a security feature built into Windows’ UEFI/BIOS, is designed to prevent malicious software from running during the system startup sequence.
- The need for this update stems from the natural expiration of the certificates used to establish this trust.
Windows 11 users, particularly those with older systems, need to be aware of an impending update to the Secure Boot process. Microsoft is actively rolling out new certificates to replace those expiring in , a change critical for maintaining system security and functionality. Without these updates, older PCs may become vulnerable to malware, unable to receive future updates, or experience issues trusting legitimate boot loaders.
Secure Boot, a security feature built into Windows’ UEFI/BIOS, is designed to prevent malicious software from running during the system startup sequence. It works by verifying the digital signatures of pre-boot software against a set of trusted certificates stored in the device’s firmware. This process ensures that only authorized software can load during boot, protecting against rootkits and other low-level threats.
The need for this update stems from the natural expiration of the certificates used to establish this trust. Microsoft first alerted the industry in that the current certificates would begin expiring in . The rollout of replacements is now underway, targeting systems running the 24H2 and 25H2 versions of Windows 11. On , Microsoft confirmed that these certificate updates will be delivered through the standard Windows Update process.
The impact of this expiration isn’t universal. According to Microsoft, devices manufactured before are most likely to be affected, as newer PCs generally ship with the latest certificates pre-installed. Crucially, the issue only affects users who have Secure Boot enabled. If a system is booting without Secure Boot, the expiring certificates will not cause any problems.
Users can easily check if Secure Boot is active on their system. By pressing Win + R, typing “msinfo32,” and opening the System Information window, they can locate the “Secure Boot Status” entry. A status of “On” indicates that Secure Boot is enabled and the system may require the updated certificates.
So, how can users ensure their systems are protected? Microsoft recommends installing the latest Windows quality updates. The company is monitoring the rollout, aiming for a “secure and gradual deployment” once a sufficient number of “successful update signals” are received. Enabling diagnostic data reporting to Microsoft can also help facilitate the update process.
For IT administrators managing larger deployments, Microsoft offers alternative methods for obtaining and deploying the Secure Boot certificates, including the use of specific registry keys or the Windows Configuration System (WinCS). Detailed guidance is available in Microsoft’s official documentation.
To proactively verify the status of the certificates currently in use, users with administrative privileges can utilize PowerShell. Running the command [System.Text.Encoding]::ASCII. GetString((Get-SecureBootUEFI db).bytes) will display the installed certificates. Ideally, the output should include at least one current certificate with a timestamp of 2023, such as MicrosoftUEFICertificateAuthority_2023.cer. Filtering the output with -match ‘Windows UEFI CA 2023’ will return True if the 2023 certificate is present.
Further verification can be performed by examining the Windows Registry. Navigating to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecureBootServicing and checking the value of WindowsUEFICA2023Capable can confirm whether the 2023 certificate is available. A value of 0 indicates that the certificate is missing.
This certificate update is a critical, but largely invisible, component of Windows security. While most users will likely be updated automatically through Windows Update, proactively checking the status and ensuring the latest updates are installed is a prudent step to maintain a secure and functional system. The expiration of these certificates represents a potential vulnerability, and Microsoft’s proactive approach to replacement is a vital measure in protecting the Windows ecosystem.
