Microsoft Begins the First-Ever Secure Boot Certificate Swap Across Windows Ecosystem (windows.com)
- Reference: 0180766606
- News link: https://tech.slashdot.org/story/26/02/10/1737251/microsoft-begins-the-first-ever-secure-boot-certificate-swap-across-windows-ecosystem
- Source link: https://blogs.windows.com/windowsexperience/2026/02/10/refreshing-the-root-of-trust-industry-collaboration-on-secure-boot-certificate-updates/
Secure Boot, which verifies that only trusted and digitally signed software runs before Windows loads, became a hardware requirement for Windows 11. A new batch of certificates was issued in 2023 and already ships on most PCs built since 2024; nearly all devices shipped in 2025 include them by default. Older hardware is now receiving the updated certificates through Windows Update, starting with last month's KB5074109 release for Windows 11. Devices that don't receive the new certificates before expiration will still function but enter what Microsoft calls a "degraded security state," unable to receive future boot-level protections and potentially facing compatibility issues down the line.
Windows 10 users must enroll in Microsoft's paid Extended Security Updates program to get the new certificates. A small number of devices may also need a separate firmware update from their manufacturer before the Windows-delivered certificates can be applied.
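The summary talks about certificates being "issued", "shipped" and "applied" without saying where they live: they are entries in the firmware's Secure Boot signature database (the `db` UEFI variable, with `KEK` and `dbx` alongside it), stored as an array of EFI_SIGNATURE_LIST structures. The parser below, an added example rather than code from the Windows blog post or from Microsoft, reads such a dump and lists every entry with its type, owner GUID and SHA-256 of the payload, so an administrator can see which CAs a machine actually trusts after an update instead of inferring it from a registry flag. The Windows and Linux commands for producing the dump are given in the docstring as assumed invocations; the Microsoft SignatureOwner GUID and the sample database are constructed for the demonstration, and the fingerprints of the real 2023 CAs are not reproduced here, so compare the output against Microsoft's published values.

```python
"""Inspect a UEFI Secure Boot signature database (db, dbx or KEK) dump.

Added example for this page; it is not code from the Windows blog post or
from Microsoft. It parses the EFI_SIGNATURE_LIST array exactly as stored in
the UEFI variable.

Obtaining the input (assumed invocations, not exercised here):
  Windows (elevated PowerShell):
    [IO.File]::WriteAllBytes("db.bin", (Get-SecureBootUEFI -Name db).Bytes)
  Linux (the efivars file carries a 4-byte attribute prefix; pass --efivars):
    cat /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f > db.bin
"""
import hashlib
import struct
import sys
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# EFI_GUID (16) + SignatureListSize, SignatureHeaderSize, SignatureSize (3 x UINT32)
HEADER_LEN = 28


def parse_signature_lists(data):
    """Return [(type_guid, owner_guid, signature_bytes)] for every entry in data.

    Every length field is checked against the buffer before it is trusted;
    a variable read back from firmware is untrusted input to this parser.
    """
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at {off}")
        sig_type = uuid.UUID(bytes_le=bytes(data[off:off + 16]))  # EFI_GUID is mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at {off}")
        body = data[off + HEADER_LEN + hdr_size:off + list_size]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at {off}")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=bytes(body[i:i + 16]))  # EFI_SIGNATURE_DATA.SignatureOwner
            entries.append((sig_type, owner, bytes(body[i + 16:i + sig_size])))
        off += list_size
    return entries


def describe(data):
    """One dict per entry: type, owner, payload size and SHA-256 of the payload."""
    out = []
    for sig_type, owner, payload in parse_signature_lists(data):
        out.append({
            "type": TYPE_NAMES.get(sig_type, str(sig_type)),
            "owner": str(owner),
            "size": len(payload),
            # For X509 entries the payload is the DER certificate, so this is the
            # certificate's SHA-256 fingerprint; compare it with the values Microsoft
            # publishes for the 2023 CAs (not reproduced in this example).
            "sha256": hashlib.sha256(payload).hexdigest(),
            "looks_like_der": sig_type == EFI_CERT_X509_GUID and payload[:1] == b"\x30",
        })
    return out


def build_signature_list(sig_type, owner, payloads):
    """Encode one EFI_SIGNATURE_LIST; used here only to construct sample input."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all signatures in one list must have the same size")
    sig_size = 16 + sizes.pop()
    list_size = HEADER_LEN + sig_size * len(payloads)
    header = sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return header + b"".join(owner.bytes_le + p for p in payloads)


# Constructed sample, not a real firmware dump: one X509 list holding a
# DER-looking placeholder and one SHA256 list holding two hashes (the shape
# dbx entries take). The owner GUID is the one widely documented as Microsoft's.
SAMPLE_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
SAMPLE_DB = (
    build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"\x30\x82\x01\x00" + b"A" * 60])
    + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                           [hashlib.sha256(b"blocked-binary-1").digest(),
                            hashlib.sha256(b"blocked-binary-2").digest()])
)


def load(path, efivars=False):
    with open(path, "rb") as f:
        data = f.read()
    return data[4:] if efivars else data  # efivars prepends the 4-byte attribute word


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    blob = load(args[0], "--efivars" in sys.argv) if args else SAMPLE_DB
    for e in describe(blob):
        print(f"{e['type']:7} owner={e['owner']} size={e['size']:5} sha256={e['sha256']}")
```

Run it with no arguments to parse the constructed sample, or `python sigdb.py db.bin [--efivars]` against a real dump. The same parser applies to `dbx` (where most entries are SHA256 hashes of revoked binaries) and to `KEK`, which is the variable the Windows update has to rewrite before it can add new `db` entries on a machine that only trusts the 2011 KEK.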
Why not have people make their own keys? (Score:4, Insightful)
Secure boot is functionally useless if you're not using custom keys; what Microsoft should do is walk the user through the enrolment of custom keys, and discontinue their secure keys. The entire point of secure boot is that you sign the components with your source of truth. Microsoft holding keys for your boot environment means they control the source of the truth, which means it's not true, and not a safe source. I understand this would be complex, and could be confusing, but it's essential.
This is another example of absolute trust, instead of zero trust, something Microsoft seems to get wrong constantly.
Re: (Score:3)
That would make it more cumbersome for the police to break into your computer.
Re: (Score:2)
That's also true, hence the absolute trust vs. zero trust.
Re: (Score:2)
The goal of "Secure Boot" is to ensure that Microsoft controls your PC, not you. It's working as intended.
Re: (Score:2)
Yep, 100%, which is the same reason BitLocker is generally useless from a security perspective.
Re: (Score:2)
> Secure boot is functionally useless if you're not using custom keys
That's a load of shit. Key signing practices have varying benefits. It's not binary. It's not secure vs. not. Based on your own description, precisely nothing on the internet is secure because certificates are signed by not you.
Yes, signing your own key would be the most secure, but in practice it is only marginally more secure than trusting a third party (such as a third party that already has low level access to your system via pushed updates) to keep their keys under control.
Re: (Score:2)
What on the internet is secure? Do you "trust" email? I would hope not, unless it's signed / encrypted with something like PGP. TLS doesn't really protect anything, any site can give you a TLS connection, but that doesn't mean you can baselessly trust it. Communications programs that have "end-to-end" encryption, they're not secure unless you hold the key, and so on. A lot of security is just "trust", and I'm placing that in quotes because it's not real trust, it's more hope, and belief some people are
Nothing is Secure as Hardware Write Disabled (Score:2)
Put the OS on a separate volume, flick a switch: no write, full stop. Want to update the OS? You flick the switch back to disable the write protect and update. Secure boot, aside from Trusted Computing Platform 2.0, is the reason why millions of good computers are going out in front of peoples' houses to be taken to a landfill.
Re: (Score:2)
Let's be fair... They don't go to a landfill, they get shipped to India to be burned.
Re: (Score:2)
Bro, disabling write means disabling security patches and updates. Not very secure, is it?
Re: (Score:2)
> Bro, disabling write means disabling security patches and updates. Not very secure, is it?
Wow! You really nailed them! It's almost like they should have said something, like, I don't know, maybe:
>> Want to update the OS, you flick the switch back to update to disable the write protect.
Re: (Score:2)
Yeah, some of us used to do that with *NIX systems back in the day. Separate /sbin and /usr volumes, mounted read-only, and various other volumes, like /home and /tmp, depending on the system use, set to not allow execution. You needed to be root to remount to read-write in order to install patches or updated binaries, then reboot to get back to the read-only mountings. Regular users were not capable of doing jack with the sensitive OS partitions, and most forms of attack were really, really, hard when y
Re: Nothing is Secure as Hardware Write Disabled (Score:2)
This is how industrial PLCs handle it: with a physical key. Almost any time you hear about some "hack" of a PLC, the fine print says someone must leave the key turned to program.
Disable secure boot? (Score:4, Interesting)
I have MS's own laptop, which was gifted to me, and it allows me to disable secure boot in BIOS settings. It gives me an angry red banner with an unlocked lock, but other than that it does not prevent booting. Is that not an option on most hardware?
Re: (Score:2)
Yes it's always an option. There's rarely a reason to enable it unless your workplace forces it on.
Re: (Score:1)
You got that completely backwards. There's no reason to disable it unless you're running an unsigned boot process (e.g. dual booting with Linux without bothering to setup secure boot, or regularly trying to boot systems from USB sticks). There's literally no downside to the end user and only increased security.
Re: (Score:2)
> Is that not an option on most hardware?
It is a *required* option of any BIOS on a device sold with Windows Hardware Certification (on x86). Microsoft does not enforce it for ARM devices. Even Microsoft first party devices like Surface Laptops allow you to disable secure boot.
Re: (Score:2)
> I have MS's own laptop, which was gifted to me, and it allows me to disable secure boot in BIOS settings. It gives me an angry red banner with an unlocked lock, but other than that it does not prevent booting. Is that not an option on most hardware?
Disabling secure boot is an option on most hardware, however, there are some applications/features that will not fully operate if secure boot is not enabled, and that includes some multi-player games.
Re: (Score:2)
> and that includes some multi-player games.
I've run into this, sucks so bad, I have to give in to this kind of crap for kids to play w/ their friends, otherwise they get left out of friendships.
All this "security" isn't anything other than forced obsolescence. (in all its forms, from phones, etc)
Re: (Score:2)
You also don't need to disable secure boot. The certificates are used to sign the bootloader. The system will continue to boot just fine, it just may have problems if something changes on the bootloader, ... which won't happen because you aren't getting updates. And if you are getting updates, one will give you a new certificate.
This is a nothing burger for the end user, other than their systems will have secure boot sitting in a somewhat compromised state.
Bullshit (Score:5, Insightful)
> Windows 10 users must enroll in Microsoft's paid Extended Security Updates program to get the new certificates.
Microsoft should be required to provide a certificate without any restriction. How many tens of millions of computers still run W10? Forcing people to enroll in something just to get a required update should be an automatic penalty.
Re: (Score:1)
lol we're waaayyy past that, big guy
Re: (Score:2)
It's a bit of a moot point. Systems that aren't receiving general OS updates wouldn't receive updated bootloaders anyhow. So they wouldn't need the updated certificates that allow for bootloaders signed after June 2026.
It gets a bit tautological, but only systems that are getting updates need updates.
Re: Bullshit (Score:2)
I think that your completely correct point is lost on most people. They don't realize that a signature is valid if the certificate was valid at the time of signing, not that the certificate must be valid for the life of the universe.
Re: (Score:2)
No one is forced to enrol in anything. Windows 10 is no longer secure. Simply disable secure boot in the BIOS and move on with your life. You're not getting anything running secure boot on a system which isn't receiving basic security updates anymore.
Re: (Score:2)
Actually I was wrong in my other post. Not only are you not forced to enrol in anything, you also don't need to disable secure boot. Nothing changes for the end user. Either you get updates, which updates the certs. Or you don't get updates, in which case there's nothing that would change the bootloader (which remains signed and bootable).
Secure boot is optional for all people affected and their systems will continue to boot just fine even with it on.
new way (Score:2)
New way to own a brick.
Linux distros work with Secure Boot (Score:2)
At least, they do NOW. Let's see if Microsoft breaks things for Linux as part of this update...
Re: (Score:2)
> At least, they do NOW. Let's see if Microsoft breaks things for Linux as part of this update...
Linux (if your distro has fwupd installed and enabled to offer the update) has been offering to install some of the new certs for a while now.
At least one distro has had a test day to validate that it is possible to sign their boot loader with various combinations of the old/new keys. I expect additional testing across the Linux distro eco-system (as some hardware is just so interesting).
Many manufacturers (that still support your hardware) will be issuing new bios firmware that also include the newer
Re: (Score:2)
I have about 70 machines (Dell) I'll need to take care of. AlmaLinux supports fwupd, but for whatever reason (at least on my test box) fwupdmgr keeps telling me there's no available firmware, which is demonstrably incorrect. We do have a password set on the firmware, so I've been assuming that is the issue and I'm gonna need to visit every machine with a USB stick.
Re: (Score:2)
> At least, they do NOW. Let's see if Microsoft breaks things for Linux as part of this update...
Your post is dumber than usual. This is literally the point Microsoft is making, they are updating the Microsoft UEFI CA cert which is used for example to sign Linux bootloaders, and the Key Exchange Key which allows modifying the database of allowed signatures to enable Linux secure boot.
Nothing else about the way Linux keys are signed changes. Nothing about secure boot allowing a user to use their own keys changes (Microsoft's only involvement in Linux is allowing Linux to boot with an MS shim, that's not
Re: Linux distros work with Secure Boot (Score:1)
I updated my BIOS yesterday, in the BIOS I had to switch shit off, CSM, SVM, or some variety of acronyms, not sure, was already several puffs in, secure boot included, and then proceeded to install Fedora. After a reboot I switched shit back on, and Gnome Software helpfully asked to install two certificate thingies, my memory was even hazier by this stage...
Handy reminder! (Score:3)
That reminds me that I need to check the security system on my henhouse which ensures that _only_ foxes, and no other predator has 24h access.
Re:certificates expiring..... (Score:4)
Because it is really invasive and has an ability to brick systems and the people responsible for doing it are low wage idiots and AI, overseen by Microsoft a company that has screwed up more than anyone thought possible.
I mean, maybe it will go fine, but it is current year Microsoft and ...
Well, that rules out anything from Microsoft ... (Score:1)
"only trusted and digitally signed software runs before Windows loads"
Re: (Score:2)
Nothing will be "bricked". You would simply have to reinstall the OS.
Re: (Score:2)
for a very large number of Windows users that's a distinction without a difference
Re: (Score:2)
You don't have to do anything. The certificate used to sign the boot process is expiring. That doesn't make your computer unbootable, it means you can't sign new boot certificates or update the revocation database. Actually reinstalling the OS may be a problem, but using your computer as normal is not.
Re: (Score:2)
It does not. Secure boot is entirely within the users control. At the most it may cause a boot failure and a quick google will direct any idiot to a solution.
Re: (Score:2)
To add to this, this certificate expiry issue will not cause computers to fail to boot. It will cause the inability to sign a new or changed boot process... something which only happens if the bootloader is changed by an OS update. Not only is nothing bricked, the end user is unlikely to notice anything changed.
Well normally they're dirtbags (Score:3)
They love forcing customers to do whatever Microsoft wants because that's how they get off. This would have been a great way to force hardware upgrades at gunpoint. So it really makes you wonder, what's their real motive here.