Act now: Secure Boot certificates expire in June 2026



 Windows IT Pro Blog:

Prepare for the first global large-scale certificate update to Secure Boot.

The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expiring beginning June 2026. The way to automatically get timely updates to new certificates for supported Windows systems is to let Microsoft manage your Windows updates, which include Secure Boot. A close collaboration with original equipment manufacturers (OEMs) who provide Secure Boot firmware updates is also essential.

If you haven't yet, begin evaluating options and start preparing for the rollout of updated certificates across your organization in the coming months. Learn about this effort, its impact, and what you as an IT admin should do to help ensure that your Windows devices can receive updates after June 2026 without compromising system security.

Important: While platforms beyond Windows are affected, this article focuses on the solution for Windows systems. Be sure to monitor the Secure Boot certificate rollout landing page for status and guidance updates.
Click to expand...

Recap: Why Secure Boot requires updating​

Secure Boot helps to prevent malware from running early in the startup sequence of a Windows device. Coupled with the Unified Extensible Firmware Interface (UEFI) firmware signing process, Secure Boot uses cryptographic keys, known as certificate authorities (CAs), to validate that firmware modules come from a trusted source.

After 15 years, the Secure Boot certificates that are part of Windows systems will start expiring in June 2026. Windows devices will need new certificates to maintain continuity and protection.
  • Affected: Physical and virtual machines (VMs) on supported versions of Windows 10, Windows 11, Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2—the systems released since 2012, including the long-term servicing channel (LTSC)
  • Not affected: Copilot+ PCs released in 2025
Note: Affected third-party OS includes MacOS. However, it's outside the scope of Microsoft support. For Linux systems dual booting with Windows, Windows will update the certificates that Linux relies on.
Click to expand...

Secure Boot uses certificate-based trust hierarchy to ensure that only authorized software runs during system startup. At the top of this hierarchy is the Platform Key (PK), typically managed by the OEM or a delegate, which acts as the root of trust. The PK authorizes updates to the Key Enrollment Key (KEK) database, which in turn authorizes updates to two critical signature databases: the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX). This layered structure ensures that only validated updates can modify the system's boot policy, maintaining a secure boot environment. See how it works in Updating Secure Boot keys.

The change: Expiring certificates​

Windows systems released since 2012 might have expiring versions of the certificates listed below. The UEFI Secure Boot DB and KEK need to be updated with the corresponding new certificate versions.

See what new certificates will be available in the coming months to maintain UEFI Secure Boot continuity.

Expiration dateExpiring certificateUpdated certificateWhat it doesStoring location
June 2026Microsoft Corporation KEK CA 2011Microsoft Corporation KEK 2K CA 2023Signs updates to DB and DBXKEK
June 2026Microsoft Corporation UEFI CA 2011 (or third-party UEFI CA)*a) Microsoft Corporation UEFI CA 2023
b) Microsoft Option ROM UEFI CA 2023		a) Signs third-party OS and hardware driver components
b) Signs third-party option ROMs		DB
Oct 2026Microsoft Windows Production PCA 2011Windows UEFI CA 2023Signs the Windows bootloader and boot componentsDB
*You need two new certificates for Microsoft Corporation UEFI CA 2011, which together allow for more granular control.

Microsoft and partner OEMs will be rolling out certificates to add trust for the new DB and KEK certificates in the coming months.

The impact and implications​

The CAs ensure the integrity of the device startup sequence. When these CAs expire, the systems will stop receiving security fixes for the Windows Boot Manager and the Secure Boot components. Compromised security at startup threatens the overall security of affected Windows devices, especially due to bootkit malware. Bootkit malware can be difficult or impossible to detect with standard antivirus software. For example, even today, the unsecured boot path can be used as a cyberattack vector by the BlackLotus UEFI bootkit (CVE-2023-24932).

Every Windows system with Secure Boot enabled includes the same three certificates in support of third-party hardware and Windows ecosystem. Unless prepared, physical devices and VMs will:
  • Lose the ability to install Secure Boot security updates after June 2026.
  • Not trust third-party software signed with new certificates after June 2026.
  • Not receive security fixes for Windows Boot Manager by October 2026.
To prevent this, you'll need to update your organization's entire Windows ecosystem with certificates dated 2023 or newer. This will also help you apply mitigations needed to help secure your systems against the BlackLotus and similar boot-level cyberattacks today.

Take action today​

To begin, bookmark the Secure Boot certificate rollout landing page and take our readiness survey!

Important: Check with your OEMs on the latest available OEM firmware. Apply any available firmware updates to your Windows systems before applying the new certificates. In the Secure Boot flow, firmware updates from OEMs are the foundation for Windows Secure Boot updates to apply correctly.
Click to expand...

Microsoft support is only available for supported client versions of Windows 11 and Windows 10. Once Windows 10 reaches end of support in October 2025, consider getting Extended Security Updates (ESU) for Windows 10, version 22H2 if you're not ready to upgrade.

In the coming months, we expect to update the Secure Boot certificates as part of our latest cumulative update cycle.

The solution that requires the least effort is letting Microsoft manage your Windows device updates, including Secure Boot updates. However, you might need to adopt multiple solutions. Your specific next step depends on the Windows systems and how you manage them.

Enterprise IT-managed systems that send diagnostic data​

No action is required if Windows systems at your organization receive Windows updates from Microsoft and send diagnostic data back to Microsoft. This includes devices that receive updates through Windows Autopatch, Microsoft Configuration Manager, or third-party solutions.

Note: Check that your firewall doesn't block diagnostic data. If it does, please take action to help diagnostic data reach Microsoft.
Click to expand...

Windows diagnostic data and OEM feedback will help us group devices with similar hardware and firmware profiles to gradually release Secure Boot updates to you. This allows us to intelligently monitor the rollout process, proactively pausing, addressing any issues, and continuing as needed. Just keep your devices updated with the latest Windows updates!

Enterprise IT-managed systems that don't send diagnostic data​

Enable Windows diagnostic data and let Microsoft manage your updates by taking the following steps:
  1. Configure your organizational policies to allow at least the “required” level of diagnostic data. You can use Group Policy or mobile device management (MDM) to do this. See how to do this in Group Policy Management Editor for Windows 11 and Windows 10.
  2. Allow Microsoft to manage Secure Boot-related updates for your devices by setting the following registry key:
  • o Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot
  • o Key name: MicrosoftUpdateManagedOptIn
  • o Type: DWORD
  • o DWORD value: 0x5944 (opt in to Windows Secure Boot updates)
We recommend setting this key to 0x5944. It indicates that all certificates should be updated in a manner that preserves the security profile of the existing device. It also updates the boot manager to the one signed by the Windows UEFI CA 2023 certificate. Note: If the DWORD value is 0 or the key doesn't exist, Windows diagnostic data is disabled.

If you prefer not to enable diagnostic data, please take this anonymous readiness survey. Help us assess the needs of environments like yours to create future guidance on managing the update process independently. You'll remain fully in control and responsible to execute and monitor these updates.

Air-gapped devices, such as in government scenarios or manufacturing, are a special case. Because Microsoft cannot manage these updates, we can only offer the following limited support:
  • Recommend known steps or methods for deploying these updates
  • Share data gathered from our rollout stream
When available, look for these resources on the Secure Boot certificate rollout landing page.

Systems with Secure Boot disabled​

Windows cannot update the active variables of the Secure Boot certificates if Secure Boot is disabled.

Important: Toggling Secure Boot on or off might erase the updated certificates. If Secure Boot is on, leave it enabled. Turning it off can reset the settings with defaults, which is not desirable.
Click to expand...

Share these recommendations with individual users:
  1. Press Windows key + R, type msinfo32, and then press Enter.
  2. In the System Information window, look for Secure Boot State.
  3. If it says On, you're good to go!
If Secure Boot is off or unsupported, the device may not receive the new CAs. For these devices, you may choose to enable Secure Boot with this guidance: Windows 11 and Secure Boot.

www.elevenforum.com

Check if Secure Boot is Enabled, Disabled, or Unsupported in Windows 11

This tutorial will show you how to check if Secure Boot is currently enabled, disabled, or unsupported on your Windows 10 or Windows 11 PC. Windows 11 minimum system requirements include your system to be UEFI (Unified Extensible Firmware Interface) and Secure Boot capable. While the...
www.elevenforum.com www.elevenforum.com
www.elevenforum.com

Enable or Disable Secure Boot in Windows 11

This tutorial will show you how to enable or disable Secure Boot on your Windows 10 and Windows 11 PC. Windows 11 minimum system requirements include your system to be UEFI (Unified Extensible Firmware Interface) and Secure Boot capable. While the requirement to upgrade a Windows 10 device to...
www.elevenforum.com www.elevenforum.com

Change management considerations​

Don't wait until June 2026! Updating DB and KEK with new 2023 certificates will help prevent your systems from boot-level security vulnerabilities today.

Get the latest OEM firmware updates and let Microsoft manage your Windows updates to receive Secure Boot updates automatically. Otherwise, help us understand your special case by completing this anonymous readiness survey.

Watch the release notes for Windows 11, version 24H2, version 23H2, and Windows 10 in the coming months to know when these updates are available to you. Stay tuned for additional guidance for the LTSC as needed.

Bookmark these additional resources:


 Source:

techcommunity.microsoft.com

Act now: Secure Boot certificates expire in June 2026 - Windows IT Pro Blog

Learn how to update to the new 2023 Secure Boot certificates ahead of June 2026 expiration.
techcommunity.microsoft.com techcommunity.microsoft.com
 
Last edited:
Click to expand...
I only have Microsoft Windows Production PCA 2011 installed under the folder below in certmgr. I assume I don't need to do anything and all will be updated via Windows Update.

1751004107715.webp
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self build
    CPU
    Core i7-13700K
    Motherboard
    Asus TUF Gaming Plus WiFi Z790
    Memory
    64 GB Kingston Fury Beast DDR5
    Graphics Card(s)
    Gigabyte GeForce RTX 2060 Super Gaming OC 8G
    Sound Card
    Realtek S1200A
    Monitor(s) Displays
    Viewsonic VP2770
    Screen Resolution
    2560 x 1440
    Hard Drives
    Kingston KC3000 2TB NVME SSD & SATA HDDs & SSD
    PSU
    EVGA SuperNova G2 850W
    Case
    Nanoxia Deep Silence 1
    Cooling
    Noctua NH-D14
    Keyboard
    Microsoft Digital Media Pro
    Mouse
    Logitech Wireless
    Internet Speed
    50 Mb / s
    Browser
    Chrome
    Antivirus
    Defender
MS is referring to certs in the UEFI firmware, and not to the ones in the Windows Certificate Store.
 

My Computer

System One

  • OS
    Windows 7
garlin said:
MS is referring to certs in the UEFI firmware, and not to the ones in the Windows Certificate Store.
Click to expand...
How do you find out what is installed?
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self build
    CPU
    Core i7-13700K
    Motherboard
    Asus TUF Gaming Plus WiFi Z790
    Memory
    64 GB Kingston Fury Beast DDR5
    Graphics Card(s)
    Gigabyte GeForce RTX 2060 Super Gaming OC 8G
    Sound Card
    Realtek S1200A
    Monitor(s) Displays
    Viewsonic VP2770
    Screen Resolution
    2560 x 1440
    Hard Drives
    Kingston KC3000 2TB NVME SSD & SATA HDDs & SSD
    PSU
    EVGA SuperNova G2 850W
    Case
    Nanoxia Deep Silence 1
    Cooling
    Noctua NH-D14
    Keyboard
    Microsoft Digital Media Pro
    Mouse
    Logitech Wireless
    Internet Speed
    50 Mb / s
    Browser
    Chrome
    Antivirus
    Defender
Steve C said:
How do you find out what is installed?
Click to expand...
Strangely enough, MS hasn't released a simple tool or script to report the certs. They provide you instructions on how to check the boot files for which version of the certificates signed the files. But that is not the same as knowing your UEFI's certs.

Run the PowerShell script, as the Admin user:
Did you manually update your Secure Boot Keys ?

It will report what PCA certs you have in both the DB (allow list) and DBX (banned list) databases. If you don't see PCA 2023 listed, then you can either follow MS's update instructions now or wait until Windows forces the transition (early next year?).
 

My Computer

System One

  • OS
    Windows 7

My Computers

System One System Two

  • OS
    Windows 11 Pro 24H2 Beta Insider Channel
    Computer type
    PC/Desktop
    Manufacturer/Model
    Homebuilt
    CPU
    Intel Core i9 13900K
    Motherboard
    Asus ProArt Z790 Creator WiFi - Bios 2703
    Memory
    Corsair Dominator Platinum 64gb 5600MT/s DDR5 Dual Channel
    Graphics Card(s)
    Sapphire NITRO+ AMD Radeon RX 7900 XTX Vapor-X 24GB
    Sound Card
    External DAC - Headphone Amplifier: Cambridge Audio DACMagic200M
    Monitor(s) Displays
    Panasonic MX950 Mini LED 55" TV 120hz
    Screen Resolution
    3840 x 2160 120hz
    Hard Drives
    Samsung 980 Pro 2TB (OS)
    Samsung 980 Pro 1TB (Files)
    Lexar NZ790 4TB
    LaCie d2 Professional 6TB external - USB 3.1
    Seagate One Touch 18TB external HD - USB 3.0
    PSU
    Corsair RM1200x Shift
    Case
    Corsair RGB Smart Case 5000x (white)
    Cooling
    Corsair iCue H150i Elite Capellix XT
    Keyboard
    Logitech K860
    Mouse
    Logitech MX Master 3S
    Internet Speed
    Fibre 900/500 Mbps
    Browser
    Microsoft Edge Chromium
    Antivirus
    Bitdefender Total Security
    Other Info
    AMD Radeon Software & Drivers 25.5.1
    AOMEI Backupper Pro
    Dashlane password manager
    Logitech Brio 4K Webcam
    Orico 10-port powered USB 3.0 hub
  • Operating System
    Windows 11 Pro 24H2 26100.2894
    Computer type
    Laptop
    Manufacturer/Model
    Asus Vivobook X1605VA
    CPU
    Intel® Core™ i9-13900H
    Motherboard
    Asus X1605VA bios 309
    Memory
    32GB DDR4-3200 Dual channel
    Graphics card(s)
    *Intel Iris Xᵉ Graphics G7 (96EU) 32.0.101.6078
    Sound Card
    Realtek | Intel SST Bluetooth & USB
    Monitor(s) Displays
    16.0-inch, WUXGA 16:10 aspect ratio, IPS-level Panel
    Screen Resolution
    1920 x 1200 60hz
    Hard Drives
    512GB M.2 NVMe™ PCIe® 3.0 SSD
    Other Info
    720p Webcam
@Marcus Vinicus

I am sorry to advise but just to check: Unless you put PCA 2011 certificate under EFI DBX Certificates section and ban it from EFI Files section, you may still be vulnerable. PCA 2011 certificate will still be effective for outside intruders unless you ban it.

You must have seen this in your Check_EFIBootFile.ps1 output:

DBX_UPDATE.webp
 

My Computers

System One System Two

  • OS
    Windows 11 Pro build 26200.5651 (Dev)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    CPU
    Intel i7-4790
    Motherboard
    Asus H97 Pro Gamer with add-on TPM1.2 module
    Memory
    Teams DDR3-1600
    Graphics Card(s)
    MSI Nvidia GeForce GTX 1050Ti
    Sound Card
    Realtek ALC1150
    Monitor(s) Displays
    LG Flatron E2250
    Screen Resolution
    1920 by 1080 pixels
    Hard Drives
    Crucial NVMe PCIe M2 500 GB (Windows 11 v.24H2); Samsung SSD Evo 870 500 GB (Windows 11 v.24H2);
    PSU
    Corsair HX850
    Case
    Gigabyte Solo 210
    Cooling
    Zalman CNPS7X Tower
    Keyboard
    Microsoft AIO Wireless (includes touchpad)
    Mouse
    HP S1000 Plus Wireless
    Internet Speed
    200 Mb fiber optic
    Browser
    Chrome; MS Edge
    Antivirus
    Windows Defender
  • Operating System
    MacOS 12 Monterey
    Computer type
    Laptop
    Manufacturer/Model
    Apple Macbook Air
    CPU
    Intel Core i5
    Memory
    8 GB
    Graphics card(s)
    Intel integrated
    Screen Resolution
    1440 by 900 pixels
    Hard Drives
    128 GB
    Keyboard
    Built-in
    Mouse
    Microsoft Wireless
    Internet Speed
    802.11 ac
    Browser
    Chrome; Safari
    Antivirus
    N/A

My Computers

System One System Two

  • OS
    Windows 11 Pro 24H2 Beta Insider Channel
    Computer type
    PC/Desktop
    Manufacturer/Model
    Homebuilt
    CPU
    Intel Core i9 13900K
    Motherboard
    Asus ProArt Z790 Creator WiFi - Bios 2703
    Memory
    Corsair Dominator Platinum 64gb 5600MT/s DDR5 Dual Channel
    Graphics Card(s)
    Sapphire NITRO+ AMD Radeon RX 7900 XTX Vapor-X 24GB
    Sound Card
    External DAC - Headphone Amplifier: Cambridge Audio DACMagic200M
    Monitor(s) Displays
    Panasonic MX950 Mini LED 55" TV 120hz
    Screen Resolution
    3840 x 2160 120hz
    Hard Drives
    Samsung 980 Pro 2TB (OS)
    Samsung 980 Pro 1TB (Files)
    Lexar NZ790 4TB
    LaCie d2 Professional 6TB external - USB 3.1
    Seagate One Touch 18TB external HD - USB 3.0
    PSU
    Corsair RM1200x Shift
    Case
    Corsair RGB Smart Case 5000x (white)
    Cooling
    Corsair iCue H150i Elite Capellix XT
    Keyboard
    Logitech K860
    Mouse
    Logitech MX Master 3S
    Internet Speed
    Fibre 900/500 Mbps
    Browser
    Microsoft Edge Chromium
    Antivirus
    Bitdefender Total Security
    Other Info
    AMD Radeon Software & Drivers 25.5.1
    AOMEI Backupper Pro
    Dashlane password manager
    Logitech Brio 4K Webcam
    Orico 10-port powered USB 3.0 hub
  • Operating System
    Windows 11 Pro 24H2 26100.2894
    Computer type
    Laptop
    Manufacturer/Model
    Asus Vivobook X1605VA
    CPU
    Intel® Core™ i9-13900H
    Motherboard
    Asus X1605VA bios 309
    Memory
    32GB DDR4-3200 Dual channel
    Graphics card(s)
    *Intel Iris Xᵉ Graphics G7 (96EU) 32.0.101.6078
    Sound Card
    Realtek | Intel SST Bluetooth & USB
    Monitor(s) Displays
    16.0-inch, WUXGA 16:10 aspect ratio, IPS-level Panel
    Screen Resolution
    1920 x 1200 60hz
    Hard Drives
    512GB M.2 NVMe™ PCIe® 3.0 SSD
    Other Info
    720p Webcam
For the record, this issue only affects enterprise users, common users will not be affected.
 

My Computer

System One

  • OS
    Windows 11 Home Insider Canary
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 5 8600G (07/24)
    Motherboard
    ASROCK B650M-HDV/M.2 3.25 (07/24)
    Memory
    2x32GB Kingston FURY DDR5 5600 MHz CL36 @5200 CL40 (07/24)
    Graphics Card(s)
    ASROCK Radeon RX 6600 Challenger D 8G @48FPS (08/24)
    Sound Card
    Creative Sound BlasterX AE-5 Plus (05/24)
    Monitor(s) Displays
    24" Philips 24M1N3200ZS/00 (05/24)
    Screen Resolution
    1920×1080@165Hz via DP1.4
    Hard Drives
    Kingston KC3000 NVMe 2TB (05/24)
    ADATA XPG GAMMIX S11 Pro 512GB (07/19)
    PSU
    Seasonic Core GM 550 Gold (04/24)
    Case
    Fractal Design Define 7 Mini with 3x Noctua NF-P14s/12@555rpm (04/24)
    Cooling
    Noctua NH-U12S with Noctua NF-P12 (04/24)
    Keyboard
    HP Pavilion Wired Keyboard 300 (07/24) + Rabalux 76017 Parker (01/24)
    Mouse
    Logitech M330 Silent Plus (04/23)
    Internet Speed
    500/100 Mbps via RouterOS (05/21) & TCP Optimizer
    Browser
    Edge & Brave for YouTube & LibreWolf for FB
    Antivirus
    NextDNS blocking 95% TLDs
    Other Info
    Backup: Hasleo Backup Suite (PreOS)
    Headphones: Sennheiser RS170 (09/10)
    Phone: Samsung Galaxy Xcover 7 (02/24)
    Chair: Huzaro Force 4.4 Grey Mesh (05/24)
    Notifier: Xiaomi Mi Band 9 Milanese (10/24)
    2nd Monitor: AOC G2460VQ6 @75Hz (02/19)
TairikuOkami said:
For the record, this issue only affects enterprise users, common users will not be affected.
Click to expand...

Would be really odd if it did (Microsoft expecting average Windows users to figure out how to do this manually), without - being included in a Windows update.
 

My Computer

System One

  • OS
    WinDOS 23H2
    Computer type
    Laptop
    CPU
    Intel & AMD
    Memory
    SO-DIMM SK Hynix 15.8 GB Dual-Channel DDR4-2666 (2 x 8 GB) 1329MHz (19-19-19-43)
    Graphics Card(s)
    nVidia RTX 2060 6GB Mobile GPU (TU106M)
    Sound Card
    Onbord Realtek ALC1220
    Screen Resolution
    1920 x 1080
    Hard Drives
    1x Samsung PM981 NVMe PCIe M.2 512GB / 1x Seagate Expansion ST1000LM035 1TB
TairikuOkami said:
For the record, this issue only affects enterprise users, common users will not be affected.
Click to expand...
Good to know, because I already was puzzling how I should do this without risks my PC would not function afterwards...
 

My Computer

System One

  • OS
    Windows 11 Pro 24H2 26100.3915
    Computer type
    PC/Desktop
    Manufacturer/Model
    Build by vendor to my specs
    CPU
    AMD Ryzen 7 5700G
    Motherboard
    MSI PRO B550M-P Gen3
    Memory
    Kingston FURY Beast 2x16GB DIMM DDR4 2666 CL16
    Graphics Card(s)
    MSI GeForce GT 730 2GB LP V1
    Sound Card
    Creative Sound Blaster Audigy FX
    Monitor(s) Displays
    Samsung S24E450F 24"
    Screen Resolution
    1920 x 1080
    Hard Drives
    1. SSD Crucial P5 Plus 500GB PCIe M.2
    2. SSD-SATA Crucial MX500-2TB
    PSU
    Corsair CV650W
    Case
    Cooler Master Silencio S400
    Cooling
    Cooler Master Hyper H412R with Be Quiet Pure Wings 2 PWM BL038 fan
    Keyboard
    Cherry Stream (wired, scissor keys)
    Mouse
    Asus WT465 (wireless)
    Internet Speed
    70 Mbps down / 80 Mbps up
    Browser
    Firefox 130.0
    Antivirus
    Windows Defender
    Other Info
    Router: FRITZBox 7490
    Oracle VirtualBox 7 for testing software on Win 10 or 11
I am curious, this Securre Boot Cert update seems to be related to the user's provision of Telemetry. How would supression of reported telemetry affect a user's ability to get these new certs? I've implemented the redirection of user-reported telemetry to "NULL" or 0.0.0.0 by using "Windows Shutup10++ at O&O ShutUp10++ - O&O Software GmbH . More info on this can be found at:
.

Any thoughts on this?

Jabiru
 

My Computer

System One

  • OS
    Host: Windows 11 Pro (24H2)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom User Build
    CPU
    AMD Ryzen 9 7945HX
    Motherboard
    Minisforum BD795i SE
    Memory
    2X 16GB DDR5-5200MTs (32GB)
    Graphics Card(s)
    AMD Radeon Pro WX5100 Workstation
    Sound Card
    Integrated AMD High Definition Audio CODEC
    Monitor(s) Displays
    2X LG 32UN880-A
    Screen Resolution
    3840x2160
    Hard Drives
    2X NVMe 1TB SSDs
    PSU
    Corsair SF450
    Case
    Fractal Design Terra
    Cooling
    Noctua FS-A12
    Keyboard
    Logitech K270 KB/Mouse Combo
    Mouse
    Logitech K270 KB/Mouse Combo
    Internet Speed
    800Mb
    Browser
    Firefox, Edge, Edge Chromium
    Antivirus
    MalwareBytes, MS Defender
    Other Info
    2x Seagate 2TB external USB HDD, 1x 5TB external USB WD Passport HDD, 1x externql USB WD SATA 1TB Green SATA SSD

My Computers

System One System Two

  • OS
    Windows 11 Pro build 26200.5651 (Dev)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    CPU
    Intel i7-4790
    Motherboard
    Asus H97 Pro Gamer with add-on TPM1.2 module
    Memory
    Teams DDR3-1600
    Graphics Card(s)
    MSI Nvidia GeForce GTX 1050Ti
    Sound Card
    Realtek ALC1150
    Monitor(s) Displays
    LG Flatron E2250
    Screen Resolution
    1920 by 1080 pixels
    Hard Drives
    Crucial NVMe PCIe M2 500 GB (Windows 11 v.24H2); Samsung SSD Evo 870 500 GB (Windows 11 v.24H2);
    PSU
    Corsair HX850
    Case
    Gigabyte Solo 210
    Cooling
    Zalman CNPS7X Tower
    Keyboard
    Microsoft AIO Wireless (includes touchpad)
    Mouse
    HP S1000 Plus Wireless
    Internet Speed
    200 Mb fiber optic
    Browser
    Chrome; MS Edge
    Antivirus
    Windows Defender
  • Operating System
    MacOS 12 Monterey
    Computer type
    Laptop
    Manufacturer/Model
    Apple Macbook Air
    CPU
    Intel Core i5
    Memory
    8 GB
    Graphics card(s)
    Intel integrated
    Screen Resolution
    1440 by 900 pixels
    Hard Drives
    128 GB
    Keyboard
    Built-in
    Mouse
    Microsoft Wireless
    Internet Speed
    802.11 ac
    Browser
    Chrome; Safari
    Antivirus
    N/A
suatcini54 said:
It is just that home PCs may not be worth the trouble to undergo being attacked into. Or so I think.

Please refer to: Windows devices for home users, businesses, and schools with Microsoft-managed updates - Microsoft Support
Click to expand...

It's just that home PCs will get new certificates automatically via Windows Update:

What do I need to do?

In most cases, nothing! Just make sure that:
  • Your device is running a supported version of Windows 10 or Windows 11.
  • Windows updates are not paused.
  • Secure Boot is enabled (it usually is by default on newer systems).
To check if Secure Boot is turned on:
  1. Press Windows + R, type msinfo32, and then press Enter.
  2. In the System Information window, look for Secure Boot State.
  3. If it says On, you’re good to go!
Click to expand...
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
I'll just leave SB disabled as I always have
 

My Computer

System One

  • OS
    Windows 11 Pro 24H2 (RP channel)
    Computer type
    PC/Desktop
    Manufacturer/Model
    MSI
    CPU
    AMD Ryzen 7 9800X3D 8-core
    Motherboard
    MEG X870E Godlike
    Memory
    64GB Corsair Titanium 6000/CL30
    Graphics Card(s)
    MSI Suprim X 3080 Ti
    Sound Card
    Soundblaster AE-5 Plus
    Monitor(s) Displays
    ASUS TUF Gaming VG289Q
    Screen Resolution
    3840x2160
    Hard Drives
    Samsung 9100 Pro 4TB (gen 5 x4, system drive/games)
    Samsung 990 Pro 2TB
    Samsung 980 Pro 2TB
    Samsung 870 Evo 4TB
    Samsung T7 Touch 1TB
    PSU
    Seasonic PX-2200
    Case
    Bequiet! Dark Base Pro 901
    Cooling
    Noctua NH-D15S Chromax black
    Keyboard
    Logitech G915 X (wired)
    Mouse
    Logitech G903 with PowerPlay charger
    Internet Speed
    900Mb/sec
    Browser
    Microsoft Edge
    Antivirus
    Windows Defender
neves said:
Would be really odd if it did (Microsoft expecting average Windows users to figure out how to do this manually), without - being included in a Windows update.
Click to expand...
Windows Update will eventually enforce this change on all W11 PC's (late 2025? before Oct 2026). Right now, the process is optional.

MS delayed its original timeline because some OEM's have needed more time to fix their broken BIOS code. This includes some security and management vendors that install their own code hidden in customers' BIOSes.

suatcini54 said:
Every PC that connects to internet is vulnerable to the security concerns due to outdated Certificates. It is just that home PCs may not be worth the trouble to undergo being attacked into. Or so I think.
Click to expand...
There two separate issues that overlapped in timing:

1. In 2023, MS was informed that the Black Lotus UEFI rootkit bypassed Windows security measures. To prevent bad actors from using Black Lotus, MS had to make the huge decision to revoke the CA 2011 certificate which signed all trusted boot code. This decision also guaranteed existing Windows boot code going back several years to older Windows would no longer work.

MS had to organize the PC industry to accept adding a replacement cert CA 2023, and cancelling CA 2011 at the same time. This whole process was supposed to be done last year. MS can easily pull the switch, but if the process is incorrectly done then you don't have a bootable PC.

2. The process took so long, MS is running into the normal 15 year expiration date on the original CA 2011 cert. 2011 + 15 = 2026. MS and PC makers would have to replace the cert any way. If you recently bought a new PC since June 2024, it already has CA 2023.

If you don't update your old PC, Windows might not be bootable when MS switches to the CA 2023 permanently to sign the boot code. Again this is done for security purposes.

3. The CA 2011 in the certificate store is in parallel to sign Windows executables and resource files. This is entirely separate from the UEFI certs.
 

My Computer

System One

  • OS
    Windows 7
One of the issues that confuses users with this is Microsoft's typical bad habit of mixed messaging. They now have multiple articles, guidance and updates. One has 'Act now' in the headline, another in the text tells some users to do nothing. Many of the posts/articles don't state clearly at the start or end which group of users they're talking to.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 24H2 Beta Insider Channel
    Computer type
    PC/Desktop
    Manufacturer/Model
    Homebuilt
    CPU
    Intel Core i9 13900K
    Motherboard
    Asus ProArt Z790 Creator WiFi - Bios 2703
    Memory
    Corsair Dominator Platinum 64gb 5600MT/s DDR5 Dual Channel
    Graphics Card(s)
    Sapphire NITRO+ AMD Radeon RX 7900 XTX Vapor-X 24GB
    Sound Card
    External DAC - Headphone Amplifier: Cambridge Audio DACMagic200M
    Monitor(s) Displays
    Panasonic MX950 Mini LED 55" TV 120hz
    Screen Resolution
    3840 x 2160 120hz
    Hard Drives
    Samsung 980 Pro 2TB (OS)
    Samsung 980 Pro 1TB (Files)
    Lexar NZ790 4TB
    LaCie d2 Professional 6TB external - USB 3.1
    Seagate One Touch 18TB external HD - USB 3.0
    PSU
    Corsair RM1200x Shift
    Case
    Corsair RGB Smart Case 5000x (white)
    Cooling
    Corsair iCue H150i Elite Capellix XT
    Keyboard
    Logitech K860
    Mouse
    Logitech MX Master 3S
    Internet Speed
    Fibre 900/500 Mbps
    Browser
    Microsoft Edge Chromium
    Antivirus
    Bitdefender Total Security
    Other Info
    AMD Radeon Software & Drivers 25.5.1
    AOMEI Backupper Pro
    Dashlane password manager
    Logitech Brio 4K Webcam
    Orico 10-port powered USB 3.0 hub
  • Operating System
    Windows 11 Pro 24H2 26100.2894
    Computer type
    Laptop
    Manufacturer/Model
    Asus Vivobook X1605VA
    CPU
    Intel® Core™ i9-13900H
    Motherboard
    Asus X1605VA bios 309
    Memory
    32GB DDR4-3200 Dual channel
    Graphics card(s)
    *Intel Iris Xᵉ Graphics G7 (96EU) 32.0.101.6078
    Sound Card
    Realtek | Intel SST Bluetooth & USB
    Monitor(s) Displays
    16.0-inch, WUXGA 16:10 aspect ratio, IPS-level Panel
    Screen Resolution
    1920 x 1200 60hz
    Hard Drives
    512GB M.2 NVMe™ PCIe® 3.0 SSD
    Other Info
    720p Webcam

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Asus
    CPU
    Intel Core i7 13700ks
    Motherboard
    Asus B660M Plus D4
    Memory
    DDR4 32GB
    Graphics Card(s)
    Asus Dual RTX 4060 TI
    Monitor(s) Displays
    ASUS VG32V
    Screen Resolution
    2560 x 1440
All of this shouldn't be of a concern for a normal users really, it might be an overkill but securing your networking habits is a must no matter how much Microsoft keeps releasing a bunch of security "Fixes".

Don't like paying (VPNs, proxies, etc..) so I always go the free route especially when I can do it by myself freely.

I got my own thing going (Raspberry pi, Pi-hole, Local Host Adgaurd DNS, Unbound, DNSSEC with ECDSA P-256, ECDSA P-384, ED25519, etc.. etc..) pretty complex multi-sheilds going on but once it is setup, it is just smooth sailing & faster

but after all of this yet... we come back to the first point securing your networking habits is a must.
 

My Computer

System One

  • OS
    Win 11 Insider [Always the latest Beta 24H2 releases]
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF Gaming FA506IU Laptop
    CPU
    AMD Ryzen 7 4800H with Radeon Graphics
    Motherboard
    AMD K17.6 FCH, AMD K17.6 IMC
    Memory
    G.SKILL [Samsung Die] DRR4 - 3200Mhz CL18 (18-19-19-36) - 32GB(16GBx2)
    Graphics Card(s)
    nVidia GTX 1660ti GDDR6 6GB(90W) 2.02Ghz Core & +548Mhz Mem-OC'ed [VBIOS Unlocked]
    Sound Card
    Realtek ALC256 @ AMD K17.6
    Monitor(s) Displays
    LM156LF-2F03 144HZ with Adaptive SYNC
    Screen Resolution
    1920x1080 - 144Hz
    Hard Drives
    WDC PC SN530 SDBPNPZ-256G-1002 + SHGP31-500GM-2 + ST1000LM035-1RK172 + Samsung SSD 870 QVO 1TB 1000.2 GB
    PSU
    ASUS Power Brick 180W
    Case
    Laptop Case with Dual Fan
    Cooling
    Dual Fans Design with Self-Cleaning Cooling
    Keyboard
    Asus Aura RGB with Overstroke technology
    Mouse
    ROG SICA Gaming Mouse
    Internet Speed
    100Mbps FiberOptic [100 Mbps Down - 50 Mbps Up]
    Browser
    Chrome/Firefox/Tor
    Antivirus
    Symantec Endpoint Protection with Windows Defender (Active Mode) + Custom DNS Server
    Other Info
    CPU with -15 Curve Optimizer all cores and -50 Cure optimizer on iGPU
    BCLK OC to 101.6Mhz
    Benchmark Scores:-
    CineBench R23 Single core:- 1290 points
    CineBench R23 Multi core:- 11111 points
Aiolia said:
Use esse script para instalar de forma automatizada.
Click to expand...
Please write in English, because this is an English forum!

Translated by Deepl:
Use this script to install automatically.
 

My Computer

System One

  • OS
    Windows 11 Pro 24H2 26100.3915
    Computer type
    PC/Desktop
    Manufacturer/Model
    Build by vendor to my specs
    CPU
    AMD Ryzen 7 5700G
    Motherboard
    MSI PRO B550M-P Gen3
    Memory
    Kingston FURY Beast 2x16GB DIMM DDR4 2666 CL16
    Graphics Card(s)
    MSI GeForce GT 730 2GB LP V1
    Sound Card
    Creative Sound Blaster Audigy FX
    Monitor(s) Displays
    Samsung S24E450F 24"
    Screen Resolution
    1920 x 1080
    Hard Drives
    1. SSD Crucial P5 Plus 500GB PCIe M.2
    2. SSD-SATA Crucial MX500-2TB
    PSU
    Corsair CV650W
    Case
    Cooler Master Silencio S400
    Cooling
    Cooler Master Hyper H412R with Be Quiet Pure Wings 2 PWM BL038 fan
    Keyboard
    Cherry Stream (wired, scissor keys)
    Mouse
    Asus WT465 (wireless)
    Internet Speed
    70 Mbps down / 80 Mbps up
    Browser
    Firefox 130.0
    Antivirus
    Windows Defender
    Other Info
    Router: FRITZBox 7490
    Oracle VirtualBox 7 for testing software on Win 10 or 11
You must log in or register to reply here.

Similar threads

  • Article Article
Updating Microsoft Secure Boot keys
4 5 6
Replies
106
Views
22K
THEBOSS619
THEBOSS619
  • Article Article
Revoking vulnerable Windows boot managers
2
Replies
24
Views
7K
Warre1
Warre1

Latest Support Threads

Latest Tutorials

Back
Top Bottom