Preparing for an impact: Microsoft warns of Secure Boot certificate update

Microsoft's first Secure Boot certificates expire starting in June 2026. For systems with Secure Boot to keep starting, they must have received updated certificates by then. "Prepare for the first global, large-scale Secure Boot certificate update," says Microsoft. This applies not only to Windows systems but also to those running other operating systems such as Linux or macOS.

In a blog post, Microsoft discusses the consequences of the certificate expiry and provides information on how admins can help themselves under Windows. In summary, Microsoft states: "The Microsoft certificates used in Secure Boot are the basis of trust for the security of the operating system, and all of them expire from June 2026. In order to receive updates for new Windows systems in good time, you have to leave the administration of your Windows updates, which also includes Secure Boot, to Microsoft." Microsoft therefore considers close cooperation with original equipment manufacturers (OEMs) important in order to distribute Secure Boot firmware updates.

If you have not yet made any plans for distributing the updated certificates, you should start now, advises Microsoft. Secure Boot is intended to prevent malware from launching early in the boot process of computers. It is tied to the UEFI firmware signing process. Secure Boot relies on cryptographic keys, known as Certificate Authorities (CAs), to verify that firmware modules come from trustworthy sources. In June 2026, the Secure Boot certificates that are part of the Windows system expire after 15 years. Windows devices therefore need new certificates to continue working and to remain protected, explains Microsoft.

Affected are physical and virtual machines with supported versions of Windows 10, Windows 11 and Windows Server 2025, 2022, 2019, 2016, 2012 and 2012 R2, i.e. all systems released since 2012, including the Long-Term Servicing Channel (LTSC). Newer Copilot+ PCs, released since 2025, already have newer certificates.

The affected systems also include macOS, but that is outside Microsoft's support area. For dual-boot systems with Linux and Windows, the Windows operating system should update the certificates on which Linux depends.

Microsoft lists the certificate "Microsoft Corporation KEK CA 2011", which expires in June 2026 and is replaced by "Microsoft Corporation KEK 2K CA 2023"; it is used to sign the DB (database of permitted signatures) and the DBX (database of prohibited signatures).

In addition, "Microsoft Corporation UEFI CA 2011 (or third-party UEFI CA)" reaches end of life, for which Microsoft provides "Microsoft Corporation UEFI CA 2023" and "Microsoft Option ROM UEFI CA 2023" as successors. The first certificate signs third-party operating systems and hardware driver components, the latter third-party option ROMs. Finally, the "Microsoft Windows Production PCA 2011" certificate expires in October 2026 and is replaced by "Windows UEFI CA 2023"; it signs the Windows boot loader and boot components.
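Added example (not from the original article or from Microsoft's blog post): a PowerShell check that reads the Secure Boot KEK, DB and DBX variables on a Windows machine and reports whether the 2023 certificates named above are already present alongside the expiring 2011 ones. It uses the `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets from the SecureBoot module that ships with Windows; the substring match on the certificate subject names is a heuristic (the variables hold DER-encoded certificates inside EFI signature lists, in which the subject name appears as printable ASCII). The function and property names are my own.

```powershell
# Added example: report which Secure Boot CAs are present in the UEFI
# KEK and DB variables on this Windows machine. Run from an elevated
# prompt on UEFI firmware; on legacy BIOS systems the cmdlets fail.
# Certificate names are those listed in Microsoft's announcement;
# Test-SecureBootCaStatus and its output properties are my own names.

$ExpectedCAs = [ordered]@{
    kek = @(
        'Microsoft Corporation KEK CA 2011',      # expires June 2026
        'Microsoft Corporation KEK 2K CA 2023'    # successor
    )
    db  = @(
        'Microsoft Corporation UEFI CA 2011',     # third-party UEFI CA, expires June 2026
        'Microsoft Corporation UEFI CA 2023',     # successor for third-party OS/driver components
        'Microsoft Option ROM UEFI CA 2023',      # successor for third-party option ROMs
        'Microsoft Windows Production PCA 2011',  # Windows boot loader signer, expires October 2026
        'Windows UEFI CA 2023'                    # successor
    )
}

function Get-SecureBootVariableText {
    param([Parameter(Mandatory)][string] $Name)
    # Get-SecureBootUEFI returns the raw variable bytes. Subject names inside
    # the DER certificates are plain ASCII, so a text search is enough for a
    # presence check (a full parse would walk each EFI_SIGNATURE_LIST).
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
        return [System.Text.Encoding]::ASCII.GetString($bytes)
    } catch {
        Write-Warning "Could not read UEFI variable '$Name': $($_.Exception.Message)"
        return $null
    }
}

function Test-SecureBootCaStatus {
    try {
        if (-not (Confirm-SecureBootUEFI -ErrorAction Stop)) {
            Write-Warning 'Secure Boot is not enabled on this system.'
        }
    } catch {
        Write-Warning "Secure Boot state could not be determined: $($_.Exception.Message)"
    }

    foreach ($var in $ExpectedCAs.Keys) {
        $text = Get-SecureBootVariableText -Name $var
        foreach ($ca in $ExpectedCAs[$var]) {
            [pscustomobject]@{
                Variable = $var.ToUpper()
                CA       = $ca
                Present  = ($null -ne $text) -and $text.Contains($ca)
            }
        }
    }

    # DBX (revocation list) size: the new CAs arrive together with updated
    # revocations, so an empty or tiny DBX is another sign the update is missing.
    $dbx = Get-SecureBootUEFI -Name dbx -ErrorAction SilentlyContinue
    if ($dbx) {
        [pscustomobject]@{
            Variable = 'DBX'
            CA       = "(revocation list, $($dbx.Bytes.Length) bytes)"
            Present  = $dbx.Bytes.Length -gt 0
        }
    }
}

Test-SecureBootCaStatus | Format-Table -AutoSize
```

On a machine the article describes as affected, the 2011 entries show `Present = True` and the 2023 entries `False` until the cumulative updates Microsoft mentions have written the new certificates; if the 2023 entries remain absent after patching, the article's advice applies: check for an OEM firmware update first, since the firmware update is the prerequisite for the Windows-side Secure Boot update to take effect.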

The CAs ensure the integrity of the boot sequence, explains Microsoft. Once these CAs expire, the systems no longer receive security fixes for the Windows Boot Manager and the Secure Boot components. "Compromised security during the startup process threatens the entire security of affected Windows devices, in particular through bootkit malware. Such malware is difficult or impossible for antivirus software to detect. Even today, the unsecured boot process can serve as an attack vector for the BlackLotus bootkit (CVE-2023-24352)," the developers explain.

Microsoft emphasizes that it is important for those affected to first look for the latest firmware from their OEM, i.e. the computer or mainboard manufacturer, and install it before applying new certificates to their Windows systems. In the Secure Boot process, the OEMs' firmware updates are a prerequisite for the Windows Secure Boot updates to be applied correctly. Microsoft only supports systems that are still within the support cycle; after October 2025, Windows 10 users should therefore consider procuring Extended Security Updates (ESU).

Microsoft does not give a precise schedule, but explains that "we can expect the update of the Secure Boot certificates as part of our recent cumulative updates". The least effort is therefore to leave the management of Windows updates, including the Secure Boot updates, to Microsoft. In the blog post, Microsoft finally discusses how corporate customers can proceed with different solutions for managing Windows updates.

Last year, Microsoft blocked numerous boot loaders with a DBX update delivered in the August update. Many Linux distributions were affected and subsequently no longer started. It is to be hoped that a similar scenario will not recur, given a year's advance notice.
