Newsletter 02/04/2026, revised 02/06/2026

If you find this article of value, please help keep the blog going by making a contribution at GoFundMe or Paypal


The Coming Cluster, Postscript:
Microsoft Is Replacing Expiring Secure Boot Certificates


The salient point that Windows customers need to understand and act upon is that come June 2026, Windows PCs without the new certification keys properly installed may well find that their computer will not start up.  Furthermore, if a Consumer has a machine that is bricked because of the certification keys issue, even a bootable USB drive will not make the PC start.  The problem is at the motherboard level: specifically, the BIOS/UEFI settings on the motherboard.

Microsoft has good reasoning for doing this.  Microsoft’s long‑term strategy since Windows 11 has been to move the ecosystem toward more secure, modern hardware.  Given the rise in firmware‑level attacks and the increasing sophistication of cybercriminals, the push for newer, more secure systems is understandable — but it does mean that many older Windows 10 machines will not be able to participate in the 2026 Secure Boot certificate update.

There are three groups of Windows customers that stand to be affected by the discontinuation of the certification keys from 2011 and the introduction of the newer replacement keys from 2023.

1.  One such group is Consumers who purchased their Windows 11 PCs in 2024 or 2025. 

In the previous article on this subject, I said that owners of Windows computers purchased in 2025 can rest assured that those computers come with the new certification keys.  I used that date to be definitive.  It is possible that a machine purchased in 2024 could have been in inventory since before 2024 and, thus, manufactured in 2023.  So, such a PC cannot be guaranteed to come with the newer certification keys.  It is the manufacturing year that matters here.  Therefore, only machines purchased in 2025 are CERTAIN to come with the newer keys installed.  Consumers with 2024 vintage PCs must ensure that they have had the newest firmware from their computer manufacturer installed.

2.  Consumers who have older PCs that are successfully running Windows 11 might well face a conundrum. 

These users certainly do have the hardware necessary to have the new certification keys installed.  Nevertheless, these customers may not have the newest firmware from their computer manufacturer installed.  Without the newest firmware update the key installation may fail.  In fact, the key installation probably will fail. 

Installing firmware updates requires some degree of technical knowledge about the process.  Since different manufacturers offer different paths to find the BIOS/UEFI settings on the motherboard, it is not possible for me or anyone else to guide a user through this process in general terms.  Firmware updates are important, but they are also one of the few maintenance tasks where a mistake can have serious consequences.  Different manufacturers use different tools and procedures, and older systems may not support automated updates at all.  For that reason, I recommend that users consult a qualified technician if they are unsure about the process or if their PC is more than a few years old.  Lastly, depending on how old the PC is, the manufacturer may no longer issue any new firmware updates.  From the manufacturer's point of view, that machine was long since discontinued, and therefore the manufacturer might consider that it is under no real obligation to continue with the expense and manpower necessary to produce such updates. 

3.  Consumers who for whatever reason still cling to their Windows 10 machines.

Based on my association with this industry since the 1980s, it is my opinion that these required certification key replacements might well be the final nail in the coffin of Windows 10.  It is not that Microsoft is being punitive; rather, many machines from the Windows 10 era were designed and manufactured before Secure Boot was a widely adopted standard.  Even if Secure Boot is present on the motherboard, the feature is more often than not disabled.  Although I have enabled, and still could enable, Secure Boot on a machine where the feature is present but disabled, I would not do it.  For the amount the client would pay me in billable hours to do that, and then reinstall all their software, the client could buy a new low-end Windows 11 PC.

The issue of no firmware updates coming from manufacturers is even more critical on these older machines.  Again, I must emphasize, without the newest firmware the new certification keys will not install.  Even if the Consumer has enrolled their computer in the Extended Security Updates program, Microsoft is only obligated to continue Windows security updates.  Microsoft is not responsible for updates to the motherboard from the manufacturer.

Given all these sound reasons, the majority of Windows 10 PCs will likely not receive the new certification keys.  As a result, some of these systems may become unable to start after June 2026 if Secure Boot is enabled, but the firmware had never received the updated certificates.
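The three groups above all come down to one question: is Secure Boot enforcing on this PC, and does its firmware already hold the 2023 Microsoft certificates that replace the expiring 2011 ones? The following read-only PowerShell check is an added example, not code from the original post. It uses the built-in SecureBoot cmdlets and assumes the certificate names Microsoft publishes for the 2023 replacement ("Microsoft Corporation KEK 2K CA 2023" for the KEK; "Windows UEFI CA 2023", "Microsoft UEFI CA 2023" and "Microsoft Option ROM UEFI CA 2023" for the db) and the System-log event Microsoft documents for a device whose certificates still need updating (Event ID 1801 from Microsoft-Windows-TPM-WMI). Run it from an elevated PowerShell prompt; it changes nothing on the machine.

```powershell
# Added example (not from the original post): read-only Secure Boot certificate
# status check ahead of the June 2026 expiry. Assumes the 2023 CA names that
# Microsoft publishes for the replacement certificates and Event ID 1801 as the
# "certificates still need updating" signal. Requires an elevated prompt on a
# Windows 10/11 machine; the SecureBoot module ships with Windows.

function Get-SecureBootCertStatus {
    $result = [ordered]@{
        SecureBootEnabled = $null      # $true, $false, or 'NotSupported' (legacy BIOS/CSM boot)
        KEK2023Present    = $false     # 2023 Key Exchange Key already enrolled?
        DB2023Present     = @{}        # per-CA presence in the signature database (db)
        Event1801Seen     = $false     # Windows has logged "Secure Boot certs need updating"
    }

    # Confirm-SecureBootUEFI throws when the machine is not booted via UEFI at all;
    # that is the "no Secure Boot" group from the post, not a failed check.
    try   { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $result.SecureBootEnabled = 'NotSupported' }

    if ($result.SecureBootEnabled -eq $true) {
        # KEK and db are raw UEFI variables holding DER certificates. The subject
        # names are stored as plain ASCII inside the DER, so a substring match is
        # enough to tell whether a given 2023 CA has been enrolled.
        $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)

        $result.KEK2023Present = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')
        foreach ($ca in 'Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023') {
            $result.DB2023Present[$ca] = [bool]($db -match [regex]::Escape($ca))
        }
    }

    # Event 1801 (System log, provider Microsoft-Windows-TPM-WMI) is the event
    # Microsoft documents for a device whose Secure Boot certificates still need
    # the 2023 update. Get-WinEvent writes a non-terminating error when nothing
    # matches, so silence it and treat $null as "not seen".
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801 } `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.Event1801Seen = ($null -ne $ev)

    [pscustomobject]$result
}

# Print the status and a one-line reading of which group from the post this PC falls into.
$status = Get-SecureBootCertStatus
$status | Format-List

if ($status.SecureBootEnabled -eq 'NotSupported') {
    'No UEFI Secure Boot on this machine: no replacement keys will be issued for it.'
}
elseif ($status.SecureBootEnabled -eq $false) {
    'Secure Boot is present but disabled: the expiry will not stop it booting, but it has no boot-time protection.'
}
elseif ($status.KEK2023Present -and -not ($status.DB2023Present.Values -contains $false)) {
    '2023 KEK and db certificates are already enrolled; this PC is ready for June 2026.'
}
else {
    '2023 certificates are missing: install the latest manufacturer firmware, then let Windows Update enroll them.'
}
```

The db check is deliberately per certificate: a partially applied update (for example, the Windows boot CA enrolled but not the option ROM CA) still shows up as incomplete, and `Event1801Seen` gives a second, independent indicator from Windows' own servicing logic. Nothing here writes to the firmware; enrolling the keys is left to Windows Update and the manufacturer's firmware package, as the post advises.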

For those even older PCs still running Windows 10 that do not have Secure Boot at all, there will be no reissued keys.  These much older computers will, however, be far more susceptible to cyber attacks at the motherboard level.  A system without Secure Boot enforcement is vulnerable to:
• Bootkit attacks: malicious code that loads before Windows and hides from antivirus.
• Rootkits that replace the bootloader: attackers can swap in a modified Windows Boot Manager or shim.
• Firmware-level malware: some malware families can write to SPI flash or UEFI variables if protections are weak.
• Downgrade attacks: attackers can load older, vulnerable bootloaders that would normally be blocked by Secure Boot's revocation list.
• Supply-chain or repair-shop tampering: without Secure Boot, nothing prevents a modified OS image from being installed.

Conclusion

This issue came into focus when I first read about the certification key replacement a couple of weeks ago.  Then Friday of last week, the first of these keys was pushed at me through Windows Updates.  Since I check for all available updates daily, and check for driver updates using the HP Support Assistant application at least once a week, the first of these new keys proceeded without any problem.  That prompted me to take a deep dive into what is going on with these key replacements.  And, as what I learned sunk in, I came to understand the fuller implications of what the required key replacements would mean for Consumers with older computers.

I try to avoid being the Chicken Little of the computer industry.  On the other hand, I must call them as I see them.  In this case, the sky might not be falling, but older PCs will be crashing.  After crashing, some of those obsolete PCs will then not even start and will become irreparable.  Or, as they say in the military, they will be FUBAR.


And never forget this very old maxim that dates back to 16th-century England:
To be forewarned is to be forearmed.

¯\_(ツ)_/¯
Gerald Reiff