Newsletter 02/03/2026

If you find this article of value, please help keep the blog going by making a contribution at GoFundMe or Paypal


The Coming Cluster:
Microsoft Is Replacing Expiring Secure Boot Certificates


Microsoft-powered PCs rely on cryptographic certificate keys to operate. Specifically, these certificates enable Secure Boot to verify that the software that loads is legitimate. BleepingComputer, on January 13, 2026, explained the issue as follows:

Secure Boot is a security feature that blocks malicious software (like rootkit malware) from executing during the system startup sequence by ensuring that only trusted bootloaders can load on computers with UEFI firmware. This is done by checking the software's digital signature against a set of trusted digital certificates that are stored in the device's firmware.

Throughout 2026, with a projected final date of June 2026, Microsoft will replace the original certificates, which date back to 2011, with new certificates. These new certificates will be rolled out in a multi-staged process through Windows Updates. Once this process is complete, PCs without the new certificates may fail to start up correctly.

If you purchased your computer in 2025, that PC already has the new certs. If your PC is older, then the latest firmware updates from the computer manufacturer are required for the new certificates to be correctly installed. Security vendor Malwarebytes offers a good explanation of what firmware is.

Firmware is a type of software that is embedded into hardware devices to control their functionality. Unlike traditional software, firmware is not designed to be modified or updated frequently, and it is typically stored in non-volatile memory. It serves as a bridge between the hardware and software layers of a system, allowing the hardware to interact with the operating system and applications. 

Herein lie the potential pitfalls. Without the newest firmware, the newer certificates might fail. Moreover, the older the PC is, the more problematic updating the firmware will become.

For the new certs to be successfully installed, both the manufacturer's firmware updates and the new Microsoft certs must be installed in tandem. One won't work without the other. Microsoft is relying on computer manufacturers to issue the required UEFI/BIOS firmware updates for the plan to succeed. My experience here is that some PC manufacturers make that process easier than others do. Some computer manufacturers will offer a menu of POSSIBLE firmware updates for a specific model and/or configuration. Furthermore, as a consultant, my usual position is that many consumers should probably not try to install new firmware themselves, especially if that is a process that they are totally unfamiliar with.

There are some common problems you might experience when attempting to install new firmware updates.
•  Firmware updates can fail or be blocked by outdated versions.
•  Some OEMs stop releasing BIOS updates after 3–4 years.
•  A failed BIOS update can render a system unbootable.

Many PCs manufactured between 2017 and 2021 may not receive firmware updates at all. Again, without the necessary firmware updates, the newer certs will not be installed, resulting in a PC that may not boot up correctly. Older PCs may reject the new keys. Also, many older PCs come with Secure Boot disabled. When I enabled Secure Boot on a Windows 10 notebook of mine in order to install Windows 11, the boot sector of the drive was damaged, resulting in all the data on that drive being destroyed.
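
To see where a particular PC stands, the following read-only PowerShell check (an added example, not part of the original newsletter) reports whether Secure Boot is enabled and whether the firmware's KEK and db stores hold the 2011 or the newer certificates. The certificate names are assumptions taken from Microsoft's public guidance rather than from this article, the function name is hypothetical, and the session must be elevated.

```powershell
# Added example. Run in an elevated PowerShell session on the PC being checked.
# Certificate names below are assumptions from Microsoft's public guidance.
$expected = @(
    @{ Store = 'KEK'; Era = 'old'; Name = 'Microsoft Corporation KEK CA 2011' }
    @{ Store = 'KEK'; Era = 'new'; Name = 'Microsoft Corporation KEK 2K CA 2023' }
    @{ Store = 'db';  Era = 'old'; Name = 'Microsoft Windows Production PCA 2011' }
    @{ Store = 'db';  Era = 'new'; Name = 'Windows UEFI CA 2023' }
    @{ Store = 'db';  Era = 'old'; Name = 'Microsoft Corporation UEFI CA 2011' }
    @{ Store = 'db';  Era = 'new'; Name = 'Microsoft UEFI CA 2023' }
)

function Get-SecureBootCertReport {   # hypothetical helper name
    try {
        # True or False on UEFI systems; throws on legacy BIOS or without elevation.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        Write-Host "Secure Boot enabled: $enabled"

        $stores = @{}
        foreach ($item in $expected) {
            if (-not $stores.ContainsKey($item.Store)) {
                # Read the raw UEFI variable once and decode it so that the
                # certificate subject names become searchable text.
                $bytes = (Get-SecureBootUEFI -Name $item.Store -ErrorAction Stop).Bytes
                $stores[$item.Store] = [System.Text.Encoding]::ASCII.GetString($bytes)
            }
            [pscustomobject]@{
                Store   = $item.Store
                Era     = $item.Era
                Name    = $item.Name
                Present = $stores[$item.Store].Contains($item.Name)
            }
        }
    } catch {
        Write-Warning "Cannot query Secure Boot variables: $($_.Exception.Message)"
    }
}

Get-SecureBootCertReport | Format-Table -AutoSize
```

The check only reads firmware variables and changes nothing. Rows marked `new` that show `Present = False` mean the replacement certificates have not yet been written to that PC's firmware.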

I know that many people ignore what I write about, even though I give these people direct access to my articles. The information presented herein is critical to every computer user who has Windows installed. If this is ignored, and the new keys are not installed properly, that user might well end up with a PC that will not start. And if a broken computer cannot at least start up, then that computer cannot be fixed.

And never forget this very old maxim that dates back to 16th-century England:
To be forewarned is to be forearmed.

¯\_(ツ)_/¯¯
Gerald Reiff