Get ye to Windows Update, because there’s a good chance you’ve got new Secure Boot certificates to install. Microsoft just announced that it will be refreshing those certificates, which were originally introduced when Secure Boot debuted in 2011, as a security precaution. Secure Boot was a way for Microsoft to protect systems from running unsigned and potentially malicious code before Windows launched. It went on to be an installation requirement for Windows 11, as well as anti-cheat software used in Valorant, Call of Duty: Black Ops 6/7 and Battlefield 6.
Without the new Secure Boot certificates, Microsoft says your system will still function normally, but it will enter “a degraded security state that limits its ability to receive future boot-level protections.” Basically, you won’t be protected from malware and viruses targeting vulnerabilities in older versions of Windows. As expected, Microsoft also notes that unsupported versions of Windows won’t be receiving the new Secure Boot certificates. They’re only coming to Windows 11 systems, as well as Windows 10 PCs subscribed to Microsoft’s Extended Security Updates.
Microsoft says many users will be able to pick up the updated Secure Boot certificates by visiting Windows Update, but a few may need additional firmware updates from their system (or motherboard’s) OEM. You’ll also be able to track the status of your security certificates in the Windows Security app in the “coming months.”
“As cryptographic security evolves, certificates and keys must be periodically refreshed to maintain strong protection,” Nuno Costa, Partner Director of Windows Servicing and Delivery, wrote in a blog post today. “Retiring old certificates and introducing new ones is a standard industry practice that helps prevent aging credentials from becoming a weak point and keeps platforms aligned with modern security expectations.”
Costa says Microsoft has been working with OEMs like Dell and HP to ensure a smooth transition to the new Secure Boot certificates. Many new systems built in 2024 already have the updated certs, while “almost all” devices shipped last year have them as well. Microsoft has also been alerting IT customers to this transition since last year.
This article originally appeared on Engadget at https://www.engadget.com/computing/microsoft-will-start-refreshing-secure-boot-certificates-in-march-for-windows-11-and-windows-10-esu-users-170000777.html?src=rss
