FYI I just (like 10 minutes ago) rolled up an older 9th gen I9 machine of mine to 2025H2, along with other available Windows updates, and that updated the cert. The cert was not updated prior to this. I didn't have to take any other steps.
mr.WHO wrote: ↑Mon, 6. Apr 26, 14:10
I have two W11 Laptops - one already updated in March via regular Windows update.
However, second one hasn't got any such update yet, so I wonder, if I should wait when it will be available?
I used the command to check those from OP video and I get False on non-updated Laptop.
Is this June deadline only problem for W10 machines, or for W11 as well?
Secure boot certificate warning
-
Vertigo 7
- Posts: 3886
- Joined: Fri, 14. Jan 11, 17:30

Re: Secure boot certificate warning
Reap what you sow.
"I don't think people should be taking medical advice from me" - Robert F. Kennedy Jr., Secretary Health and Human Services, May 2025
https://www.youtube.com/watch?v=s65IW4dh_6w
-
matthewfarmery
- Posts: 4535
- Joined: Fri, 9. Apr 04, 17:49

Re: Secure boot certificate warning
I realise you know your stuff, this isn't aimed at you, but as you don't know the full facts, the problem is, this isn't just Microsoft anymore, but Amazon as well. You got an Amazon fire stick? For some time, that has allowed people to jailbreak their fire sticks, but Amazon has been quietly updating the firmware of the firesticks; those that were pre 4k were able to jailbreak, fully control, with the newer models 4k UHD ready weren't.
Vertigo 7 wrote: ↑Mon, 6. Apr 26, 14:24
Matt, I didn't watch the video. I've been in the IT industry ever since I got out of the Navy and I don't need some derp farming views on youtube telling me my business. I've been doing this for a long time and these OMG WORLD ENDING Y2K PRINT NIGHTMARE LOG4J TPMCERT things people act crazy over are ALWAYS dealt with and people move on. I strongly urge you to calm down. This is just one more in a long list and won't be the last of freak outs some people will have.
matthewfarmery wrote: ↑Mon, 6. Apr 26, 14:16
Did you watch the video? Let me try and explain, the repair shop got this bricked laptop, the tech went through the hoops to narrow down the problem, turns out it was a failed bios update. So he downgraded the bios, to a version that should work for that brand of laptop, when it did power up, it still tried to update the bios, because it was doing it through the black update / booting stage, rather than windows main update itself.
Vertigo 7 wrote: ↑Mon, 6. Apr 26, 14:07
Wrong. Bios updates are included in optional updates. The user opted into those updates.
https://1drv.ms/i/c/f353299b50516e8f/IQ ... w?e=LPUgBX
This is a screenshot of my machine clearly showing firmware updates are Optional.
So, if the bios update is optional, then why was it forced boot the boot / updating process? And if that was turned off, would it have made any difference? As that would have downloaded the updates beforehand. But that tech had no control if that update was required or not. So again, the bios HAD to be updated, before the rest of the OS got updated as well. Hence catch 22.
the video clearly shows the steps, and how the tech found the reason, how to unbrick it. and did not give the laptop any permission to update the bios, as he didn't do it. it was forced. a forced loop.
the problem is, as of this year, Amazon has done many updates to rollback the jailbreak, for those that don't know what that means, you can do it with some phones, it means, you have total control over that phone. in the case of the Amazon firestick, it allowed people to watch films and stuff using a VPN and stuff that Amazon didn't want people to view. unless it was their own authorised apps.
But the problems are deeper, if a user switches a feature or security concern off, then this forced update switches stuff back on. See a similar theme here? And as Amazon is still a US company, a lot of big name stuff from there don't give a flying monkeys about user rights and safety laws.
From your post, you're probably building your rigs? Am I right? your not built a pre installed laptop of that period with preinstalled windows and bloatware on top? You've probably updated windows through the windows update, which means the bios updates are optional. I did say OEM brand, and I made sure of that in my original post. As many pre built systems come with a lot of crap, and if you are a user that doesn't want that crap, then it's hard to remove. Which is probably why the bios needed to be updated, or perhaps linked to the laptop itself. But it was a warning, if you do have an OEM system, not custom built, you MIGHT have this problem.
This warning isn't directed at those that know their shit and knows how to build your stuff. as the MB is custom, or if a desktop system, should have a way to revert to the original bios if anything goes wrong.
I'm not trying to hit at you personally, but like I said, even the OEM tech supports are losing a lot of money, which is why, some are starting to switch over to free distros and leaving windows to rot.
So let's not try and fight. I've seen the video, you see it boot with the Dell logo at the top. This might be fear mongering, but like I also said, this is an old 2022 model. And with windows 11 doing a lot of updates, you never know? Hence my warning.
Let's leave it at that. You clearly know your stuff, as you build stuff. This is for those that don't, as that is the main line of business for OEM side of things. Especially with bloatware to help sell the OS on top. And then, tech support costs, and for a $400 laptop that goes wrong, then shipping, repairs, the cost of the phone call, if free? It eats into the OEM profits. And that is also hurting things.
-
Chips
- Posts: 5323
- Joined: Fri, 19. Mar 04, 19:46

Re: Secure boot certificate warning
For someone who this didn't apply to as I didn't have secure boot enabled; an experiment - completely ignoring the hysteria of videos (yes, I've watched them. No, I'm not following them... I'm on Windows 11 btw). There's no optional firmware updates in windows update for me; that's because I don't have the convenience of that method.
Run powershell command to find out if I have 2023 cert... false. Of course it is, I don't even have secure boot enabled (msinfo32 -> Secure Boot State=Off).
So, to get the firmware update that contains the required certs and settings etc, it's old fashioned flashing it rather than leveraging the UEFI capsule update - read more about UEFI and the capsule update here https://www.preprints.org/manuscript/202502.1245 -- it says not peer reviewed, and I'm certainly no peer
So, download latest bios from msi, unzip and put file on usb, boot to bios, set to flash from usb, reboots - wait several mins reading all big warnings about don't power off / turn off else system will be bricked (like in that 2nd vid!!!). After a few restarts eventually took me to windows, restart and back into Bios; flip to use secure boot. Note boot mode is now csm not uefi (it was uefi before), so switch that back, save, reboot...
Back into windows, msinfo32 and Secure Boot State is on; then Settings -> Privacy & Security -> Windows Security -> Device Security -> oh I have a new bit called "Secure Boot" showing as green.
Run prior powershell command, "True".
Well, that seemed easy.
However, I forgot to "do you have the cert?" powershell command *before* enabling secure boot to verify it's been delivered by a manufacturer's firmware update.
On my Dell laptop (3+ years old) I let Dell push its firmware update via their own updater - which uses afaik the UEFI capsule update method. See that earlier link, it describes what that does (including stick file at loc X, flip flag Y so that on reboot the UEFI (bios) knows it has an update to apply... which funnily enough explains why in that guy's video it launches straight into a BIOS update when he starts it!!! Who'd have thunk it... if I had to guess, the owner of that laptop interrupted a bios update, which as per the warnings they give, borks the system. It'd fit. It also means his delivery of the update wasn't necessarily windows per se.)
Dell does indeed have a uefi setting in the bios that means Windows can obtain the updates that Dell pushes out, if you disable that as per the second video guy claiming that's how he fixes things, then you'd have to manually update the firmware.
Anyway
https://www.youtube.com/watch?v=EscGJTKHPdw
https://www.youtube.com/watch?v=ixq4RP33Am4
A few Microsoft "Ask me anything" regarding the secure boot / uefi cert 2023 install. Including "no, your computer won't stop working if you don't have the cert in June". However, then a few other questions result in "there may be circumstances..." (see 11:40 on the first one), and there's other AMA where people go "but what about if hardware / firmware updates are signed by cert.." and so on (such as has the manufacturer set the default, otherwise a reversion may bork as it can overwrite settings or something).
One source I read basically said "it shouldn't go wrong, but firmware isn't consistent between vendors, and therefore there's gremlins abound" -- so not MS fault. MS just let vendors push their firmware updates via MS Update into the UEFI capsule update system.
Oh, yes, Linux likely uses the same UEFI capsule update and if you have secure boot enabled, you're going to need the certs in all likelihood. Linux updates will deliver them the same way as Microsoft update did; UEFI capsule update method really convenient for manufacturers to push their necessary updates, so just run an update and should be fine.
So that second vid - it launched straight into a firmware update because... the UEFI capsule update method had been used, so it picked up the flag, file and applied. More likely a fault with the firmware company or the user.
I guess for windows 10 users it's a different kettle of fish, but start with "do I have secure boot enabled". If you don't, none of this matters. After that, I can't comment, i don't have 10.
Personally, windows 11 is better, also, there's been a recent publication on insider that they're making changes - it's a start, but I get people hate Microsoft.
https://blogs.windows.com/windows-insid ... s-quality/
that includes changes to updates so you've more control, removing co-pilot from completely unnecessary things (I'd rather it was gone full stop). Christ this is long.
-
matthewfarmery
- Posts: 4535
- Joined: Fri, 9. Apr 04, 17:49

Re: Secure boot certificate warning
@Chips
Then, it seems, from your scary post, then the issue is with Dell, not MS. at least, from what you described it. Bloody glad you managed to get through that. and looks like you did confirm what that guy was saying.
So, not technically a MS issue, but an OEM issue, so a misunderstanding there (but should have been an override, not a forced update). Bloody hell chips, that was a close one, as that model shown was 2022 era. I would do a full backup of the windows OS and store that, just in case.
So yes, this is a very scary warning, and it seems this guy was right, and my warning here was indeed justified. I think the problem is, OEM sellers have been bullied into accepting windows 11 now. Especially with the bloat pre installed, rather than through the update system. I think this is part of the problem, as OEM techs are still trying to control the laptop / hardware, and with MS more control over the OS, pushing the USER out. Especially with the windows 11 settings and privacy. Even the EU are very concerned now.
But bloody hell chips, if that bios update failed, your system would have bricked like the one in the video.
@Vertigo 7
May I ask one final set of questions, you clearly know a lot about computers, but do you know what each laptop chip does? What voltage each uses? And what chip / circuitry goes where? Do you use a thermal camera? And voltage meter / checker?
While I could build computers and know what stuff does from a desktop standpoint. But from a laptop, what chip controls what, what voltage goes in, what voltage goes out, and turned over, what current goes where. Especially under a thermal camera. What's more, what areas are hotter than others, and what parts of the laptop are used if getting power from a DC or an AC / battery current.
If you know that, and how to diagnose a bricked laptop based on a few clues. That guy in the video went step by step, and did notice some burn out on the MB. He used a thermal camera to find out what parts were hot, and what weren't, then a voltage checker to find which chip was accepting power, and what voltage each chip did or should accept.
Without seeing the video first hand, you don't know how detailed his checks were. Once he started to go deeper, he narrowed it down to the energy management area or the bios. Even then, due to different bios chips and how they are soldered into the board, he could downgrade the chip using a piece of kit that could transfer the rom directly to the chip, otherwise, it would have been a full scale remove and replace.
If you know that, and I didn't, it's useful to know. Not everyone really knows what parts of the laptop do what. We think we know.. but my point is, that guy DID know. So maybe if you do have time, and you don't know that, you might learn something.
-
Chips
- Posts: 5323
- Joined: Fri, 19. Mar 04, 19:46

Re: Secure boot certificate warning
No, I think you and others have a point. You should be able to say "no" before any install. Regardless of how "defend the folks who don't know and may not be aware", and absolutely a huge uphill battle of people who just hate MS. But there should be clearer "this is what is happening, and in non technical terms, here's why."
"Do please check your optionals, because i'm sure everyone does" or... "actually, ones *they* deem critical we just push silently".
The system is a really well intentioned idea. For example, there were updates via firmware for motherboards to run newer chips for example, otherwise we had motherboards with an appropriate socket type that couldn't run newly released cpu's of said socket type. Without that firmware update, folks buying the CPU going "compatible!" would find... not working. But they'd need some level of technical skills. So having an easy-to-deliver update for firmware via an existing used pathway simplifies things. Of course, buying the newer chip + older allegedly compatible motherboard, they're starting out at the "and WHY IS IT NOT WORKING?", so moot point, they never got the chance for bios update.
They've not got it 100% right, there's a way to go. Unforeseen are the inconsistencies in how it's been implemented by various manufacturers, which mean that even with their own suite of offered hardware, you may get radically different outcomes.
That industry wide collective nut drop is a wake up call; hopefully to all to improve their systems. Triggered by a cert. The cert update itself should be 100% benign and banal. btw all links I am trusting; I absolutely do not have the knowledge whatsoever, and most major sites saying "systems will run fine if you don't have cert, except for sec updates that require boot related stuff - which means eventually vuln"... techradar, cnet, pc magazine - they just regurgitate MS's line...
If my update would have failed, conveniently I have multiple pc's - so as long as I can get back into bios I can always download another version of the bios (older) and flash that (assuming I'm allowed to go backwards; never tried as never had a fail!). It's that "interrupt the update flash..." that I believe borks systems. But again, I'm *well* out of my tech knowledge area.
Just that due to this thread I was going "i've not heard of this...." then checked my pc and went "holy crap, i may have done the tpm thing but never did secure boot?", and then thought "this could be fun" as I knew I'd have to do firmware updates the old fashioned way. A quick check showed my other computers are all much more modern and actually were already done.
As said, zero clue for Win 10. I migrated specifically for secure boot and then never even bloody had it enabled! Farce.
https://www.windowslatest.com/2026/02/1 ... boot-2011/
But at the same time, your firmware manufacturer may have elected for you to receive it via Windows update
One of the biggest misunderstandings around this rollout is assuming that Microsoft is pushing firmware changes directly. It isn’t. BIOS and UEFI firmware are controlled by your device manufacturer, not by Windows Update. That means Microsoft cannot blindly update Secure Boot keys at the firmware level across every PC without coordination from OEMs like Dell, Lenovo, HP, ASUS, Acer, and others.
https://www.windowslatest.com/2026/03/3 ... e-problem/
The CA‑2023 rollout revealed that different vendors had wildly different levels of firmware discipline. Some desktop and laptop PCs sailed through without problems; others experienced anything from minor setbacks to major issues up to and including unbootable systems. Let’s take a look at how various vendors fared in this situation.
ASUS
Some ASUS boards refused to apply DBX updates unless Secure Boot was temporarily disabled — a paradoxical requirement. Others applied updates but left systems in a “half‑revoked” state. The CA-2011 certificate might still be used (or not) even if the CA-2023 certificate was present.
MSI
Some (but not all) MSI boards were notorious for:
- inconsistent DBX handling
- firmware that silently ignored updates
- Secure Boot modes that didn’t match UI labels
- systems that reverted to factory keys unexpectedly
ASRock
ASRock boards often required manual intervention for such things as:
- clearing keys
- reinstalling factory defaults
- re‑enrolling Microsoft keys
- manually applying DBX updates
Their documentation was sparse, and many users were left guessing. In my own case, I had two supposedly identical motherboards, both B550 Extreme4 models. One of them surrendered to manual, and Microsoft WU supplied updates. The other could never reconcile the pending updates from the OS (both WU and manually applied) to the contents of the various firmware databases. Indeed, that’s what provoked the ongoing series of “CPU change” warnings depicted in the previous section of this story.
Dell, HP, Lenovo (and other OEMs…)
Enterprise and consumer oriented PC and laptop vendors (including also Acer, ASUS, Dynabook, etc.) generally did better, but even they had:
- staggered rollouts
- inconsistent BIOS/UEFI update timing
- some systems that required multiple reboots to apply DBX changes
As I looked at read forum posts at answers.microsoft.com, TenForums.com, ElevenForum.com, and TechPowerUp.com, I saw hundreds upon hundreds of forum threads that sought help in dealing with Secure Boot issues. Many involved laptops, and many more involved desktops, particularly DIY home-brew builds or those from boutique builders who assemble best-of-breed commercial parts to build bespoke PCs for well-heeled buyers (see next section).
-
alt3rn1ty
- Posts: 3923
- Joined: Thu, 26. Jan 06, 19:45

Re: Secure boot certificate warning
Just checked ..
PS C:\Windows\system32> ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
True
So at some point it's been done automagically for my machine.
Had about 4 BIOS updates in the last 6 months on this machine, and a couple of Windows 11 updates which mentioned the certificate in their respective release notes (one of those was a preview update, I don't let those betas happen).
Never experienced windows doing BIOS UEFI updates, all of mine on this and the last three laptops before it have been from the OEM.
Maybe if it was outside its support period and critically needed, MS Windows might try to step in
Spec's@2025-05-17 - Laptop - Acer Predator Helios Neo 16 AI - Win 11
CPU - Intel Core Ultra 9 275HX 2.7-5.4ghz, RAM - 32gb DDR5 6400(OC),
Discrete GPU - NVidia Geforce RTX 5070 Ti, VRAM 12gb GDDR7,
SSD - M.2 PCIe NVME 1Tb, OLED WQXGA 2560x1600.
Seeker of Sohnen. Long live Queen Polypheides. 
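An expanded form of the one-line check in the post above, as an added example that is not part of the thread or anyone's posted code: it first reports whether Secure Boot is enforced at all (the situation behind the False seen earlier in the thread on a machine with Secure Boot off), then looks for the 2023 certificates in db, dbDefault and KEK. Only the db / 'Windows UEFI CA 2023' check comes from the thread; the dbDefault and KEK lookups and the KEK certificate name 'Microsoft Corporation KEK 2K CA 2023' are assumptions added here.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.

function Test-SecureBootCert {
    param(
        [Parameter(Mandatory)][string]$Variable,  # UEFI variable: db, dbDefault, KEK
        [Parameter(Mandatory)][string]$Subject    # certificate name to search for
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    } catch {
        # Legacy BIOS/CSM boot, non-elevated prompt, or the firmware does not
        # expose this variable: report "unknown" instead of a misleading False.
        return $null
    }
    # Same technique as the one-liner in the thread: the certificate name is
    # readable text inside the stored blob. Contains() is a literal match,
    # so nothing in the name is interpreted as a regex.
    return [System.Text.Encoding]::ASCII.GetString($bytes).Contains($Subject)
}

# Step 1: is Secure Boot actually enforced? $null means the cmdlet could not tell
# (not a UEFI boot, or the prompt is not elevated).
$enabled = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }

# Step 2: where is the 2023 certificate present?
#   db        - active allow list (the check used in the thread)
#   dbDefault - factory defaults, restored if keys are reset in firmware setup
#   KEK       - key that authorises future db/dbx updates (name is an assumption
#               added in this example, not taken from the thread)
$checks = @(
    @{ Variable = 'db';        Subject = 'Windows UEFI CA 2023' },
    @{ Variable = 'dbDefault'; Subject = 'Windows UEFI CA 2023' },
    @{ Variable = 'KEK';       Subject = 'Microsoft Corporation KEK 2K CA 2023' }
)

$report = foreach ($c in $checks) {
    $found   = Test-SecureBootCert @c
    $present = if ($null -eq $found) { 'unreadable' } else { $found }
    [pscustomobject]@{
        Variable = $c.Variable
        Subject  = $c.Subject
        Present  = $present
    }
}

$state = if ($null -eq $enabled) { 'unknown (not UEFI or not elevated)' } else { $enabled }
"Secure Boot enabled: $state"
$report | Format-Table -AutoSize
```

A True for db with False for dbDefault means the certificate arrived through an OS-side update but is not in the firmware's factory defaults, so resetting Secure Boot keys to defaults in firmware setup would drop it again.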
>> Click me for X4 Forum Avatars <<
-
matthewfarmery
- Posts: 4535
- Joined: Fri, 9. Apr 04, 17:49

Re: Secure boot certificate warning
Tell you what chips, we might not always see eye to eye. But that was a detailed and thought out post, that even exceeded my knowledge. Which is why, I think the guy in the video didn't know this? or why the bios update was a surprise. From the looks of things, he probably was used to custom build laptops, rather then OEM versions, which were exclusively in control of the PC named builder. From the PC builder prospective, I'm starting to think the update bios could only be done before the system fully boots. As the certificate needs to be authorised before windows takes other. However, I think the problem is, the PC builder might not fully realise if anything has changed on the laptop.Chips wrote: ↑Mon, 6. Apr 26, 19:24 No, I think you and others have a point. You should be able to say "no" before any install. Regardless of how "defend the folks who don't know and may not be aware", and absolutely a huge uphill battle of people who just hate MS. But there should be clearer "this is what is happening, and in non technical terms, here's why."
https://www.windowslatest.com/2026/02/1 ... boot-2011/
But at the same time, your firmware manufacturer may have elected for you to receive it via Windows update
One of the biggest misunderstandings around this rollout is assuming that Microsoft is pushing firmware changes directly. It isn’t. BIOS and UEFI firmware are controlled by your device manufacturer, not by Windows Update. That means Microsoft cannot blindly update Secure Boot keys at the firmware level across every PC without coordination from OEMs like Dell, Lenovo, HP, ASUS, Acer, and others.
"Do please check your optionals, because i'm sure everyone does" or... "actually, ones *they* deem critical we just push silently".
The system is a really well intentioned idea. For example, there were updates via firmware for motherboards to run newer chips for example, otherwise we had motherboards with an appropriate socket type that couldn't run newly released cpu's of said socket type. Without that firmware update, folks buying the CPU going "compatible!" would find... not working. But they'd need some level of technical skills. So having an easy-to-deliver update for firmware via an existing used pathway simplifies things. Of course, buying the newer chip + older allegedly compatible motherboard, they're starting out at the "and WHY IS IT NOT WORKING?", so moot point, they never got the chance for bios update.
They've not got it 100% right, there's a way to go. Unforeseen are the inconsistencies in how it's been implemented by various manufacturers mean that even with their own suite of offered hardware, you may get radically different outcomes.
https://www.windowslatest.com/2026/03/3 ... e-problem/
The CA‑2023 rollout revealed that different vendors had wildly different levels of firmware discipline. Some desktop and laptop PCs sailed through without problems; others experienced anything from minor setbacks to major issues up to and including unbootable systems. Let’s take a look at how various vendors fared in this situation.
That industry wide collective nut drop is a wake up call; hopefully to all to improve their systems. Triggered by a cert. The cert update itself should be 100% benign and banal. btw all links I am trusting; I absolutely do not have the knowledge whatsoever, and most major sites saying "systems will run fine if you don't have cert, except for sec updates that require boot related stuff - which means eventually vuln"... techradar, cnet, pc magazine - they just regurgitate MS's line...
ASUS
Some ASUS boards refused to apply DBX updates unless Secure Boot was temporarily disabled — a paradoxical requirement. Others applied updates but left systems in a “half‑revoked” state. The CA-2011 certificate might still be used (or not) even if the CA-2023 certificate was present.
MSI
Some (but not all) MSI boards were notorious for:
- inconsistent DBX handling
- firmware that silently ignored updates
- Secure Boot modes that didn’t match UI labels
- systems that reverted to factory keys unexpectedly
ASRock
ASRock boards often required manual intervention for such things as:
- clearing keys
- reinstalling factory defaults
- re‑enrolling Microsoft keys
- manually applying DBX updates
Their documentation was sparse, and many users were left guessing. In my own case, I had two supposedly identical motherboards, both B550 Extreme4 models. One of them surrendered to manual, and Microsoft WU supplied updates. The other could never reconcile the pending updates from the OS (both WU and manually applied) to the contents of the various firmware databases. Indeed, that’s what provoked the ongoing series of “CPU change” warnings depicted in the previous section of this story.
Dell, HP, Lenovo (and other OEMs…)
Enterprise and consumer oriented PC and laptop vendors (including also Acer, ASUS, Dynabook, etc.) generally did better, but even they had:
- staggered rollouts
- inconsistent BIOS/UEFI update timing
- some systems that required multiple reboots to apply DBX changes
As I looked at read forum posts at answers.microsoft.com, TenForums.com, ElevenForum.com, and TechPowerUp.com, I saw hundreds upon hundreds of forum threads that sought help in dealing with Secure Boot issues. Many involved laptops, and many more involved desktops, particularly DIY home-brew builds or those from boutique builders who assemble best-of-breed commercial parts to build bespoke PCs for well-heeled buyers (see next section).
If my update would have failed, conveniently I have multiple pc's - so as long as I can get back into bios I can always download another version of the bios (older) and flash that (assuming I'm allowed to go backwards; never tried as never had a fail!). It's that "interrupt the update flash..." that I believe borks systems. But again, I'm *well* out of my tech knowledge area.
Just that due to this thread I was going "i've not heard of this...." then checked my pc and went "holy crap, i may have done the tpm thing but never did secure boot?", and then thought "this could be fun" as I knew I'd have to do firmware updates the old fashioned way. A quick check showed my other computers are all much more modern and actually were already done
As said, zero clue for Win 10. I migrated specifically for secure boot and then never even bloody had it enabled! Farce.
From that one bricked laptop. the guy did notice damage on the MB itself, which he dismissed at first, but would come back to it. also it had been taken to another repair shop. But if that was to find the fault of the brick, or maybe a battery change. or maybe a memory change? There could be a few reasons why the update failed. For example, my first PC desktop was in fact a Dell. an intel Pentium model, that the chip was designed for gaming. (I can't remember the flashing name of the sub process) something that enhances and some games were designed exclusive for this process. Mechwarrior 2 was one such game. But still, the issue was, Dell systems were so hard wired, you couldn't change anything. The PSU was custom, the MB was custom. In fact you couldn't take anything out and replace it with anything. without buying another computer. Which after that, I went into the AMD chips, and the before AMD took the GPU over. that line of GPUs, cheaper than the GeForce line. But only after some games worked better on the AMD gpu, than the geforce gpu.
But the issue is. this hasn't really changed much, sure Dell is somewhat a bit more flexible, but remember this was a desktop. But I think for laptops, the PC builders expect no one to touch the hardware. or realise, that some damage to the MB could cause issues. as they've not seen the laptop first hand. So this forced update of the bios is still bloody crazy. for example, you left this laptop in a hot room, it causes overheating. you shut it down, it continues to work fine, but unknown to you, a chip has some burn damage. but might take another 100 days of constant use for the laptop to fail. Especially if the power comes from the mains, and not from the battery. As that video clearly shows, the DC route through the laptop isn't the same as the AC route. Which is why he checked both. and the backup power port.
So, yes, I think this route of updating the bios is a bit hit and miss. And if that's the case, then it should be up to the user to decide if it's worth the risk, rather than the PC vendor who doesn't know what has happened to it since it left the store. Especially if you take it back, for a better battery, or if possible, more ram. As the ROM might be hardwired to say, this laptop only has these default setup. and not designed for a more customised setup. (which could be another reason for that bricked laptop, or the damage on the MB. wouldn't surprise me, if either or both were the reason) and worse still, if you have no knowledge what a computer is, on the inside, but only got it for the office software and a few games.
@chips, that post of yours is a real eye opener. I submit to your greater wisdom in that regard. you did your homework there.
=
-
matthewfarmery
- Posts: 4535
- Joined: Fri, 9. Apr 04, 17:49

Re: Secure boot certificate warning
Same guy from the second video,
How to destroy a $4000 Alienware laptop when you don't know what you're doing and trying to replace the thermal paste? either the user didn't know what the heck he was doing, or maybe just wanted to monkey about in his already void machine for the fun of it. The tech guy did get the system working. But as the old saying goes, you just can't fix stupid.
https://www.youtube.com/watch?v=HWju0bC3hU4
I'm even surprised that the tech guy went along with it, should have charged him a lot, considering the damage that the user did. Still, the point stands, if people monkey about with their laptops, and expect the PC brand builder to do an update. Another reason why the bios update would fail. the issue is, this is probably far wider than we really expect. good video to watch. and a warning, don't mess with the Innards, UNLESS you are a pro who knows what they are doing.
Edit
Anyone here wants to see a burnt / cinder MB laptop, and the extreme damage it causes,
https://www.youtube.com/watch?v=wq6YtXyiyYk
goodness, That was a wreck, overheating, or just sheer negligence, or maybe something to do with that brand of laptop, or lack of cooling or thermal paste. But cripes, that is shocking.
Edit 2
Not normal, maybe a design fault? even the guy has no idea how it could happen. So yeah, you buy this laptop, it could wind up to be a fire hazard.
=
-
Alan Phipps
- Moderator (English)

- Posts: 32516
- Joined: Fri, 16. Apr 04, 19:21

Re: Secure boot certificate warning
Yeah, I'm not entirely sure that this really has much to do with the thread topic, but gung-ho uninformed repair attempts or even just misplaced curiosity about what's inside do not often mix well with high tech stuff. It's another extension of 'I wonder what happens if I press that big red button?'. Also hardly anybody bothers to 'RTFM'. 
A dog has a master; a cat has domestic staff.
-
matthewfarmery
- Posts: 4535
- Joined: Fri, 9. Apr 04, 17:49

Re: Secure boot certificate warning
Partly to try and say that this guy is legit, and knows his stuff. Partly to say, if user error, then a forced bios update will likely fail. And partly to say, even expensive laptops could fail on their own, regardless of how many safety checks they seemed to have gone through.
OK, I admit I went overboard. But I was trying to say, that it's the same guy in the second video in the original post, and he really knows what he's talking about on the tech end.
As for the software end, then hardware pc builders probably still need to get things sorted in a better manner, as the clock for the updated certificates is running out, and will be locked out unless you buy another expensive piece of kit, due to MS demands And hardware techs playing catch up and placing demands of their own.
=
-
Chips
- Posts: 5323
- Joined: Fri, 19. Mar 04, 19:46

Re: Secure boot certificate warning
PC's won't stop operating when the certificates expire...
The whole point of the certs is to verify that the only code allowed to update the firmware/boot managers are verified as originating from someone who can sign using a chain ultimately signed (trusted) by the root cert (which is what's being updated).
So if you don't have the new cert, so as long as updates don't do firmware/boot manager if the end user has Secure Boot enabled, the computer should work as normal regardless. Or just don't have secure boot enabled...?
However, there are caveats abound. E.g. there may be security updates (as MS will point out), and without those being installed the system remains vulnerable to whatever nasty has been uncovered. Whether firmware from the vendor, or changes to windows boot loader by Microsoft. Additionally, from that "ask me anything" series about the cert update -- if you are updated, then it is apparent that changing settings in bios (if updated, as vendors aren't consistent) to defaults may also do reversions depending upon the firmware manufacture IF they've not updated default values (after installing the certs) as that requires firmware manufacturers to fix. Or other unique/different behaviours based on how firmware implementors implemented the standard. OR there may be other genuine requirements for things (no idea, gfx cards? Completely out of my depth) that provide signed code that'll also not install if *not* updated the certs.
and if there's a chain of stuff and silent failures (as per earlier post where some firmware manufacturers silently ignored fails), then who knows what state you're left with.
Bottom line, folks won't be insta locked out. AFAIK there's nothing else for MS to do either; they've issued the certs. Update the firmware and should be fine (whether via windows update, firmware manufacturers own software doing same, or if can still - flashing the bios after downloading the update).
Last caveat, this is the limit of my understanding though. If other things appear that are actually borked, then other things will appear that are actually borked!
-
mr.WHO
- Posts: 9381
- Joined: Thu, 12. Oct 06, 17:19

Re: Secure boot certificate warning
I did some checks on my 2 laptops.
The one that had its keys updated via Windows Update has secure boot enabled.
The other one, that has no update yet, has secure boot disabled.
Should I be bothered by disabled secure boot? or will expired keys in June not affect me?
Is there a possibility that MS/Windows enable secure boot on its own, without my knowledge or consent?
Should I enable secure boot?
From what I read, it requires some meddling in BIOS and has some risk of breaking things, so I'd rather not do this if it's not absolutely necessary.
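An added example, not part of any forum post and not Microsoft's or the video's script: a PowerShell check of the kind described above, extended to the factory-default databases that matter for the earlier caveat about resetting BIOS settings to defaults. The certificate names are the ones Microsoft uses for the 2023 rollout; the function name `Get-SecureBootCertReport` is made up for this example.

```powershell
# Added example: report Secure Boot state and whether the 2023 certificates
# are present in the active and the factory-default key databases.
# Run in an elevated PowerShell session on a UEFI machine.

# Certificate common name to look for in each firmware variable.
$expected = [ordered]@{
    'KEK'        = 'Microsoft Corporation KEK 2K CA 2023'
    'db'         = 'Windows UEFI CA 2023'
    'KEKDefault' = 'Microsoft Corporation KEK 2K CA 2023'
    'dbDefault'  = 'Windows UEFI CA 2023'
}

function Get-SecureBootCertReport {
    # Secure Boot on/off. The cmdlet throws on legacy BIOS systems
    # and when the session is not elevated.
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        Write-Warning "Cannot query Secure Boot: $($_.Exception.Message)"
        return
    }
    Write-Host "Secure Boot enabled: $enabled"

    foreach ($name in $expected.Keys) {
        $status = 'missing'
        try {
            $var = Get-SecureBootUEFI -Name $name -ErrorAction Stop
            # The variable is a binary signature list. The certificates inside
            # carry their subject name as plain ASCII, so a substring match is
            # enough for a presence check. It does not validate the certificate.
            $text = [System.Text.Encoding]::ASCII.GetString($var.Bytes)
            if ($text.Contains($expected[$name])) { $status = 'present' }
        } catch {
            # Some firmware does not expose the *Default variables at all.
            $status = "unreadable ($($_.Exception.Message))"
        }
        [pscustomobject]@{
            Variable    = $name
            Certificate = $expected[$name]
            Status      = $status
        }
    }
}

Get-SecureBootCertReport | Format-Table -AutoSize
```

A machine that shows `present` for `db` but `missing` for `dbDefault` has the new certificate now but would lose it if the firmware keys were reset to factory defaults.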
-
matthewfarmery
- Posts: 4535
- Joined: Fri, 9. Apr 04, 17:49

Re: Secure boot certificate warning
Secure boot is one issue, another issue if you're on windows 11, is bit locker. as you are given a key to remember, and if you forget that key, you're damned. because of the forced online aspect of windows 11 accounts. If you see a bit locker screen, where you are supposed to enter this key. and forget. you lose everything. and the online account is also locked out.
Chips wrote: ↑Wed, 8. Apr 26, 13:00 PC's won't stop operating when the certificates expire...
The whole point of the certs is to verify that the only code allowed to update the firmware/boot managers are verified as originating from someone who can sign using a chain ultimately signed (trusted) by the root cert (which is what's being updated).
So if you don't have the new cert, so as long as updates don't do firmware/boot manager if the end user has Secure Boot enabled, the computer should work as normal regardless. Or just don't have secure boot enabled...?
However, there are caveats abound. E.g. there may be security updates (as MS will point out), and without those being installed the system remains vulnerable to whatever nasty has been uncovered. Whether firmware from the vendor, or changes to windows boot loader by Microsoft. Additionally, from that "ask me anything" series about the cert update -- if you are updated, then it is apparent that changing settings in bios (if updated, as vendors aren't consistent) to defaults may also do reversions depending upon the firmware manufacture IF they've not updated default values (after installing the certs) as that requires firmware manufacturers to fix. Or other unique/different behaviours based on how firmware implementors implemented the standard. OR there may be other genuine requirements for things (no idea, gfx cards? Completely out of my depth) that provide signed code that'll also not install if *not* updated the certs.
and if there's a chain of stuff and silent failures (as per earlier post where some firmware manufacturers silently ignored fails), then who knows what state you're left with.
Bottom line, folks won't be insta locked out. AFAIK there's nothing else for MS to do either; they've issued the certs. Update the firmware and should be fine (whether via windows update, firmware manufacturers own software doing same, or if can still - flashing the bios after downloading the update).
Last caveat, this is the limit of my understanding though. If other things appear that are actually borked, then other things will appear that are actually borked!
So there is another aspect that people not realise. how easy to get yourself locked out of a system you bought and paid for. This is the problem with MS, and their forced aspect of windows 11. and with more updates breaking stuff, then rewriting stuff. So, not an OS you can fully trust.
So even if secure boot doesn't lock you out, this enabled by default feature will. So, another warning, if you're on windows 11, MAKE a hard backup of that key. if you get the screen, and forget it. your system will not be the same again.
Yes, BitLocker device encryption is increasingly enabled by default on Windows 11, particularly with version 24H2, during initial setup. It requires a Microsoft Account to automatically back up the recovery key. This feature activates automatically on supported systems with TPM 2.0 and Secure Boot, designed to protect data if a device is stolen
=
-
matthewfarmery
- Posts: 4535
- Joined: Fri, 9. Apr 04, 17:49

Re: Secure boot certificate warning
secure boot and TPM are handled by the bios, so you need to turn it on manually. however, I thought secure boot is NEEDED for Windows 11. So if you decide to upgrade to windows 11. Then you probably should update it, so it can move onto windows 11 ok. But the issue is, while windows 10 is at extended life, that might not last. And this updating of the certificate will only happen this year.
mr.WHO wrote: ↑Wed, 8. Apr 26, 13:12 I did some checks on my 2 laptops.
The one that had its keys updated via Windows Update has secure boot enabled.
The other one, that has no update yet, has secure boot disabled.
Should I be bothered by disabled secure boot? or will expired keys in June not affect me?
Is there a possibility that MS/Windows enable secure boot on its own, without my knowledge or consent?
Should I enable secure boot?
From what I read, it requires some meddling in BIOS and has some risk of breaking things, so I'd rather not do this if it's not absolutely necessary.
Not sure what happens if you don't have the secure boot on windows 10, as it's not really needed, then upgrade to windows 11, if it gets the new cert automatically, or locks out the system from upgrading?
=
-
mr.WHO
- Posts: 9381
- Joined: Thu, 12. Oct 06, 17:19

Re: Secure boot certificate warning
I have W11 on both laptops and both were updated from W10 - I think the W11 requirement is only to have TPM capable processor that allow you to be capable of secure boot, but you don't have to have it enabled in order to upgrade to W11.
matthewfarmery wrote: ↑Wed, 8. Apr 26, 13:22 secure boot and TPM are handled by the bios, so you need to turn it on manually. however, I thought secure boot is NEEDED for Windows 11. So if you decide to upgrade to windows 11. Then you probably should update it, so it can move onto windows 11 ok. But the issue is, while windows 10 is at extended life, that might not last. And this updating of the certificate will only happen this year.
-
Chips
- Posts: 5323
- Joined: Fri, 19. Mar 04, 19:46

Re: Secure boot certificate warning
Microsoft do store this key for you under your Microsoft account; otherwise you're prompted to save it to file (usb drive), or print it out. Or do multiple (though as per other thread about passkeys, not knowing your MS password anymore to log into your microsoft account if using a pin may make that more complicated too!). No idea what happens during install as I can't find screenshot.
matthewfarmery wrote: ↑Wed, 8. Apr 26, 13:17 as you are given a key to remember, and if you forget that key, you're damned. because of the forced online aspect of windows 11 accounts.
So there is another aspect that people not realise. how easy to get yourself locked out of a system you bought and paid for. This is the problem with MS, and their forced aspect of windows 11. and with more updates breaking stuff, then rewriting stuff. So, not an OS you can fully trust.

I would agree that things could and should be clearer; e.g. the importance of this information isn't (from someone else's image of enabling bit locker on a device) as clear for folks not used to tech devices.
If the complaint is that during an update it appears, then that's down to firmware vendors not suspending bit locker first. Back to that "vendors are inconsistent".
https://www.dell.com/support/kbdoc/en-u ... te-the-key
However, all Dell BIOS updates suspend BitLocker before the flash so a BitLocker Recovery event cannot occur as a result of updating the firmware.
If the complaint is against disk encryption overall, then encryption of data at rest is a standard applied across the board. See your phone, see linux recommendations.
https://linuxsecurity.com/features/full ... tion-linux
Or Apple, which I believe is per file rather than whole disk per se.
Full disk encryption is no longer optional in Linux environments. Ubuntu 24.04 LTS, Fedora 41, and Debian 12 now ship with it enabled during installation. Regulators are watching closely: in 2023, HIPAA penalties for lost or stolen data averaged more than $1M per case.
damn them all for locking you out of something you purchased... if you either lost a key you're told to store safely, or didn't understand the fundamental importance of the information you were being presented with. The latter I'd strongly agree with; the former, afraid not. You forget your phone pin, you're stuffed there too. Could they improve it to make it something more memorable or a different method that doesn't have such a "remember this from 2 years ago?"
True, able to support, but not necessarily activate.
I think the W11 requirement is only to have TPM capable processor that allow you to be capable of secure boot
TBH whether you should worry is down more to researching in all honesty. I'd survived until now with it disabled. I'd have likely continued to do so until upgrading the entire system if not for this thread (it is a bit old
-
matthewfarmery
- Posts: 4535
- Joined: Fri, 9. Apr 04, 17:49

Re: Secure boot certificate warning
@Chips, I know that the passkey is on the MS account, but the issue is, it's online. So MS controls the key. UNLESS you do a manual backup of it. And as MS accounts are online. I'm not sure you can access online to get the key? lose that key, you lose the account the windows 11 account is assigned to. Hence lose everything. I did see one YT vid, granted there are a lot of AI tripe on it now. But if you forget the key, then you lose the settings and windows. basically back to square one. Hence, Do a manual HARD backup on a flashdrive, or write it down.
Because if you see that bitlocker screen of death, you're already buggered. (even the video says, people may not backup the key, and think, it's safe, online, until you need it, but can't access it.
=
-
matthewfarmery
- Posts: 4535
- Joined: Fri, 9. Apr 04, 17:49

Re: Secure boot certificate warning
Maybe a slight bit off topic, but now Microsoft has banned 3 of the main developer accounts for encryptions used by VPN's and encryption systems that rival bitlocker. WireGuard, VeraCrypt & Windscribe
Those are the top three encryptions that most VPN's use. The issue is, for any system that doesn't use bit locker as its main encryption will be locked out, full scale boot failure. VeraCrypt users will be worst affected and will no longer boot after July 2026.
Might seem harmless at first, but some of them are open source encryptions. So MS is just trying to shut stuff out. As if MS isn't already in hot water already.
https://www.youtube.com/watch?v=fTui3CQuL9I
=
-
Chips
- Posts: 5323
- Joined: Fri, 19. Mar 04, 19:46

Re: Secure boot certificate warning
Yes, their accounts appear to have been deactivated without warning. It appears they hadn't finished submitting required data with regards to verifying who they are. No idea why, no idea what verification, it sounds like a real ball ache to resolve and especially unnecessarily difficult to get a timely response/escalation over such an important thing.
However, I'm not really interested or concerned.
That's because within about 5s of looking into it, the VP of Microsoft is already in contact with the developer of Veracrypt to help resolve the issue; that's arisen directly from the guy posting online about his experience and people therefore helping shortcut his "how the hell do I talk to a human?" frustrations via using social media to escalate straight up.
Furthermore, it doesn't (from what the guy in the vid says) remotely seem true that people are about to be "locked out" of their computers on X day.
Maybe someone else can explain why that is, as presently, it'd 1) be like reciting a broken record, and 2) posts don't take seconds to write. I'd have spent several hours over the last few days and there are limits. If people don't want to dig further into what they're hearing, then I'm not going to be their proxy to do so. I'm not a "lmgtfy" service.
-
matthewfarmery
- Posts: 4535
- Joined: Fri, 9. Apr 04, 17:49

Re: Secure boot certificate warning
I'm not sure, but maybe like a certificate, goes past that date, then you're locked out. also, remember, Veracrypt has its own bitlocker alternative.
https://www.reddit.com/r/Windows11/comm ... re_secure/
So, it's more of a concern for those that use that alternative, if the dev account is locked, then windows could simply reject it. So, did MS do this out of spite? or is there more going on? plus, of course, if the software does get locked out, it will be a safety hazard in no time.
That is likely why there is a date.
=
