THE BIG PICTURE: The Secure Boot certificates Microsoft originally issued in 2011 for Windows devices are set to expire next month. The company is currently rolling out new Secure Boot keys to eligible devices and has warned that PCs not updated with the latest firmware could become vulnerable to malware and boot-level threats.
In an Ask Microsoft Anything livestream on YouTube, Microsoft Principal Security Engineer Arden White, Principal Software Architect Scott Shell, and Group Engineering Manager Richard Powell answered a range of questions about Secure Boot, including its importance for Windows devices, how to update to the latest version, and what could happen if users fail to do so.
Secure Boot is a Windows security feature designed to protect PCs by preventing malware from loading during the boot process. It establishes a "chain of trust" by verifying the digital signatures of all boot software, including UEFI firmware drivers, EFI applications, and the operating system itself. This ensures that the device boots only with software and services trusted by the PC manufacturer.
With the older 2011 Secure Boot certificates set to expire next month, Microsoft engineers revealed that the company has begun rolling out the new UEFI CA 2023 certificates to all supported devices via Windows Update. They added that all Windows 11 devices manufactured since 2024 are either shipping with the new certificates or have already received the update.
