
Secure Boot Certificate Expiry Matters More Than You Think

After close to 15 years in service, the original Secure Boot certificates are approaching the end of their planned lifecycle.
If your Windows PC or laptop was built after 2012, chances are it has Secure Boot enabled. But what is it? Secure Boot is a firmware-level protection that lets the computer start only with boot software carrying a trusted digital signature, which helps prevent malware or tampering during start-up (the so-called bootkit). That trust is anchored in a small set of Microsoft certificates issued in 2011, and the first of them expire in June 2026.

"What Happens When The Certificate Expires"
Devices without the updated certificates will still start: firmware does not refuse to run boot software just because its signing certificate has passed its expiry date. What they lose is the ability to receive new Secure Boot protections. Microsoft will sign future boot managers and revocation (DBX) updates with the 2023 certificates, so a device whose firmware database still holds only the 2011 certificates cannot apply them. Over time, newer versions of operating systems, firmware, hardware, or software that rely on Secure Boot may fail to load on such a device.

"So How Do I Update?"
In most cases, supported versions of Windows will receive the new certificates through the monthly update process, e.g. via the much loved Patch Tuesday events. But the update has to write new entries into the firmware's Secure Boot key databases (the KEK and db), and that is exactly the kind of change Secure Boot, and by extension BitLocker, is there to notice. BitLocker seals its encryption key to the TPM's measurements of the boot configuration, which on most devices include the Secure Boot policy and certificates (PCR 7). When those measurements change, the TPM can decline to release the key, and BitLocker falls back to asking for the recovery password.

So be sure to have those recovery keys to hand in the next few months.


"Wait! Hang On! Recovery Key? BitLocker?"
BitLocker is Windows' built-in disk encryption. It locks the data on a device so that it can only be read once the drive has been unlocked, which on a healthy machine happens automatically at boot because the TPM releases the key. For example, if a laptop is lost or stolen, the information on it stays protected because the drive is encrypted and unreadable to anyone else. The drive can't just be transplanted into another machine: away from its own TPM and boot configuration it can only be 'unlocked' with its unique 48-digit recovery key.

"That's Okay. I Don't Use BitLocker."
Ah... If your PC or laptop was purchased over the last decade from one of the large manufacturers (Dell, HP or Lenovo) and you've signed in with a Microsoft or work (Entra ID) account, chances are Windows has switched on device encryption (BitLocker) in the background, without informing you, and has uploaded the recovery key to that account. Smaller businesses without internal IT support staff or an outsourced IT management resource are more likely to be 'surprised' by this security feature, as they don't tend to have an automated deployment of BitLocker, or a method of collecting and storing the recovery keys.
I'll follow this up with a separate post going into more detail on BitLocker.

"So What Do I Do?"
Both checks below need an elevated (Run as administrator) PowerShell prompt.

To see if BitLocker is enabled, and which protectors (TPM, recovery password) each volume has:
manage-bde -status

To confirm the new certificate is present in the firmware's signature database (prints True when the Windows UEFI CA 2023 is in db, False when the device still only holds the 2011 certificates):
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
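The two one-liners above answer one question each. The script below is an added audit example, not part of the original post, that pulls the checks together into a single report per device: whether Secure Boot is on, which of the 2011 and 2023 Microsoft certificates are in the firmware's db and KEK, Windows' own rollout status (the UEFICA2023Status value that Microsoft's Secure Boot servicing guidance describes; treated as "not reported" if absent), and whether the OS volume is BitLocker-protected with a recovery password protector available. The certificate names matched are the real subject names of Microsoft's CAs; everything else is standard Windows 10/11 PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added audit example (not from the original post). Assumes a UEFI Windows 10/11
# device with the built-in SecureBoot and BitLocker PowerShell modules.

$report = [ordered]@{ ComputerName = $env:COMPUTERNAME }

# 1. Is Secure Boot actually on? Confirm-SecureBootUEFI throws on legacy BIOS / CSM boot.
try {
    $report.SecureBootEnabled = Confirm-SecureBootUEFI
} catch {
    $report.SecureBootEnabled = $false   # no UEFI Secure Boot support at all
}

if ($report.SecureBootEnabled) {
    # 2. Which Microsoft CAs are present? db holds the signing CAs, KEK the key that
    #    is allowed to update db/dbx. The subject names are ASCII inside the DER blobs,
    #    so a substring match is sufficient for an audit.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI kek).bytes)

    $report.Db_ProductionPCA2011 = $db  -match 'Microsoft Windows Production PCA 2011'
    $report.Db_WindowsUEFICA2023 = $db  -match 'Windows UEFI CA 2023'
    $report.Db_UEFICA2023        = $db  -match 'Microsoft UEFI CA 2023'   # third-party/Linux CA
    $report.Kek_KEK2KCA2023      = $kek -match 'Microsoft Corporation KEK 2K CA 2023'

    # 3. Windows' own view of the certificate rollout (NotStarted / InProgress / Updated).
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = (Get-ItemProperty -Path $svc -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status
    $report.UEFICA2023Status = if ($status) { $status } else { 'not reported' }
}

# 4. BitLocker on the OS volume: protection state, encryption state, and whether a
#    recovery password protector exists (without one, a PCR 7 change means a locked-out disk).
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report.BitLockerProtection   = $os.ProtectionStatus   # On / Off
$report.BitLockerVolumeStatus = $os.VolumeStatus       # FullyEncrypted, FullyDecrypted, EncryptionInProgress ...
$recovery = @($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
$report.RecoveryProtectorCount = $recovery.Count
# Protector IDs let you match the device against an escrowed key; the 48-digit
# password itself is deliberately not printed by an audit script.
$report.RecoveryProtectorIds = ($recovery.KeyProtectorId -join ', ')

# Devices that need attention before the June 2026 deadline:
#   SecureBootEnabled = True and Db_WindowsUEFICA2023 = False  -> update not yet applied
#   BitLockerProtection = On and RecoveryProtectorCount = 0     -> no recovery path, fix first
[pscustomobject]$report | Format-List
```

Run it once per device (or wrap it in Invoke-Command for a fleet) and keep the output. A device reporting BitLockerProtection On with no recovery password protector should have one added and backed up before any Secure Boot update reaches it: `manage-bde -protectors -add C: -RecoveryPassword` creates one, `manage-bde -protectors -get C:` shows it, and on Entra-joined devices `BackupToAAD-BitLockerKeyProtector -MountPoint C: -KeyProtectorId <id>` escrows it to the tenant.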

If you need more information, or assistance auditing devices, get in touch.