Serious Discussion Secure Boot certificate updates

With the latest "O&O ShutUp10" release, you can now determine the secure boot status. 👍

 
With this June update, my Lenovo PC, which I bought in 2021, has finally received and applied the SecureBoot 2023 certificate.
I had previously set the value 0x40 on the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates, which forces Windows to apply the update.
 
The clock is ticking for Windows and Linux users to update cryptographic keys that protect their systems against firmware-based UEFI infections, a pernicious form of malware that loads before operating system and anti-malware protections start.

Beginning June 24, three certificates that cryptographically verify that each piece of firmware and software that loads during system boot will expire. The Microsoft-signed certificates are the linchpins of Secure Boot, a Microsoft-designed chain of trust. Secure Boot checks the digital signatures of all firmware that loads during system startup to ensure it originates from a trusted provider, such as the manufacturer of the motherboard the system runs on.

Secure Boot is designed to thwart UEFI bootkits, a form of malware that alters the Unified Extensible Firmware Interface, the successor to the BIOS, both of which begin the initial boot sequence. Because these bootkits load before the OS and most other code, they can be difficult to detect. Once installed, they typically load malware onto the OS that steals credentials, backdoors the system, or performs other malicious actions. Even when the OS is disinfected, the bootkit can reinfect the system. Bootkits survive OS reinstallations as well.
Read more:
This is worth paying attention to, but the practical takeaway for most people is simple: keep your OS and firmware fully updated and avoid “manual key” changes unless your device/vendor specifically instructs it.

What’s happening (in plain terms)

Secure Boot relies on trusted signing certificates/keys stored in UEFI (the “chain of trust”) to decide what boot components are allowed to run.

If key/certificate material used in that chain expires or is rotated, systems may need updated Secure Boot databases/keys (often delivered via OS updates and/or BIOS/UEFI updates) so that normal, signed bootloaders continue to validate correctly.

This matters because UEFI bootkits/boot-level implants try to run before the OS and security tools, and Secure Boot is one of the main defenses designed to block unauthorized boot components.

What you should do now (low-risk, practical steps)
  • Install all Windows Updates (including “optional”/cumulative updates when they relate to security/boot) and reboot as required.
  • If you use Linux, update your distro normally (kernel + bootloader/shim/grub packages). Use only your distribution’s official repositories.
  • Update your motherboard/system firmware (BIOS/UEFI) from the OEM when they publish Secure Boot/db/dbx/key-rotation related updates.
  • Before any firmware update, make sure you have:
    • A full backup (or at least a current system image)
    • Your BitLocker recovery key saved somewhere safe (Windows systems commonly prompt for it after firmware/Secure Boot changes)

What to avoid
  • Don’t follow random guides to “delete/reinstall Secure Boot keys” or “switch to Setup Mode” unless your OEM/distro explicitly instructs it for your exact model. Incorrect key changes can cause boot failures that are painful to recover from.
  • Don’t assume you’re infected just because keys are expiring/rotating; this is primarily a maintenance/update issue unless you have additional compromise indicators.

How to verify basics (optional)
  • Windows: run “System Information” (msinfo32) and check that “Secure Boot State” is On. (This doesn’t confirm key rollover status, but it verifies Secure Boot is active.)
  • Linux: you can usually check Secure Boot status with mokutil (varies by distro packaging).

Key takeaway

Stay current on OS updates and OEM firmware updates, and you’ll be aligned with how Microsoft/OEMs/distro maintainers expect Secure Boot certificate/key transitions to be handled.

Sources
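As an added example that is not part of either post above, here is a read-only PowerShell check that ties together what the two posts describe: whether Secure Boot is enforced (the same fact msinfo32 shows), whether the Secure Boot db already carries the 2023 CA in addition to the 2011 one, and whether the 0x40 bit the first post mentions is set in the AvailableUpdates value. The function name Get-SecureBootReport is my own; Confirm-SecureBootUEFI and Get-SecureBootUEFI are the built-in cmdlets of Windows' SecureBoot module, and the certificate subject strings are the well-known names of the Microsoft db certificates. The script only reads state; it does not modify the registry or any UEFI variable.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): read-only Secure Boot status report for Windows.
# Needs an elevated session; the SecureBoot cmdlets throw on legacy-BIOS machines,
# which the try/catch blocks below treat as "Secure Boot not available".

function Get-SecureBootReport {
    $report = [ordered]@{}

    # 1. Is Secure Boot enforced at all? Equivalent to msinfo32's "Secure Boot State".
    try {
        $report.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $report.SecureBootEnabled = $false   # legacy BIOS or unsupported platform
    }

    # 2. Which Microsoft CAs are in the allowed-signers database (db)?
    #    Certificate subject names are stored as plain ASCII inside the EFI_SIGNATURE_LIST
    #    blob, so a substring match on the raw bytes is enough for a quick check.
    try {
        $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $report.Has2011CA = [bool]($dbText -match 'Microsoft Windows Production PCA 2011')
        $report.Has2023CA = [bool]($dbText -match 'Windows UEFI CA 2023')
    } catch {
        $report.Has2011CA = $null
        $report.Has2023CA = $null
    }

    # 3. What has Windows been asked to apply? Bit 0x40 is the value the first post set.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $avail = (Get-ItemProperty -Path $regPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    if ($null -ne $avail) {
        $report.AvailableUpdates    = '0x{0:X}' -f $avail
        $report.Update0x40Requested = (($avail -band 0x40) -ne 0)
    } else {
        $report.AvailableUpdates    = 'not set'
        $report.Update0x40Requested = $false
    }

    [pscustomobject]$report
}

# Usage: run from an elevated PowerShell prompt.
Get-SecureBootReport | Format-List
```

A machine that has received the rollover will show Has2023CA = True alongside Has2011CA = True (the old CA is not removed by the update). If Has2023CA is False after the June updates have installed, that is the point to look for an OEM firmware update rather than editing Secure Boot keys by hand, as the second post advises.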