discussion the new (latest anyhow) Windows PC apocalypse is nigh!!!

[Marzipan]

on June 2026 the Secure Boot certificates Microsoft issued in 2011 will expire. most Windows 11 systems will be fine, but if your PC is running Windows 10, there are a whole bunch of concerns to address.
1) if your system is 2017 or newer, you may get an update but need to check your PC vendor or motherboard maker to see if they issued one.
2) if they did issue one, the update won't work unless your Win 10 PC is enrolled in the Extended Security Update program.
3) If your PC is from 2016 and older, you're probably SoL,...but disabling Secure Boot in the BIOS should work, but opens a whole different can of worms regarding PC security.

Secure Boot Certificate Refresh: Windows 11 2023 CA Rollout Ahead of 2026 Expirations

Microsoft has quietly begun a platform-level refresh of the cryptographic anchors that protect Windows’ pre‑boot environment, delivering new Secure Boot certificates through Windows Update and coordinated OEM firmware work to head off a calendar‑driven failure when Microsoft’s original UEFI...

windowsforum.com

Secure Boot Certificate Refresh: Windows 11 2023 CA Rollout Ahead of 2026 Expirations

Microsoft has quietly begun a platform-level refresh of the cryptographic anchors that protect Windows’ pre‑boot environment, delivering new Secure Boot certificates through Windows Update and coordinated OEM firmware work to head off a calendar‑driven failure when Microsoft’s original UEFI...

windowsforum.com

 

[moocow]

Hmm so if you don't get a BIOS update for your board, you are screwed if I'm reading it right?

 

[JD]

I think PCs have become much like a phone, you get about 5 years of updates, and then you should be considering a replacement if you want to maintain security features.

Doesn't sound like this "kills" your PC by any means though, it'll still boot, just basically without secure boot.

 

[Shadowarez]

Linux doesn't need this other OS let's you boot up CachyOS and it works like a dream this is the final nail to drive ppl into Linux waiting Arms.

 

[anabioz]

Linux doesn't need this other OS let's you boot up CachyOS and it works like a dream this is the final nail to drive ppl into Linux waiting Arms.

Are you using secureboot in linux?

$ sudo mokutil --sb-state

 

[gingerbee]

So they seem to be rolling out since April, now I am trying to make sure I can update it manually. I dont use secure boot on most of PC but my one PC that I use my vpn and VR pc stuff IE trying out different OS and apps, so I would like to have that extra level but not really sure I need it. I would also just like to know how to do this if nee me.

Just wondering if anyone has tried this method.

Method 2: Force Update via PowerShell
If the update does not apply automatically, you can force it: [1, 2, 3]

1. Search for PowerShell in the Start Menu, right-click it, and select Run as Administrator.
2. Run this command to tell Windows an update is available:
   reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0X5944 /f
3. Run the following command to trigger the update:
   Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
4. Restart your computer.
5. After rebooting, open PowerShell as admin again and run the Start-ScheduledTask command one more time to ensure it is applied

Seems to make sense, and will give it a shot soon, lol.

 

[gingerbee]

OK, while I was looking into this, my Windows 11 PC got the update from MS. If I confirm the certificates are updated through PowerShell, it says true IE they are updated, but when I check though device security I get the green check mark but still says using old certificates.

I am thinking this may just be a cache error, time will tell lol.

I do wonder, how many people who don't use a pc for work are actually making sure the secure boot feature is updated ???