Microsoft is updating the digital certificates powering Windows’ Secure Boot software-verification feature, an ambitious effort to maintain the security of more than one billion devices worldwide.
Secure Boot, which prevents unsigned software from executing at startup, relies on security certificates stored in the device’s firmware. The original certificates, issued in 2011, are expiring in June after more than 15 years of use.
“As cryptographic security evolves, certificates and keys must be periodically refreshed to maintain strong protection,” Nuno Costa, a program manager on Microsoft’s Windows Servicing and Delivery team, wrote in a blog post on Tuesday. “Retiring old certificates and introducing new ones is a standard industry practice that helps prevent aging credentials from becoming a weak point and keeps platforms aligned with modern security expectations.”
The scale of the Windows user base — which spans personal computers, business servers, industrial equipment and Internet of Things devices — makes the update a high-stakes process for Microsoft.
While modern computers will automatically receive the new certificate through a monthly Windows update, any machine running an unsupported version of Windows will not. In addition, some specialized systems, such as Internet of Things devices and equipment used in critical infrastructure environments, may have custom update processes and, thus, require manual intervention.
“For a fraction of devices, a separate firmware update from the device manufacturer may be required before the system can apply the new Secure Boot certificates delivered via Windows Update,” Costa wrote. “To prepare, we recommend that customers check their OEM support pages to ensure they have the latest firmware updates.”
The Windows Security app will soon begin displaying information about the status of a machine’s Secure Boot certificate.
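For administrators who want to see the state of the Secure Boot databases on a machine directly rather than waiting for the Windows Security app, the following PowerShell script is an added example (not Microsoft's code and not part of the original article). It uses the built-in `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets, parses the EFI_SIGNATURE_LIST structures in the KEK and db variables, and prints every X.509 certificate with its validity window, flagging those that expire within twelve months. The one-year threshold and the assumption that the script runs elevated on UEFI firmware are the example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's code): list the X.509 certificates held in the
# UEFI Secure Boot KEK and db variables and flag those nearing expiry.
# Assumes Windows with the built-in SecureBoot module, run elevated on UEFI firmware.
$ErrorActionPreference = 'Stop'

# EFI_CERT_X509_GUID identifies signature lists whose entries are DER certificates.
# Hash-based lists (e.g. SHA-256 entries in db) are skipped.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-EfiSignatureListCertificates {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $offset = 0
    # A Secure Boot variable is a sequence of EFI_SIGNATURE_LIST structures.
    while ($offset + 28 -le $Bytes.Length) {
        # Header: SignatureType GUID (16 bytes), then SignatureListSize,
        # SignatureHeaderSize and SignatureSize (UInt32 each)
        $type     = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Stop on a malformed list rather than reading past the buffer.
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $Bytes.Length) { break }
        if ($type -eq $EfiCertX509Guid) {
            $sigOffset = $offset + 28 + $hdrSize
            $listEnd   = $offset + $listSize
            # Each EFI_SIGNATURE_DATA is a SignatureOwner GUID (16 bytes) followed by
            # the DER-encoded certificate; a size of 16 or less carries no certificate.
            while ($sigSize -gt 16 -and ($sigOffset + $sigSize) -le $listEnd) {
                $der = [byte[]]$Bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $sigOffset += $sigSize
            }
        }
        $offset += $listSize
    }
}

try {
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is supported by this firmware but currently disabled.'
    }
} catch {
    # Confirm-SecureBootUEFI throws on legacy BIOS or unsupported platforms.
    Write-Warning "Secure Boot is not available on this platform: $($_.Exception.Message)"
    return
}

$threshold = (Get-Date).AddMonths(12)   # assumption: flag anything expiring within a year
$report = foreach ($name in 'KEK', 'db') {
    $var = Get-SecureBootUEFI -Name $name
    foreach ($cert in Get-EfiSignatureListCertificates -Bytes $var.Bytes) {
        [pscustomobject]@{
            Database    = $name
            Subject     = $cert.Subject
            NotBefore   = $cert.NotBefore.ToString('yyyy-MM-dd')
            NotAfter    = $cert.NotAfter.ToString('yyyy-MM-dd')
            ExpiresSoon = $cert.NotAfter -lt $threshold
        }
    }
}
$report | Sort-Object Database, NotAfter | Format-Table -AutoSize
```

Run it before and after the monthly update: a machine that has received the refresh shows new KEK and db entries with validity windows extending well past the 2011 certificates' June expiry, while a machine that still only carries the 2011-era entries, or that reports Secure Boot as unavailable, is one to check against the OEM's firmware support page as the article advises.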
Important cybersecurity milestone
Microsoft hailed the Secure Boot update as “a generational refresh” of Windows’s core “trust foundation.”
“By blocking untrusted code at the earliest stage of the boot process,” Costa wrote, “Secure Boot helps defend against sophisticated threats that can be difficult to detect later.”
Microsoft said it appreciated the help of device makers and firmware developers in rolling out the certificate refresh. Costa said the work involved “proactive planning, transparency and providing the visibility, tools and guidance customers need to navigate the transition with confidence.”