Tag: Microsoft Secure Boot

  • Microsoft Autopatch adds Secure Boot report to block boot loops

    Key Takeaway

    – Microsoft’s new Secure Boot status report uses live hardware telemetry, not just policy checks, to verify readiness.
    – The report sorts managed devices into five statuses: High confidence, Under observation, No data observed, Temporarily paused, and Not supported.
    – Machines marked High confidence automatically receive new UEFI CA 2023 certificates; Temporarily paused devices are blocked due to known firmware conflicts.
    – Admins can monitor device status via a dedicated Certificate status column in the Windows quality updates tab within Intune.
    – Locally, Event IDs 1808 (success) and 1801 (failure/block) in the System Event Log help IT teams identify and fix compatibility issues before the June deadline.


    Microsoft rolled out a Secure Boot status report for Windows Autopatch to keep corporate PCs from crashing ahead of a major firmware deadline. The update deals with expiring Third-Party UEFI Certificate Authority keys. If enterprise machines do not get the new Windows UEFI CA 2023 certificates before the June cutoff, they risk failing to boot or getting stuck in BitLocker recovery loops.

    Live Telemetry Integration

    Rather than just checking if a policy reached a PC, Autopatch now uses live hardware telemetry to verify actual readiness. This gives sysadmins a realistic view of how their machines are handling the firmware migration before Microsoft triggers automated enforcement.

    Status Grouping in Intune

    Found inside the Microsoft Intune admin center, the new report automatically groups managed hardware based on live system data. It sorts endpoints into five distinct statuses: High confidence, Under observation, No data observed, Temporarily paused, and Not supported.

    This sorting allows Autopatch to handle updates without breaking systems. Machines marked High confidence get the new certificates automatically through standard Windows Update paths. If a computer shows up as Temporarily paused, it means there is a known hardware or OEM firmware conflict, telling the system to hold off until a stable BIOS patch drops.

    Dashboard Metrics Access

    Admins can access these metrics under the Windows quality updates tab in Intune, which now features a dedicated Certificate status column. Devices here are labeled as Up to date, Not up to date, or Not applicable. Note that it takes about 12 hours after a reboot for local client diagnostics to update on the cloud dashboard.

    Local Event Log Checks

    To check a specific computer on the ground, techs can jump straight into the local Windows System Event Log. Look for Event ID 1808, which confirms the hardware successfully applied the new 2023 certificates to the firmware. If the deployment fails or is blocked, the machine logs Event ID 1801 instead.

    Tracking these error events early allows IT teams to pinpoint compatibility blocks and apply necessary OEM firmware fixes before the hard June deadline triggers a sudden boot failure across the company.

  • Windows Secure Boot 2026: Microsoft Warns of Expiring Certificates

    Key Takeaways

    1. Microsoft is rolling out a new Secure Boot certificate chain, replacing the original 2011 certificates that will expire starting June 2026.

    2. Firmware readiness is crucial; devices not updated to accept the new certificates may enter a “degraded security state,” losing access to future boot and security updates.

    3. Windows updates after February 13, 2024, will add the new 2023 certificates to the UEFI Secure Boot database, necessary for future updates.

    4. Vendor policies are significant; some devices may require firmware updates from their manufacturers to apply the new certificates correctly.

    5. Windows 10 users face pressure to upgrade, as support will end on October 14, 2025, meaning devices running unsupported Windows versions won’t receive updates, impacting Secure Boot transitions.


    Microsoft has begun the rollout of a new Secure Boot certificate chain that Windows will require as the original 2011 certificates start to expire in June 2026. Notebookcheck recently reported on Microsoft’s warning and the early rollout signals that have appeared in recent cumulative updates. The next steps focus more on the readiness of firmware rather than Windows itself.

    Firmware Readiness is Key

    If your computer’s UEFI firmware isn’t ready to accept and keep the new 2023 certificates, Windows Update might try to make the switch but could leave the device in what Microsoft calls a degraded security state. This means that future security updates related to booting may not apply properly.

    The original Secure Boot trust anchors from Microsoft, which date back to 2011, are set to expire starting on June 24, 2026, with other expirations happening later that year. Dell has provided a clear timeline: the Microsoft Corporation KEK CA 2011 expires first, on June 24, followed by the Microsoft Corporation UEFI CA 2011 on June 27, and the Microsoft Windows Production PCA 2011 on October 19, 2026.

    Important Transition Details

    Various vendors are emphasizing the same critical point: while systems are expected to continue booting, devices that do not upgrade to the 2023 certificate chain may lose the ability to obtain future bootloader and Secure Boot updates. This is where Microsoft’s mention of “degraded security” comes into play.

    The necessary technical support is already included in supported versions of Windows. According to Microsoft’s KB5036210, Windows updates released on or after February 13, 2024, will include the ability to add the Windows UEFI CA 2023 certificate to the UEFI Secure Boot Allowed Signature Database (db). Updating the db will be crucial for receiving future boot loader updates during monthly updates.

    Microsoft has stated that “most personal Windows devices” should receive the new certificates automatically through Microsoft-managed updates. However, it also warns that some devices may need an OEM firmware update to correctly apply the new certificates.

    Vendor Firmware Policies Matter

    This is where the policies of vendors become more important than many home users realize. Dell’s Secure Boot Transition FAQ makes a distinction between the Active Secure Boot database (which the system enforces during boot and is frequently modified by Windows Update) and the Default Secure Boot database (the factory reset state, typically updated via BIOS flashing). Dell also cautions that certain firmware actions, such as toggling “Expert Key Mode,” could erase Active variables that were set by Windows Update if the Default database has not been updated correctly.

    The same Dell document explains a “dual certificate strategy,” indicating that the company began shipping both 2011 and 2023 certificates on new platforms launched in late 2024, and has expanded this strategy across existing platforms by the end of 2025.

    Lenovo similarly advises that the fix for commercial PCs involves a BIOS update to add the 2023 certificates to the default Secure Boot variables, and additional steps may be needed to activate these variables on systems that are not already configured. It also mentions BitLocker recovery as a potential issue, which is why backing up recovery keys before firmware changes is a wise move.

    Other Vendor Actions

    HP has also been collaborating with Microsoft to prepare Secure Boot-enabled products for the new certificates and warns that certificate expiration could hinder systems from receiving Secure Boot and Windows Boot Manager security updates, thus increasing vulnerability to bootkit threats.

    ASUS stands out as one of the few consumer-oriented vendors that has published a detailed step-by-step guide for this transition. This guide includes instructions on how to check if the new 2023 entries are in the firmware and what steps to take if they are missing.

    In its FAQ, ASUS elaborates on how to navigate UEFI Secure Boot key management and verify that the KEK includes “Microsoft Corporation KEK 2K CA 2023” and that the db contains “Windows UEFI CA 2023” along with other 2023 Microsoft entries. It also outlines remediation steps like “Install Default Secure Boot Keys” or “Restore Factory Keys” after a BIOS update, which effectively refreshes the key databases from the firmware’s default store.

    This situation often impacts DIY systems the hardest: Windows can provide updates, but motherboard firmware can still need manual adjustments before the new keys are active and recognized.

    For IT Managed Systems

    For IT-managed fleets, Microsoft’s Secure Boot playbook provides clear indicators to monitor.

    Microsoft states that a successful deployment can be confirmed by checking the Windows System Event Log for Event ID 1808; a failure to apply the updated certificates is logged as Event ID 1801 instead. The playbook also points to the UEFICA2023Status registry value, which should ultimately read “Updated.” Moreover, the UEFICA2023Error value should not be present unless there is an outstanding error.
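    As an added illustration (not code from the article, Microsoft or any OEM), the PowerShell below combines the local checks the two write-ups describe into one read-only readiness report: the 2023 entries in the live db and KEK variables (the check ASUS describes), the UEFICA2023Status and UEFICA2023Error registry values, and the most recent 1808 or 1801 event in the System log. The registry path is an assumption not stated on the page and should be verified against Microsoft’s playbook.

```powershell
# Added example: read-only Secure Boot 2023 CA readiness check for one device.
# Run from an elevated PowerShell session on a UEFI system (Get-SecureBootUEFI
# requires admin rights). Nothing here modifies firmware variables.
# ASSUMPTION: this registry path is not given in the article; confirm it
# against Microsoft's Secure Boot playbook before relying on it.
$ServicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

function Test-SecureBootVarContains {
    param([string]$Name, [string]$Subject)
    # Certificate subject names are stored as ASCII inside the DER blobs in
    # the variable, so a substring match on the raw bytes is sufficient.
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
        return [System.Text.Encoding]::ASCII.GetString($bytes) -like "*$Subject*"
    } catch { return $false }   # legacy BIOS or Secure Boot not available
}

$report = [ordered]@{
    SecureBootEnabled = $false
    DbHas2023CA       = Test-SecureBootVarContains 'db'  'Windows UEFI CA 2023'
    KekHas2023CA      = Test-SecureBootVarContains 'KEK' 'Microsoft Corporation KEK 2K CA 2023'
    RegistryStatus    = $null
    RegistryError     = $null
    LastEvent         = $null
}
try { $report.SecureBootEnabled = Confirm-SecureBootUEFI } catch { }

if (Test-Path $ServicingKey) {
    $props = Get-ItemProperty -Path $ServicingKey
    $report.RegistryStatus = $props.UEFICA2023Status   # should end up as 'Updated'
    $report.RegistryError  = $props.UEFICA2023Error    # absent ($null) when healthy
}

# Most recent 1808 (certificates applied) or 1801 (failed/blocked) System event.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1808, 1801 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
if ($evt) {
    $report.LastEvent = '{0} ID {1}: {2}' -f $evt.TimeCreated, $evt.Id, ($evt.Message -split "`n")[0]
}

# Verdict: ready only when both 2023 entries are live, the status value reads
# Updated and no error value is set. A 1801 event or an error value means an
# OEM firmware update is likely needed before the June deadline.
$report.Ready = $report.DbHas2023CA -and $report.KekHas2023CA -and
                $report.RegistryStatus -eq 'Updated' -and -not $report.RegistryError
[pscustomobject]$report | Format-List
```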

    The playbook also recommends applying OEM firmware updates before Secure Boot-related Windows updates if your organization has identified issues or if your OEM suggests a BIOS update, reinforcing the idea that the Windows aspect is only part of the overall picture.

    Implications for Windows 10 Users

    Lastly, the certificate refresh adds pressure on those still using Windows 10. Microsoft’s own support documentation indicates that support for Windows 10 ended on October 14, 2025, and positions Windows 10 Extended Security Updates (ESU) as the paid route for users wanting to continue receiving security updates post that date.

    Microsoft’s Secure Boot guidance stresses that devices running unsupported versions of Windows will not get Windows updates, which ties the Secure Boot transition directly to remaining on a supported servicing path (or ESU for Windows 10, where applicable).
