Microsoft's Original Windows Secure Boot Certificate Is Expiring

Why This Matters

The expiration of Microsoft's original Windows Secure Boot certificates highlights the importance of maintaining up-to-date security measures to prevent vulnerabilities. Ensuring that all Windows PCs have the latest certificates is crucial for safeguarding systems against boot-level malware and maintaining system integrity, especially in enterprise environments. This development underscores the ongoing need for proactive security updates in the tech industry to protect consumers and organizations alike.

Key Takeaways

The original Unified Extensible Firmware Interface (UEFI) Secure Boot certificates for Windows will start expiring in late June. Microsoft urged IT and security leaders to apply updated certificates to all Windows PCs made before 2024 to ensure they continue receiving security updates.

Microsoft added Secure Boot to Windows nearly 15 years ago as a feature of the Unified Extensible Firmware Interface (UEFI), the software that starts a PC before Windows launches. Secure Boot checks that only properly signed and approved firmware, such as operating system loaders, device drivers, and boot servers, is loaded at startup. Because it acts as the hardware-based root of trust for the computer, Microsoft refers to it as the Windows operating system's "foundational trust anchor."

To guard against UEFI bootkits, a class of highly privileged malware that includes BlackLotus, FinSpy and MoonBounce, Secure Boot runs before the operating system bootloader, so malicious code can be blocked before the operating system ever starts.

"It verifies the cryptographic signatures of boot components against a database of authorized keys, blocking unauthorized or tampered software to protect system integrity from the earliest stages of boot," wrote Richard Hicks, president of Richard M. Hicks Consulting, based in Rancho Santa Margarita, Calif.

Additionally, all PCs designed for Windows 10 and Windows 11 include Secure Boot support. These devices originally shipped with the 2011 Microsoft Secure Boot certificates, while newer ones manufactured in the last two years have the updated 2023 certificates. Older systems configured for automatic patching — typically those that are personally owned or used by small businesses — are most likely using the updated 2023 certificates.

In enterprise environments, however, Windows updates are usually not automated. Instead, they are applied in stages to maintain system and application stability. While the 2023 Secure Boot update does not introduce major feature changes, Microsoft says the new certificates strengthen the root of trust and allocate tasks more efficiently.

The new certificates also rely on updated cryptographic tooling for signing software and have a longer validity period, which Microsoft says provides improved certificate authority (CA) segmentation. This was designed to let Microsoft and PC manufacturers continue securely updating and monitoring the boot process.
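As an added example, not code from the article or from Microsoft, the following PowerShell reports which Microsoft Secure Boot CAs a device's UEFI db and KEK variables currently contain, which is the practical way to tell a 2011-only device from one that has received the 2023 certificates. The CA subject names used here are the ones Microsoft assigns to its 2011 and 2023 certificates and are an assumption of this example, since the article only refers to them by year.

```powershell
# Added example (not from the article): report which Microsoft Secure Boot
# CAs are present in this machine's UEFI db and KEK variables. Run from an
# elevated PowerShell prompt on a UEFI system; Get-SecureBootUEFI fails on
# legacy BIOS machines.
# The subject strings below are the names Microsoft uses for its 2011 and
# 2023 CAs (assumed here; the article refers to them only as the "2011" and
# "2023" certificates).

function Get-SecureBootCAReport {
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is disabled; db/KEK contents are not being enforced.'
    }

    # Subject strings to look for in each variable.
    $expected = @{
        db  = @('Microsoft Windows Production PCA 2011',
                'Microsoft Corporation UEFI CA 2011',
                'Windows UEFI CA 2023',
                'Microsoft UEFI CA 2023')
        KEK = @('Microsoft Corporation KEK CA 2011',
                'Microsoft Corporation KEK 2K CA 2023')
    }

    foreach ($var in $expected.Keys) {
        # Each variable is a packed blob of EFI_SIGNATURE_LISTs; the DER
        # certificates inside carry their subject names as plain ASCII, so a
        # substring search is enough to detect whether a CA is present.
        $bytes = (Get-SecureBootUEFI -Name $var).Bytes
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        foreach ($name in $expected[$var]) {
            [pscustomobject]@{
                Variable = $var
                CA       = $name
                Present  = $text.Contains($name)
            }
        }
    }
}

$report = Get-SecureBootCAReport
$report | Format-Table -AutoSize

# A device still relying only on the 2011 CAs shows Present = False for every
# 2023 entry; that is the population the article says needs the update.
if (-not ($report | Where-Object { $_.CA -like '*2023*' -and $_.Present })) {
    Write-Warning 'No 2023 Secure Boot CA found in db or KEK; this device has not received the certificate update.'
}
```

The report only shows which CAs the firmware trusts; whether the boot manager on disk is signed by the 2023 CA is a separate check that this example does not cover.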

Nuno Costa, a program manager on Microsoft's Windows service delivery team, recently described the Secure Boot refresh as one of the largest coordinated security maintenance efforts across the Windows ecosystem. "The Secure Boot certificate update marks a generational refresh of the trust foundation that modern PCs rely on at startup," Costa wrote in a blog post.
