secure boot certificate expiration question


Markus Klocker

5:32 AM
to ntsys...@googlegroups.com
Hi,
does anyone know how a VMware VM or even a normal computer behaves
when the 2011 CA stored in the DB expires and no 2023 cert was
installed in the UEFI db?
Does this machine boot or not?

Thank you in advance,
    Markus

Wright, John M

8:06 AM
to ntsys...@googlegroups.com

I assume we're talking about the secure boot CA. From my search:

"If devices fail to receive the new CA entries, they risk losing the ability to accept future DB/DBX/boot manager updates and could drift into a degraded pre-boot security posture over time. Microsoft and OEMs are deliberately staging updates to avoid mass disruption; many modern devices shipped since 2024 already include the 2023 certificates in firmware."

But to answer your question, every source I've found says the machines will still boot.

--

John Wright

IT Support Specialist

1800 Old Bluegrass Avenue, Louisville, KY 40215

502.708.9953

Please submit IT requests to Hazelwoo...@bluegrass.org

24 Hour Helpline 1.800.928.8000

CONFIDENTIALITY NOTICE: This message contains confidential information and is intended only for the individual(s) addressed in the message. If you are not the named addressee, you should not disseminate, distribute, or copy this e-mail. If you are not the intended recipient, you are notified that disclosing, distributing, or copying this e-mail is strictly prohibited.
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Markus Klocker
Sent: Tuesday, May 12, 2026 5:32 AM
To: ntsys...@googlegroups.com
Subject: [ntsysadmin] secure boot certificate expiration question

Wright, John M

8:36 AM
to ntsys...@googlegroups.com

Something a little more authoritative: https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e

"Devices that haven't received the newer 2023 certificates will continue to start and operate normally, and standard Windows updates will continue to install. However, these devices will no longer be able to receive new security protections for the early boot process, including updates to Windows Boot Manager, Secure Boot databases, revocation lists, or mitigations for newly discovered boot level vulnerabilities."


Markus Klocker

9:04 AM
to ntsys...@googlegroups.com
I know that article. Thank you.
Sounds like having a security chip to enter a building which expires next week, but you will still be able to enter the building to get your work done.
That just sounds somehow irritating to me, even if it is written there :).

    Markus

Chris Brewer

9:43 AM
to ntsys...@googlegroups.com
I think your analogy is a little backwards. Secure Boot is the card reader, not the security card itself. If you let it expire, you won't be able to let new employees into the building and you risk being unable to lock out terminated employees. Existing employees can still work.

Thanks,
Chris
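The practical follow-up to this thread is checking which CA generation a given machine (physical or VM guest) actually carries in its Secure Boot variables, since the Microsoft text John quoted only tells you what happens in each case. The reason a device keeps booting is that UEFI signature verification does not enforce certificate validity dates; what the 2011 CAs' expiry removes is the ability to sign new db/dbx/boot-manager updates that old-firmware devices would accept. The script below is an added example for this thread, not code from Microsoft or from any poster: it walks the raw EFI_SIGNATURE_LIST structures returned by Get-SecureBootUEFI, decodes each X.509 entry, and reports presence and expiry of the 2011 and 2023 Microsoft CAs in KEK and db. It assumes an elevated PowerShell on a UEFI Windows system (the cmdlet throws on legacy-BIOS firmware and on VMs without UEFI Secure Boot); the function and variable names are this example's own, and the CA common names are listed as Microsoft publishes them.

```powershell
# Added example for this thread, not code from Microsoft or from any poster.
# Enumerates the X.509 certificates in a UEFI Secure Boot variable (db, KEK, ...)
# and reports which Microsoft CAs are present and when they expire.
# Run from an elevated PowerShell on a UEFI system; Get-SecureBootUEFI throws
# on legacy-BIOS firmware and on VMs without UEFI/Secure Boot support.
# Function and variable names are this example's own.

$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-UefiVariableCertificates {
    param([ValidateSet('db', 'dbx', 'KEK', 'PK')][string]$Variable = 'db')

    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    $offset = 0
    while ($offset -lt $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16) | ListSize(4) | HeaderSize(4) | SignatureSize(4)
        $type     = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }

        # Only X.509 lists carry certificates; dbx is mostly SHA-256 hash lists, which are skipped here.
        if ($type -eq $EfiCertX509Guid) {
            $pos = $offset + 28 + $hdrSize
            $end = $offset + $listSize
            while (($pos + $sigSize) -le $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) | DER-encoded certificate
                [byte[]]$der = $bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Variable
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

# CA common names as Microsoft publishes them; the 2011 entries are the expiring generation.
$watchList = @(
    'Microsoft Corporation KEK CA 2011',      'Microsoft Corporation KEK 2K CA 2023',
    'Microsoft Corporation UEFI CA 2011',     'Microsoft UEFI CA 2023',
    'Microsoft Windows Production PCA 2011',  'Windows UEFI CA 2023'
)

$found = @(Get-UefiVariableCertificates -Variable 'KEK') + @(Get-UefiVariableCertificates -Variable 'db')
foreach ($name in $watchList) {
    $hit = $found | Where-Object { $_.Subject -like "CN=$name,*" } | Select-Object -First 1
    if ($hit) {
        '{0,-40} present in {1,-3} expires {2:yyyy-MM-dd}' -f $name, $hit.Variable, $hit.NotAfter
    } else {
        '{0,-40} MISSING' -f $name
    }
}
```

Inside a VM the variables come from the virtual firmware's NVRAM, so the same check is run in the guest, not on the hypervisor. A machine where only the 2011 lines show as present is exactly the case Markus asked about: it still boots, but Microsoft's quoted text says it will not accept future db/dbx or boot manager updates until the 2023 entries are added. Pipe `Get-UefiVariableCertificates -Variable db` to `Format-Table` to see every certificate, including OEM ones, rather than only the watch list.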
