Tag

Secure Boot

All articles tagged with #secure boot

Cap Windows 11 RAM with msconfig for testing, plus caveats
technology6 days ago

Cap Windows 11 RAM with msconfig for testing, plus caveats

Windows 11 can be limited to a fixed RAM amount using the legacy System Configuration tool (msconfig). The guide walks through opening msconfig, Boot > Advanced options, enabling Maximum memory, entering a value in megabytes (e.g., 4096, 8192, 16384, or 32768), and rebooting to reduce the OS memory pool. To restore full RAM, clear Maximum memory and reboot. Note that Task Manager may show less usable RAM due to reserved address space, that Secure Boot can block the option on some machines (temporarily disable it if needed), and that this setting is intended for testing or troubleshooting rather than everyday use since it can significantly impact performance.

Windows 11 Secure Boot certificates roll out to most devices in June 2026
technology26 days ago

Windows 11 Secure Boot certificates roll out to most devices in June 2026

Microsoft’s June 2026 Patch Tuesday update KB5094126 delivers Secure Boot 2023 certificates to a broader set of Windows 11/10 devices, replacing expiring 2011 certificates; home users typically don’t need to act as updates are delivered via Windows Update. You can verify status in Windows Security > Device Security > Secure Boot: green means fully updated, yellow indicates you’re waiting on more compatibility data, and red signals a firmware issue that requires an OEM BIOS/UEFI update. Expect several reboots as the certificates are staged into firmware. A new SecureBoot folder in C:\Windows may appear and should be left alone. Older PCs may take longer; devices with Secure Boot disabled cannot be updated. For IT admins, high-confidence devices auto-update (Intune); others can trigger via registry key AvailableUpdates=5944 or an Intune policy. HP devices had BIOS issues causing BitLocker prompts—update HP BIOS first. Note KEK expires June 24, 2026, with the DB key valid until October 2026; see aka.ms/GetSecureBoot for details.

Windows 11 May 2026 preview update boosts performance and sign-in reliability
technology1 month ago

Windows 11 May 2026 preview update boosts performance and sign-in reliability

Microsoft released the May 2026 non-security preview update KB5089573 for Windows 11 25H2 and 24H2, delivering about 30 changes focused on performance and reliability—faster app launches, smoother Start/Search/Action Center experiences, and improved Windows Hello sign‑in behavior. The optional update can be installed via Windows Update or the Microsoft Update Catalog and upgrades affected devices to builds 26200.8524 (25H2) and 26100.8524 (24H2). Highlights include Shared Audio, improved VM CPU speed readings in Task Manager, better HID battery life and standby power hygiene, and updated Secure Boot certificates as part of a broader security refresh. A related server issue was noted for Windows Server 2016 after a different May 2026 security update.

Microsoft rolls out new Secure Boot keys as 2011 certificates near expiry
technology1 month ago

Microsoft rolls out new Secure Boot keys as 2011 certificates near expiry

Microsoft is replacing its 2011 Secure Boot certificates with new UEFI CA 2023 keys via Windows Update as expiry approaches. Most Windows 11 devices manufactured since 2024 are already updated, while older devices can check compatibility in Windows Security and may require OEM firmware updates. Devices that haven’t updated will still function but lack newer boot-time protections against bootkits and firmware threats, and legacy BIOS-only systems cannot receive the update.

Countdown to Secure Boot: What If You Miss the June 2026 Certificate Update on Windows 11
technology1 month ago

Countdown to Secure Boot: What If You Miss the June 2026 Certificate Update on Windows 11

Microsoft explains that the original Secure Boot certificates (2011) expire in June 2026 and will be replaced by 2023 certificates through a phased CFR/LCU rollout. Legacy BIOS devices won’t be updated, and Secure Boot must be enabled; the process may involve several reboots and resealing BitLocker keys. If you ignore the deadline, Windows will boot but security will be degraded because boot-critical updates and DBX revocation lists won’t be applied, potentially blocking future OS upgrades that rely on the 2023 chain. Enterprises should test deployments, monitor Secure Boot status in Windows Security, and plan PXE/boot-manager changes accordingly. Servers require manual intervention, and the 2023 certs are projected to last until 2038 with further shifts toward post-quantum certificates later on.

Legacy Secure Boot certificates set to expire, risking future boot security updates
technology1 month ago

Legacy Secure Boot certificates set to expire, risking future boot security updates

Microsoft’s 2011-era Secure Boot certificates expire in 2026 (June 24 for KEK CA 2011, June 27 for UEFI CA 2011, October 19 for Windows Production PCA 2011). After June 24, devices will still boot but won’t receive new boot-level security updates or patches for boot vulnerabilities unless they’re on updated builds via the 2023 certificate rollout (KB5089549). Some older hardware may require OEM firmware updates to align with the new chain. Check KB5062710 for status and ensure the latest Windows updates are installed; Windows 10 users outside the Extended Security Updates program may have limited remediation paths.”,

technology1 month ago

Windows 11 update blackout traced to January preview, rollback advised

A Windows 11 bug from the January Preview Update has blocked all updates since February for some devices, preventing monthly security patches and Secure Boot certificate updates. Affected systems show update attempts failing with error 0x80010002 due to download timeouts and firewall rules. Microsoft recommends a Known-Issue Rollback (KB5083806 for 26H1 and KB5083631 for 24H2/25H2/Server 2025) to revert the faulty update; IT admins can apply KIR, and home users can try removing the January preview update. With Secure Boot certificates expiring in June, the rollback should be applied promptly to restore updates and security fixes.

Preparing Windows for the June 2026 Secure Boot Certificate Update
technology2 months ago

Preparing Windows for the June 2026 Secure Boot Certificate Update

Secure Boot certificates expire in June 2026. Check if your PC already has updated certificates with a PowerShell check, then install any pending Windows updates and OEM firmware updates. If firmware updates aren’t available, use Microsoft’s registry-based workaround and reboot as directed. Windows 10 users may need Extended Security Updates to receive the update.

Windows 11 April 2026 patch may trigger BitLocker recovery at boot, with fixes available
technology2 months ago

Windows 11 April 2026 patch may trigger BitLocker recovery at boot, with fixes available

Microsoft’s April 2026 Windows 11 security update KB5083769 can cause a BitLocker recovery prompt on first restart for a small subset of devices with a specific TPM/PCR7/Secure Boot configuration. It is not widespread. If you hit it, enter the BitLocker recovery key to boot, then undo the “unrecommended” TPM validation by setting the policy Configure TPM platform validation profile for native UEFI firmware configurations to Not Configured and running gpupdate /force; you can also temporarily disable and re-enable BitLocker on the OS drive to rebind to the default PCR profile. Enterprises can use Known Issue Rollback if needed. Future restarts should proceed normally after the recovery.

Windows 11 Secure Boot 2023 certificates rollout: how to check yours
technology4 months ago

Windows 11 Secure Boot 2023 certificates rollout: how to check yours

Microsoft is rolling out the Windows UEFI CA 2023 Secure Boot certificates to Windows 11 in a phased update (KB5077181). You may see TPM-WMI 1801 logs as the change is staged. To verify, open PowerShell as admin and run: 【System.Text.Encoding】::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'. True means the certificate is present; False means delivery is pending. In Event Viewer, filter System logs for TPM-WMI and look for Event IDs 1808 (certificate applied) and 1034 (Dbx updated). BIOS/firmware updates aren’t required unless your OEM instructs them; these logs are normal staging information during the rollout.

Windows 10 ESU Jan 2026 Update Ditches Old Modem Drivers and Refreshes Secure Boot Certs
technology5 months ago

Windows 10 ESU Jan 2026 Update Ditches Old Modem Drivers and Refreshes Secure Boot Certs

The January 2026 Windows 10 ESU release KB5073724 (Build 19045.6809) arrives for ESU subscribers, removing legacy modem drivers (agrsm64.sys/agrsm.sys and smserl64.sys/smserial.sys) which may affect older modems, while adding new Secure Boot certificates and a WinSqlite3.dll security fix. Most users won’t notice changes, but some legacy modems could stop working after the update. The patch bundles security fixes (roughly 112–114 vulnerabilities, including 3 zero-days, with 57 Elevation of Privilege and other categories) and ESU updates run through October 2026. Downloads are via Settings > Windows Update or the Microsoft Update Catalog for Windows 10 Version 22H2 on x64/ARM-64 with ESU,

Windows 11 January 2026 update fixes NPU battery drain and tightens Secure Boot rollout
technology5 months ago

Windows 11 January 2026 update fixes NPU battery drain and tightens Secure Boot rollout

Microsoft’s January 2026 Patch Tuesday for Windows 11 (KB5074109) is rolling out for 24H2/25H2, fixing a power issue where Neural Processing Units could stay on idle and enabling a phased rollout of new Secure Boot certificates. The update also addresses networking fixes in WSL, Azure Virtual Desktop RemoteApp issues, removes certain modem drivers, and updates WinSqlite3.dll.

Microsoft Patches 114 Flaws in January 2026 Update, One Exploited in the Wild
technology5 months ago

Microsoft Patches 114 Flaws in January 2026 Update, One Exploited in the Wild

Microsoft released its January 2026 security update, fixing 114 vulnerabilities (8 critical; 106 important), including one actively exploited in the wild: CVE-2026-20805 in Desktop Window Manager that could disclose memory details via ALPC. CISA has added this to KEV with a February 3 patch deadline for federal agencies. Other notable fixes include a Secure Boot certificate-expiration bypass (CVE-2026-21265), removal of vulnerable Agere modem drivers tied to older CVEs, and a critical VBS Enclave privilege-escalation (CVE-2026-20876). Edge and other vendor patches accompany the update.

security5 months ago

January Patch Tuesday hits with 113 fixes, including an actively exploited DWM zero-day

Microsoft’s January Patch Tuesday rolls out updates for at least 113 vulnerabilities across Windows and supported software, eight rated critical. The standout is CVE-2026-20805 in Desktop Window Manager, which is already being exploited in the wild and can be chained with other flaws. Office remote-code execution bugs CVE-2026-20952/20953 are fixed, while legacy Agere modem drivers agrsm64.sys/agrsm.sys were removed due to exploit activity linked to CVE-2023-31096. A separate critical CVE-2026-21265 exposes a Secure Boot bypass tied to expired root certificates, requiring careful BIOS/bootloader updates. Firefox/Firefox ESR patched 34 flaws including CVE-2026-0891/0892, and Chrome WebView CVE-2026-0628 was fixed; Edge/Chrome updates are expected. Per-patch guidance from SANS ISC emphasizes timely patching and checking for install issues.