boot process

Winsage
March 7, 2026
Every Secure Boot-enabled Windows PC relies on cryptographic certificates issued by Microsoft in 2011, embedded in the motherboard's firmware, to ensure a secure boot process. The first of these certificates will expire on June 24, 2026, which will affect the ability to receive future security updates for critical components of the Windows startup process. Microsoft is rolling out replacement certificates through Windows Update, marking a significant security maintenance effort. Secure Boot operates as a chain of trust with certificates stored in the motherboard's UEFI firmware, validating software before the operating system loads. The Platform Key (PK) is at the top of this chain, followed by the Key Exchange Key (KEK) and the Signature Database (DB). The replacement certificates introduced in 2023 restructure certificate management, separating responsibilities among different certificate authorities to enhance the trust model. Not all PCs are affected by the upcoming expiration; newer devices manufactured since 2024 already have the new certificates. Windows 10 users face challenges as support for this version ends in October 2025, and they will not receive the new certificates unless enrolled in Extended Security Updates. Home users should ensure their PCs are set to receive updates automatically, while enterprise environments require coordination for firmware updates before the Windows certificate update.
Winsage
March 6, 2026
Every Secure Boot-enabled Windows PC relies on cryptographic certificates issued by Microsoft in 2011 for boot process integrity. The first of these certificates will expire on June 24, 2026, impacting the ability to receive future security updates. Microsoft is rolling out replacement certificates through Windows Update, requiring collaboration between Microsoft, PC manufacturers, and users. Three critical certificates will expire: the Microsoft Corporation KEK CA 2011 and Microsoft UEFI CA 2011 in June 2026, and the Microsoft Windows Production PCA 2011 in October 2026. The new certificates introduced in 2023 are functionally restructured to enhance security. Not all PCs are affected; newer devices manufactured since 2024 come with the new certificates. Windows 10 users face challenges as support ends in October 2025, and unsupported devices will not receive updates. Home users should ensure automatic Windows updates and check for firmware updates, while enterprise environments must verify firmware updates before applying certificate updates. The first certificate expiration is on June 27, 2026.
Winsage
March 6, 2026
Microsoft addressed an issue in the Windows Recovery Environment (WinRE) that arose after the final update for Windows 10 on October 14, 2025, which disrupted WinRE functionality on some devices. The same update also caused accessibility issues for USB devices in Windows 11's recovery environment. Microsoft released an out-of-band patch, but some Windows 10 users continued to experience WinRE problems. The fix, KB5068164, targets Windows 10 versions 21H2 and 22H2 and aims to resolve the issue preventing WinRE from starting after the October 14 update. Concerns about Microsoft's quality control have been raised due to the timing of the failure and the delay in providing a solution. Users of Windows 10 can rely on Microsoft's Extended Security Updates program, although the situation has caused doubts about the reliability of Microsoft's updates.
Winsage
February 19, 2026
Microsoft has announced an update, identified as KB5075912, regarding Secure Boot certificates to enhance device security for Windows users. Key points include the introduction of new certificates to prevent unauthorized software during startup, improved compatibility with various hardware configurations, and a commitment to provide regular updates to these certificates.
Winsage
February 17, 2026
Microsoft's Patch Tuesday update, KB5077181, released on February 10, 2026, has caused significant boot failures for users of Windows 11 versions 24H2 (OS build 26200.7840) and 25H2 (OS build 26100.7840), resulting in endless restart loops. Users are reporting over 15 reboot cycles, preventing access to their desktops. Issues include System Event Notification Service (SENS) errors and DHCP problems affecting internet connectivity. Installation errors with codes 0x800f0983 and 0x800f0991 indicate potential hardware, driver, or servicing stack incompatibilities. The update was intended to address 58 vulnerabilities, including six zero-days, but the boot loop issue has overshadowed these enhancements. CVE IDs and their CVSS scores related to the vulnerabilities addressed include:
- CVE-2026-21510: 7.5
- CVE-2026-21519: 7.8
- CVE-2026-21533: 8.8
- CVE-2026-20841: 7.1
As of February 15, 2026, there is no "known issues" entry in Microsoft's release notes despite user reports. Users can uninstall the update through the Control Panel if their systems are accessible, or use the Windows Recovery Environment to execute commands for uninstallation if their systems are unbootable.
Winsage
February 15, 2026
Microsoft will begin rolling out new Secure Boot certificates through Windows Update starting in March 2026, coinciding with the expiration of original certificates from 2011, which will phase out in June 2026. The new certificates include Microsoft Corporation KEK 2K CA 2023, Microsoft UEFI CA 2023, Microsoft Option ROM UEFI CA 2023, and Windows UEFI CA 2023. Not all Windows users will receive the update simultaneously; eligibility will focus on high-confidence devices with strong update histories. Newer PCs sold from 2024 will already have the 2023 Secure Boot certificates, while some devices may require additional firmware updates from their OEMs. PCs that do not receive the new certificates will still boot but will operate with diminished security, increasing vulnerability to exploits and compatibility issues with anti-cheat software and future Windows versions. Users on unsupported Windows versions will not receive the new certificates, leading to heightened security risks after June 2026.
Winsage
February 13, 2026
The foundational security certificates supporting Windows Secure Boot, introduced in 2011, will expire in mid-2026, specifically in June and October. Microsoft and PC manufacturers are updating the Windows ecosystem to address this. Devices that do not receive updated certificates may face security limitations and compatibility issues with newer operating systems and hardware. The transition is described as a "generational refresh" of the trust infrastructure for Windows. Systems failing to update will still function but may enter a "degraded security state," unable to install new security mitigations or newer operating systems. Most users will receive updates automatically through Windows Update, while older systems may require manual intervention. Systems at risk include those running unsupported Windows versions, with Secure Boot disabled, or not enrolled in Extended Security Updates. Users should check their Secure Boot status using PowerShell commands to ensure they are using the new certificates. The update affects not only Windows PCs but also other devices utilizing UEFI Secure Boot.
Winsage
February 11, 2026
Secure Boot is a security feature in Windows and Windows Server that protects devices from untrusted software at startup. It has been in operation since 2011 and relies on certificates embedded in a PC’s firmware. The original Secure Boot certificates will begin to expire in late June 2026. New certificates are being rolled out through regular Windows updates for supported devices, with OEMs preparing new devices with updated certificates since 2024. If devices do not receive the new certificates before the expiration of the old ones, they will continue to function but will enter a degraded security state, limiting future protections. Users generally do not need to take action, as updates will be installed automatically, but some specialized systems may require separate firmware updates. Organizations can monitor the update status through the Windows Security App and should ensure devices are running the latest updates and firmware. Support is available for individuals and organizations facing issues during the update process.
Winsage
February 10, 2026
Microsoft is enhancing the security of Windows devices by replacing boot-level security certificates that are nearing expiration, with this initiative integrated into regular Windows platform updates. The original Secure Boot certificates from 2011 will expire between June and October 2026, prompting Microsoft to issue new certificates in 2023, which are included in many new Windows devices sold since 2024. Older hardware will require updates to remain compliant. Devices with expired certificates will continue to operate but will enter a "degraded security state," potentially hindering future updates and causing compatibility issues. The new Secure Boot certificates rollout began with the Windows 11 KB5074109 update. Most Windows 11 users will have the new certificates installed automatically, while specialized systems may have different update protocols. Windows 10 users must enroll in Microsoft’s Extended Security Updates to receive the new certificates.