Secure Boot

Winsage
July 14, 2026
Microsoft released its July 2026 Patch Tuesday cumulative updates for Windows 11, addressing numerous security vulnerabilities and enhancing Secure Boot functionalities. The updates include: - KB5101650 for Windows 11 25H2 and 24H2, updating systems to builds 26200.8875 and 26100.8875. - KB5101649 for Windows 11 26H1, updating devices to build 28000.2525. The release addresses a total of 622 Microsoft Common Vulnerabilities and Exposures (CVEs), including: - 416 vulnerabilities in Windows. - Fixes for Microsoft Office, Edge, Exchange Server, SharePoint Server, SQL Server, Defender, and Azure services. Key vulnerabilities fixed include: - CVE-2026-50661: A BitLocker Security Feature Bypass vulnerability. - CVE-2026-56155: An AD FS Elevation of Privilege vulnerability that has been exploited. - CVE-2026-56164: A SharePoint Server Elevation of Privilege vulnerability. The updates also introduce new Secure Boot certificates, rectify issues from previous patches affecting third-party applications, and incorporate curl 8.21.0 for security improvements. Users are advised to back up data before installation, which requires a system reboot.
Winsage
July 14, 2026
Microsoft has acknowledged that several older Secure Boot certificates have expired, necessitating updates for Windows 10 and 11 users. A temporary halt in the issuance of new Secure Boot certificates affects specific PCs, particularly various HP models. Most PCs will receive updates automatically through Windows Update, but some may require a firmware update from the manufacturer. Users may see messages indicating that Secure Boot certificate updates are paused or blocked due to known issues or hardware/firmware limitations. Until manufacturers like HP release necessary firmware updates, users cannot update their Secure Boot certificates. Although the immediate risk from expired certificates is low, it is expected to increase over time. Devices with un-updated Secure Boot certificates will continue to function normally, but they will not receive new security updates, making them vulnerable to emerging threats. Essential features that rely on updated security measures may cease to function correctly as new security challenges arise.
Winsage
July 13, 2026
Microsoft has blocked Secure Boot updates on certain Windows 11 devices due to complications in transitioning from the 2011 Secure Boot certificate to the 2023 certificate. The rollout of the 2023 certificate has faced challenges, particularly on devices with firmware issues. HP is issuing a BIOS update to help with the installation of the latest Secure Boot certificate, and Microsoft is providing an update for users to verify their Secure Boot status. Users are advised to check for pending Windows updates and consult their OEM’s Secure Boot support page for compatibility information.
Winsage
July 10, 2026
Microsoft has acknowledged that some Windows 11 PCs are facing issues with Secure Boot certificate updates, which may fail to install or be blocked. The company is working with PC manufacturers to develop a patch, while users may need to take proactive measures if their certificates are obstructed. Microsoft has temporarily halted the rollout of Secure Boot for certain devices due to complications, and affected users will receive detailed error messages in the Windows Security app regarding their Secure Boot certificates. Secure Boot certificates issued in 2011 have expired, and Microsoft is replacing them with new certificates issued in 2023. Most modern hardware is already utilizing the new certificates, but some devices may have disabled Secure Boot or faulty firmware. Users can check their Secure Boot status in the Windows Security app. HP has confirmed that Secure Boot updates are being blocked on some of its PCs due to a BitLocker issue, which prevents the installation of new certificates. Microsoft has paused Secure Boot certificate updates for devices affected by known issues while collaborating with manufacturers to identify specific devices or firmware complications. A firmware update will be necessary for affected devices, but it is not yet available. The majority of PCs have received the Secure Boot certificates via Windows Update, but compatibility issues may prevent some devices from receiving the update. Older devices or those not among the OEM’s top-selling models may not receive updates if the UEFI firmware is unsupported. Secure Boot is a security feature required for Windows 11, preventing unauthorized software from executing at boot. While an expired Secure Boot certificate does not stop a PC from functioning, it may limit long-term security protection. Microsoft advises users not to disable Secure Boot, as it would compromise security further.
Winsage
July 4, 2026
Windows 11 allows users to limit RAM usage through the System Configuration tool (msconfig) for testing and troubleshooting purposes. Users can specify the maximum memory in megabytes, but there is no simple option to set a fixed amount like "4GB of RAM." Limiting RAM can degrade performance and may cause applications to become sluggish. To limit RAM, users must navigate to the Boot tab in msconfig, check the Maximum memory option, and enter the desired amount. To restore full RAM access, users need to uncheck the Maximum memory option in the same tool. On some modern systems with UEFI firmware and Secure Boot enabled, the Maximum memory setting may not be accessible, and disabling Secure Boot may be necessary to apply the limit. Disabling Secure Boot can reduce security against boot-level malware.
Winsage
June 29, 2026
Major PC manufacturers, including HP, Dell, ASUS, Lenovo, MSI, Acer, Samsung, LG, and Microsoft’s Surface division, have provided guidance on transitioning to new Secure Boot certificates as the expiration of Microsoft’s 2011 certificates approaches. The expiration will occur in three phases: Microsoft Corporation KEK CA 2011 expired on June 24, 2026; Microsoft UEFI CA 2011 expired on June 27, 2026; and Microsoft Windows Production PCA 2011 is set to expire on October 19, 2026. Microsoft has begun rolling out replacement certificates through Windows Update, contingent on OEMs providing compatible BIOS updates. ASUS offers detailed documentation for both consumer and commercial devices, confirming that most users will receive updates automatically. Lenovo provides direct download links for BIOS updates organized by product family and specifies which products will not receive updates. Dell's support article covers its entire product lineup, noting that devices with an End of Service Life before January 1, 2026, will not receive updates. HP outlines a dual-track approach for updates, with specific timelines for commercial PCs. Microsoft's Surface devices receive updates directly from Microsoft, while MSI categorizes guidance based on processor generation for its laptops. Acer emphasizes backing up the BitLocker recovery key and provides a model table for confirmed BIOS release dates. Samsung confirms that all PCs running Windows 10 or 11 will function normally post-expiration, but security updates will cease. LG has released a guide for checking BIOS updates for its PCs. To verify if a PC has the 2023 certificates, users can check the Secure Boot section in Windows Security. A green checkmark indicates successful application, while yellow or red icons indicate pending updates or incompatibility. Microsoft has pushed the certificates to all eligible devices as of June 2026.
Winsage
June 26, 2026
Microsoft has extended its free consumer Windows 10 Extended Security Updates (ESU) program by an additional year, with the new deadline for critical security patches set for October 14, 2027. The ESU program was originally scheduled to end on October 12, 2026. Devices already enrolled in the program will automatically transition to the new date. Approximately 400 million active PCs are unable to upgrade to Windows 11 due to hardware limitations. IDC forecasts a 10% to 20% rise in prices for PCs, tablets, and smartphones through the end of 2026. Third-party solutions, such as unofficial Windows 10 micropatches from security firm 0patch, will be available through 2030.
AppWizard
June 25, 2026
Riot Games has introduced a new feature for its Vanguard anti-cheat system called Vanguard On-Demand, which allows the kernel driver to load only when a Riot game is launched and unload upon exit. This change ends the previous practice of loading the driver at Windows start-up, which has been in place since 2020. The new mode is supported by Windows 11 25H2 and requires specific hardware configurations, including UEFI Secure Boot, TPM 2.0, Virtualization-Based Security (VBS), Hypervisor-Protected Code Integrity (HVCI), and IOMMU. Approximately 35% of players currently meet these hardware requirements, while around 3% are using incompatible systems. Riot has created a checklist called Vanguard Pre-Check to help players determine if their systems qualify. The percentage of fully secured machines is estimated to be around 34.33% and is increasing monthly. Players whose systems do not meet the criteria will need to make manual adjustments in their BIOS. Vanguard On-Demand mode will be available for players on Windows 11 starting later today. The feature is based on Microsoft’s Runtime Driver Attestation Report, which tracks driver activity since boot and helps ensure no vulnerable drivers have been loaded while Vanguard is inactive. Riot Games has required TPM 2.0 and Secure Boot on Windows 11 since 2020 and has faced criticism for these requirements. Enabling VBS and HVCI may affect frame rates and could disable older peripheral drivers due to Microsoft's vulnerable driver blocklist.
AppWizard
June 25, 2026
Riot Games is updating its Vanguard anti-cheat system to an "on-demand" model, which will only activate during gameplay and stop once the game ends. This change addresses concerns over Vanguard's previous persistent background operation and kernel mode access. Players must meet specific security criteria to use the new feature, including enabling pre-boot security mechanisms and Windows' native protection features. Approximately 35% of players already meet these conditions, while 3% using older hardware will not have access to the on-demand option until they upgrade. Vanguard will continue its current operation for those unable to meet the requirements. The update is influenced by advancements in Windows and PC hardware security and aims to enhance anti-cheat measures while keeping the process optional for most players.
Search