NewApp Digest
search bot

SecureBoot

Your Windows PC has a security deadline in June 2026
Winsage
May 28, 2026

Your Windows PC has a security deadline in June 2026

A Secure Boot certificate refresh is being deployed across supported Windows devices via Windows Update. The Secure Boot certificates from 2011 will begin to expire in June 2026, prompting Microsoft to introduce new 2023-dated certificates to maintain security. Most users will require minimal action if their PCs are updated, but older devices may face challenges. The current certificates include: - Microsoft Corporation KEK CA 2011: expires June 24, 2026 - Microsoft UEFI CA 2011: expires June 27, 2026 - Microsoft Windows Production PCA 2011: expires October 19, 2026 The new certificates will remain valid until 2038, with plans for post-quantum cryptography around 2030. While PCs using the 2011 certificates will continue to function, they will lose access to new security protections, making them vulnerable to emerging threats. A notable example of such a threat is the BlackLotus bootkit, which exploited vulnerabilities to bypass Secure Boot. Microsoft's rollout strategy involves a staged update process that typically takes around 48 hours and may require restarts. Users are advised to keep Windows updated and check their Secure Boot status. Known issues may arise for older PCs, systems that bypassed Windows 11 requirements, Legacy BIOS systems, and custom firmware configurations. IT teams managing devices should inventory their systems, monitor specific event IDs, test updates, and document devices that cannot be updated.
Windows Server 2016 Update: Disastrous Bug Breaks AD
Winsage
May 28, 2026

Windows Server 2016 Update: Disastrous Bug Breaks AD

Microsoft released a mandatory patch (KB5087537) for Windows Server 2016 to enhance cryptographic layers and address critical vulnerabilities. This update is essential for organizations using legacy workloads, as mainstream support ended in January 2022, but extended support continues until January 12, 2027. The patch aims to prepare systems for the expiration of Windows Secure Boot certificates in June 2026, which, if not updated, could compromise security and expose systems to malware. The update uses a phased deployment model and includes a new SecureBoot folder to assist IT professionals in managing certificate status. It also addresses various quality-of-life issues, including bugs affecting Remote Desktop Connection and authentication errors with Microsoft services. However, a significant issue arises when the host server name is exactly 15 characters long, causing failures in the domain controller discovery process and obstructing critical operations. This bug is linked to the historical 15-character limit of NetBIOS, which affects the Active Directory lookup mechanism. Microsoft has acknowledged the issue but has not provided a timeline for a fix, leaving administrators to either rename servers or uninstall the update. As the Secure Boot deadline approaches, IT departments must carefully assess their environments to avoid disruptions while ensuring security compliance.
Windows 11's new SecureBoot folder isn't malware. Here's what it does
Winsage
May 21, 2026

Windows 11’s new SecureBoot folder isn’t malware. Here’s what it does

Users have observed a new folder named “SecureBoot” in the Windows system folder following the installation of Windows 11's May update (KB5089549). This update may cause installation issues for some devices and introduces a directory that contains example scripts for IT professionals to manage Secure Boot certificate updates. Windows Secure Boot certificates are set to expire next month, and outdated certificates will lead to loss of support starting in June, potentially compromising Secure Boot functionality. Microsoft is distributing new certificates through Windows Update. The SecureBoot folder does not require individual users to take action, and deleting it is discouraged as it may cause complications with future Windows updates.
UEFI BIOS flaws: SecureBoot bypass and firmware replacement possible
Winsage
June 12, 2025

UEFI BIOS flaws: SecureBoot bypass and firmware replacement possible

Recent findings have identified two vulnerabilities in various UEFI BIOS versions from multiple manufacturers, compromising the SecureBoot mechanism. These vulnerabilities allow attackers to bypass SecureBoot protections and replace firmware, particularly in Insyde BIOSes. The issues stem from unprotected NVRAM variables, specifically the "IhisiParamBuffer," which can be manipulated to execute unsigned UEFI binaries. Affected UEFI applications include "DTBios" and "BiosFlashShell" from DTResearch, with a CVSS score of 8.2. Microsoft has added 14 new hashes to its DBX database to mitigate these risks. Additionally, a vulnerability in the Insyde H2O UEFI firmware app allows attackers to infiltrate digital certificates due to the insecure handling of the "SecureFlashCertData" variable, which is incorrectly treated as trusted memory. This flaw, known as "Hydroph0bia," has a CVSS score of 7.8 and enables unauthorized execution of firmware certified with manipulated certificates. Manufacturers are urged to provide firmware updates to address these vulnerabilities, as inconsistent support for locking UEFI variables raises security concerns.
Search