Microsoft has rolled out a significant security update for Windows 10 users, accompanied by an important advisory regarding the impending expiration of Secure Boot certificates. These certificates, which have been in place for 15 years, are set to expire next month, prompting the tech giant to urge users to take proactive measures to ensure their systems remain secure.
Understanding the Update
The latest update, identified as KB5087544, introduces a feature that enables dynamic status reporting for Secure Boot states within the Windows Security App. This enhancement is designed to assist users in monitoring and maintaining the security of their devices as the expiration date approaches. Microsoft emphasizes the importance of reviewing the guidance provided and taking necessary actions to update certificates ahead of the deadline to avoid potential disruptions.
This marks the first instance of Secure Boot certificates expiring since their introduction in 2011. All Windows 10 PCs will require new certificates; however, only those enrolled in the Extended Security Updates (ESU) program will be eligible for the update. PCs outside this program may face risks once the old certificates begin to expire. Additionally, most Windows 11 devices will also need new certificates, with the exception of those purchased within the last two years. These newer devices have been equipped with an updated security app designed to alert users to any issues prior to the June deadline.
Microsoft has issued a cautionary note: failure to install the new certificates could impact the ability of both personal and business devices to boot securely. The update also addresses a specific security warning related to Remote Desktop Connection, which may display incorrectly in multi-monitor setups with varying display scaling settings following the installation of a previous security update.
Another potential outcome of the update is that some devices may prompt users to enter a BitLocker recovery key after restarting. While the number of affected PCs is expected to be limited, it is advisable to have this key readily available. Fortunately, the recovery key will only need to be entered once, as subsequent restarts will not trigger the recovery screen. Users can find detailed instructions on locating their recovery key through Microsoft’s support resources.
The Secure Boot update represents a critical change, and the process of obtaining new certificates is not straightforward. Microsoft has indicated that new certificates will only be issued to devices that demonstrate sufficient successful update signals, ensuring a controlled and phased rollout. To confirm any issues, users are encouraged to upgrade their Windows Security App promptly, maximizing the time available to address any potential concerns. Once the new Secure Boot certificates are successfully installed, users will receive a notification within their security settings.