Windows 10: How to Obtain Microsoft Secure Boot Certificate?

Discussion in 'Windows 10 Gaming' started by Shua Levenberg, Jan 20, 2025.

  1. How to Obtain Microsoft Secure Boot Certificate?


    I’ve read that Microsoft offers a service to analyze and sign non-Microsoft bootloaders so they’re trusted by all “Certified for Windows” PCs. I’m interested in getting my current Linux bootloader signed. I came across this article describing certain requirements. Does anyone know if these are the complete, exhaustive requirements for bootloader approval? Also, are there any estimates regarding the typical lead times and costs involved in obtaining the certificate? Any guidance or firsthand experience would be greatly appreciated!

    :)
     
    Shua Levenberg, Jan 20, 2025
    #1
  2. Drone Win User

    Microsoft Security Essentials Fails AV-Test Certification

    Bad news:

    Microsoft Security Essentials Fails AV-Test Certification | Ubergizmo
     
    Drone, Jan 20, 2025
    #2
  3. security certificate

    Hi,

    Thank you for posting your query on Microsoft Community.

    I would like to know if this issue occurs on different web browsers too?

    I would suggest you try the following steps. When you access a secured website you may get this error message.

    1. Open Internet Explorer and verify that the page you are trying to view is listing a certificate error.

    2. To clear the certificate error, go to Tools --> Internet Options from the menu of IE 11.

    3. Click on the Advanced tab and scroll down to the Security section. Clear the boxes for: "Check for publisher's certificate revocation" and "Check for server certificate revocation".

    4. Click Apply and OK.

    5. Attempt to reload the page by clicking the Refresh button at the end of the address bar or by pressing the F5 key. Your page should now load as expected.

    This error can be caused by the SSL certificate of the website – maybe it was not issued by a trusted Certification Authority on the client side. It could even be an attempt to fool you or intercept data you send to the server. Or maybe the certificate has expired.

    I suggest you refer to the Microsoft help article and check if it helps.

    "There is a problem with this website's security certificate" when you try to visit a secured website in Internet Explorer - Microsoft Support

    I would suggest you refer to the link below and check if it helps:

    Certificate errors: FAQ

    Certificate errors: FAQ - Microsoft Support

    Hope this information was helpful and do let us know if you need further assistance. We will be glad to assist.
     
    Swathi Ravichandran, Jan 20, 2025
    #3
  4. Brink Win User

    How to Obtain Microsoft Secure Boot Certificate?

    Updating Microsoft Secure Boot keys

    Windows IT Pro Blog: Microsoft, in collaboration with our ecosystem partners, is preparing to roll out replacement certificates that'll set new Unified Extensible Firmware Interface (UEFI) Certificate Authorities (CAs) trust anchors in Secure Boot for the future. Look out for Secure Boot database updates rolling out in phases to add trust for the new database (DB) and Key Exchange Key (KEK) certificates. This new DB update is available as an optional servicing update for all Secure Boot enabled devices from February 13, 2024.

    What is Secure Boot?

    Secure Boot is a security feature in the UEFI that helps ensure that only trusted software runs during the system's boot sequence. It works by verifying the digital signature of any software against a set of trusted digital keys stored in the UEFI. As an industry standard, UEFI's Secure Boot defines how platform firmware manages certificates, authenticates firmware, and how the operating system (OS) interfaces with this process. For more details on UEFI and Secure Boot, please refer to this article.

    Secure Boot was first introduced to Windows systems with the Windows 8 release to protect against the emerging pre-boot malware (bootkit) threat at that time. Since then, Secure Boot has continued to be a part of Microsoft's Trusted Boot security architecture. Secure Boot authenticates modules such as UEFI firmware drivers, bootloaders, applications, and option ROMs (Read-Only Memory), which are firmware run by the PC BIOS during platform initialization, before they are all executed. As the final step of the Secure Boot process, the firmware verifies the Windows boot loader is trusted by Secure Boot and then passes control to the boot loader which in turn verifies, loads into memory, and launches Windows. This process coupled with the UEFI firmware signing process helps to ensure that only verified code executes before Windows, preventing attackers from utilizing the boot path as an attack vector.

    To learn more about how Secure Boot fits in with the overall Windows chip-to-cloud security, please refer to the Windows Security Book. Trust and authenticity in Secure Boot are built using the Public-Key Infrastructure (PKI). This establishes a certificate management system which utilizes CAs to store digital certificates. These CAs, consisting of Original Equipment Manufacturer (OEM) or their delegates and Microsoft, generate key pairs that form the root of trust of a system.

    Secure Boot “root of trust”: Setting trust anchors for the future

    Secure Boot's root of trust utilizes a hierarchical system, where the Platform Key (PK) is typically managed by the OEM and used to sign updates to the KEK database. The KEK in turn signs updates to both the Allowed Signature DB and the Forbidden Signature Database (DBX). The Secure Boot Allowed Signature DB and the DBX are integral to the functionality of Secure Boot. Bootloader modules' signing authority must be allowlisted by the Secure Boot DB, while the DBX is used for revoking previously trusted boot components. Updates to the DB and DBX must be signed by a KEK in the Secure Boot KEK database.

    The configuration of Secure Boot DB and KEK for Windows devices has remained the same since Windows 8. Microsoft requires every OEM to include the same three certificates managed by Microsoft for Windows and in support of the third-party hardware and OS ecosystem. These include the Microsoft Corporation KEK CA 2011 stored in the KEK database, and two certificates stored in the DB called the Microsoft Windows Production PCA 2011, which signs the Windows bootloader, and the Microsoft UEFI CA 2011 (or third-party UEFI CA), which signs third-party OS and hardware driver components.

    All three of these Microsoft certificates expire in 2026. So, in collaboration with our ecosystem partners, Microsoft is preparing to roll out replacement certificates that will set new UEFI CA trust anchors for the future. Microsoft will be rolling out Secure Boot database updates in phases to add trust for the new DB and KEK certificates. The first DB update will add the Microsoft Windows UEFI CA 2023 to the system DB. The new Microsoft Windows UEFI CA 2023 will be used to sign Windows boot components prior to the expiration of the Windows Production CA 2011. This DB update will be optional for the February 2024 servicing and preview updates, and can be manually applied to devices.

    Microsoft will slowly roll out this DB update as we validate devices and firmware compatibility globally. The full DB update's controlled-rollout process to all Windows customers will begin during the 2024 April servicing and preview updates, ahead of the certificate expiration in 2026. Meanwhile, efforts to update the Microsoft UEFI CA 2011 (aka third-party UEFI CA) and Microsoft Corporation KEK CA 2011 will begin late 2024, and will follow a similar controlled rollout process as this DB update.

    While Microsoft has frequently performed DBX updates globally since the inception of Secure Boot, this will be the first DB update performed on such a large scale. We're actively collaborating with our OEM partners to identify and address bugs in firmware implementation that could result in unbootable systems or render a device unreceptive to the DB update. To ensure a successful rollout, devices with identified issues will be suspended from receiving the update until a fix is released. Microsoft is taking a very deliberate and cautious approach to rolling out this update. With this DB update, Microsoft will sustain its ability to service all Windows devices' boot components.

    Guidance to manually apply DB update

    The DB update is available on February 13, 2024, along with manual steps to allow customers to test for firmware compatibility, especially for organizations with fleets of devices. If you would like to manually apply the DB update to validate that your system is compatible, please read the following instructions. These actions should be completed with non-critical hardware representing devices in your environment.

    Pre-requisite checks

    Before attempting the DB update, please ensure to perform the necessary pre-requisite checks:
    1. If you intend to manually apply this update to a large group of devices, we advise that you begin by rolling out to individual devices with the same firmware and specifications first to minimize the risks in the case of firmware bugs in your devices.
    2. Please verify that your UEFI firmware version is the most recent available version by your firmware vendor or OEM.
    3. For data backup steps, please refer to this guide.
    4. If you use BitLocker or if your enterprise has deployed BitLocker on your machine, ensure to back up BitLocker Keys:
        1. See this portal to ensure your BitLocker keys are backed up before your next reboot for your selfhost device. In the unlikely event that device becomes inoperable after receiving the update, the hard drive can still be unlocked.
        2. If the keys are backed up, the UI should resemble the following:
           [screenshot]
        3. If the keys are not backed up, please open Windows Search to search for “Manage BitLocker” and select Back up your recovery key followed by Save to your Azure AD or MSA account.
    For users that use a local account instead of an Azure Active Directory (AAD) or Microsoft account (MSA), you can print your recovery password, save to a file, and store it in a secure location.

    Formal DB update steps

    1. Apply the February 2024 (or later) security update.
    2. Open a PowerShell console and ensure that PowerShell is running as an administrator before running the following commands:
      1. Set the registry key to
         Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x40
      2. Run the following scheduled task as
         Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
    3. Reboot the machine twice after running these commands to confirm that the machine is booting with the updated DB.
    4. To verify that the Secure Boot DB update was successful, open a PowerShell console and ensure that PowerShell is running as an administrator before running the following command:
         [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
    If the command returns True, the update was successful. In the case of errors while applying the DB update, please refer to the article, KB5016061: Addressing vulnerable and revoked Boot Managers.

    Source: https://techcommunity.microsoft.com/...s/ba-p/4055324
     
    Brink, Jan 20, 2025
    #4
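
The verification command quoted in post #4 looks for an ASCII string anywhere in the raw db bytes. As an added example (not from the thread or the quoted Microsoft article), the PowerShell below parses the variable as EFI_SIGNATURE_LIST structures and lists each certificate with its expiry date, so the 2011 and 2023 entries can be told apart. The function name Get-EfiSignatureEntry is hypothetical; the structure layout and the X.509 signature-type GUID are taken from the UEFI specification.

```powershell
# Added example: enumerate the entries of a Secure Boot variable (db, KEK, dbx)
# by parsing its EFI_SIGNATURE_LIST structures instead of string matching.
$EFI_CERT_X509_GUID = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-EfiSignatureEntry {   # hypothetical helper name
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # List header: SignatureType GUID, then three little-endian UINT32 sizes.
        $type     = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed signature list at offset $offset"
        }
        $end = $offset + $listSize
        for ($p = $offset + 28 + $hdrSize; $p + $sigSize -le $end; $p += $sigSize) {
            # Each entry: 16-byte SignatureOwner GUID followed by the signature data.
            $owner = [Guid]::new([byte[]]$Bytes[$p..($p + 15)])
            $data  = [byte[]]$Bytes[($p + 16)..($p + $sigSize - 1)]
            $entry = [ordered]@{ Type = $type; Owner = $owner; Subject = $null; NotAfter = $null }
            if ($type -eq $EFI_CERT_X509_GUID) {
                # X.509 entries carry one DER-encoded certificate.
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Subject  = $cert.Subject
                $entry.NotAfter = $cert.NotAfter
            }
            [pscustomobject]$entry   # hash entries (as in dbx) keep Subject = $null
        }
        $offset = $end
    }
}

# Requires an elevated console on a UEFI system, like the commands in post #4.
$db = Get-EfiSignatureEntry -Bytes (Get-SecureBootUEFI db).Bytes
$db | Format-Table Subject, NotAfter, Owner -AutoSize

# True only if a parsed certificate subject names the new CA.
[bool]($db.Subject -match 'Windows UEFI CA 2023')
```

Passing `(Get-SecureBootUEFI KEK).Bytes` instead lists the KEK certificates the same way.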