FAQ: The secure boot disaster | heise online
c't has reported several times on the current security problems surrounding UEFI Secure Boot. Microsoft's multiple changes to the plan have led to many questions. Here we answer some of the most frequently asked questions - but limit ourselves to those where we assume that the answers are still correct even if Microsoft changes its plans once again.
What it's all about
Secure Boot? UEFI? Certificates? Security problems? Huh?
It's about fending off malware, or more precisely "bootkits", a particularly nasty malware variant. They nest in the boot loader and start before the actual operating system, which shields them very effectively from detection. "UEFI Secure Boot" serves as the countermeasure. The prerequisite is that the PC boots via UEFI. If it uses the boot mechanism of a classic legacy BIOS instead, there is no Secure Boot. The same applies if the PC has a UEFI BIOS but emulates booting via legacy BIOS using the "Compatibility Support Module" (CSM).
If Secure Boot is active, after the PC is switched on, the BIOS only transfers control to boot loaders that are signed with a certificate stored in the BIOS flash memory. In most cases, the certificate comes from Microsoft. This also applies to Linux (Microsoft also signs Linux loaders).
The problem is that there are security gaps in the boot loaders that allow malware such as "BlackLotus" to be installed. This means that Secure Boot is currently undermined: even if a boot loader is signed with a valid certificate, this no longer means that it is trustworthy. So Microsoft had to take countermeasures, and that is what we are talking about here.
The current plan
I can't get my head around all the countermeasures Microsoft is announcing in response to the Secure Boot vulnerabilities. Can you summarize them briefly?
I'd be happy to, but just a warning up front: this is Microsoft's current plan, but not its first. So the company's statements are not entirely reliable. Microsoft is currently planning to revoke the certificate that was previously used to sign all Secure Boot-capable Windows boot loaders. As a result, a UEFI BIOS with Secure Boot active will no longer trust any of the existing Windows boot loaders. So firstly, you need new boot loaders. Secondly, they must be signed with a new certificate, and thirdly, that certificate must be stored in the BIOS flash memory.
Once again, only the Windows boot loaders published by Microsoft itself are affected by this plan. Microsoft has not yet said what will happen to all others.
Trouble is inevitable
What you write sounds as if Microsoft's plans could well give cause for panic. Do I understand that correctly?
Apart from the fact that panic does not solve IT problems: Microsoft wants to deliver both the new boot loader and the new certificate automatically via Windows updates. Microsoft already admits in its knowledge base article KB5025885 that there will be problems with this (see ct.de/ys9k). In addition, Windows' own update function has repeatedly proved to be a source of problems rather than solutions in recent years. It was only in January that an update went wrong on so many computers that Microsoft had to put up with the question of whether updates are still tested in Redmond at all.
I don't have Secure Boot
Secure Boot is not active on my PC, so I don't need new boot loaders or new certificates, do I?
In principle, yes. Nevertheless, Microsoft will install the new components via an update. Background: Microsoft's certificates used for Secure Boot have an additional problem: they expire in 2026. After that, Microsoft will no longer be able to use them to sign new boot loaders. So the company is simply storing new certificates in the BIOS everywhere and installing new boot loaders alongside them. Ideally, however, you will not notice any of this on your PC.
Check certificates in the BIOS
How can I find out which certificates are stored in my computer's BIOS under Windows?
There is no on-board tool that does this easily, but there are PowerShell cmdlets you can install afterwards. They are called "UEFIv2" and come from (now ex-)Microsoft employee Michael Niehaus, who has published them in the PowerShell Gallery. To install them, open a PowerShell running with administrator rights and type in the following three commands:
Install-Module -Name UEFIv2
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Import-Module UEFIv2
The second command triggers a warning, which you must confirm. The command is required in the standard configuration (it allows the cmdlet to be executed), but if you have already entered it before, you can save...
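The UEFIv2 module does the decoding for you. As an added example that is not part of the c't article and does not use UEFIv2, the following script does the same job with only the SecureBoot module built into Windows. This also shows why the article says there is no easy on-board tool: Get-SecureBootUEFI hands back the raw EFI_SIGNATURE_LIST bytes of a variable, and you have to parse them yourself. The script first checks whether Secure Boot is enforced at all (relevant to the "I don't have Secure Boot" question above), then lists the X.509 certificates stored in PK, KEK and db together with their expiry dates, which is where the 2026 expiry mentioned earlier becomes visible. The function name Get-UefiSignatureListCerts is my own; the structure layout and the X.509 signature-type GUID come from the UEFI specification. Run it in a PowerShell with administrator rights on a machine booted via UEFI.

```powershell
# Added example (not from the c't article): decode the Secure Boot signature
# databases with only the SecureBoot module built into Windows 8 and later.
# Assumptions: elevated PowerShell, UEFI firmware (Get-SecureBootUEFI throws on
# legacy-BIOS/CSM systems), PowerShell 5.1 or newer.

# EFI_CERT_X509_GUID from the UEFI specification: marks signature lists whose
# entries carry a DER-encoded X.509 certificate. Other list types (for example
# SHA-256 hashes, which dominate dbx) are skipped by the parser below.
$EfiCertX509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-UefiSignatureListCerts {
    param(
        [Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name
    )
    # Raw variable contents; Windows does not decode EFI_SIGNATURE_LIST for us.
    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes),
        # SignatureListSize, SignatureHeaderSize, SignatureSize (UInt32 each).
        $sigType    = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        # Malformed or truncated list: stop rather than read past the buffer.
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }

        if ($sigType -eq $EfiCertX509Guid) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while ($sigSize -gt 16 -and $pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) + DER certificate
                $owner = [Guid]::new([byte[]]$bytes[$pos..($pos + 15)])
                $der   = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Owner      = $owner
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

# Is Secure Boot enforced at all? False when it is switched off in the BIOS;
# the cmdlet throws when the machine was booted via CSM/legacy BIOS.
try { $secureBootOn = Confirm-SecureBootUEFI } catch { $secureBootOn = $false }
"Secure Boot active: $secureBootOn"

# Certificates the firmware currently trusts, sorted so the soonest expiry
# (the 2026 date for the current Microsoft certificates) appears first.
'PK', 'KEK', 'db' |
    ForEach-Object { Get-UefiSignatureListCerts -Name $_ } |
    Sort-Object NotAfter, Variable |
    Format-Table Variable, Subject, NotAfter, Thumbprint -AutoSize
```

The db listing is the one that matters for the article's point: it shows which signing certificates the BIOS accepts for boot loaders, and once Microsoft's update has run you should see the new certificate appear alongside (or instead of) the old one. The Owner GUID tells you who placed an entry in the list, which is useful on machines where an OEM or administrator has added certificates of their own.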