Posted by - June 26, 2026

Most business owners have never thought about how their computer starts up. They press the power button, Windows appears, and the day begins. But underneath that quiet sequence is a security system that has been protecting every Windows and Linux machine for the past fifteen years – and right now, it is getting its first major refresh since 2011.

Here is what is happening, and what it means for your business. The Secure Boot certificate update started rolling out on June 24, and a lot of small businesses are going to miss it without realizing.

What Secure Boot Does For You

Think of Secure Boot as a security guard who checks IDs before anyone is allowed into the building. Every time your computer starts up, Secure Boot looks at each piece of software trying to load and asks: are you supposed to be here? If something does not have proper ID, Secure Boot refuses to let it in.

This is how your computer protects itself from bootkits – a particularly nasty type of malware that loads before Windows even starts. Bootkits hide where antivirus software cannot see them, and they survive a full Windows reinstall. The most well-known example is LoJax, a bootkit discovered in 2018 and linked to APT28, a Russian state-sponsored hacking group.

Why the Update Is Happening Now

Two reasons. The certificates Secure Boot uses are dated 2011 – they were always going to expire eventually. But in 2023, researchers found a flaw called LogoFAIL that let attackers slip past Secure Boot on nearly every Windows and Linux machine in the world. The new 2023 certificates give Microsoft the foundation it needs to revoke compromised software and keep your computer protected from the next bootkit that comes along. Microsoft has published a full playbook walking IT teams through the transition.

Computers that finish the update keep getting protections. Computers that miss it will still turn on and work fine – but they lose the ability to defend against future bootkit threats.

How to Check Your Computer in 10 Seconds

On a Windows machine, here is what to do:

  • Click Start and search for Windows Security
  • Open it and click Device Security
  • Look at the Secure Boot section. A green checkmark means you are good. Anything else means the update has not run yet.

If your computers are kept current with Windows Updates, the new certificates are probably already installed. Older machines, or ones that have skipped updates for a while, may have missed it.
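For IT staff who want to confirm from PowerShell that the 2023 certificates are actually enrolled in the firmware, here is an added example; it is not from the original post. The function name is hypothetical, and the two certificate names it searches for are assumptions about which 2023 certificates to look for, since the post does not name them.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the machine being checked.
function Get-SecureBootCertStatus {   # hypothetical helper name
    # Assumption: these are the 2023 certificate names to look for,
    # keyed by the UEFI variable that stores them.
    $expected = [ordered]@{
        KEK = 'Microsoft Corporation KEK 2K CA 2023'
        db  = 'Windows UEFI CA 2023'
    }

    # Step 1: is Secure Boot on at all?
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        # Raised on legacy BIOS machines or in a non-elevated session.
        Write-Warning "Cannot query Secure Boot: $($_.Exception.Message)"
        return
    }
    [pscustomobject]@{ Check = 'Secure Boot enabled'; Result = $enabled }

    # Step 2: search each variable's raw bytes for the certificate name.
    foreach ($var in $expected.Keys) {
        try {
            $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
            $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
            $found = $text.Contains($expected[$var])
        } catch {
            Write-Warning "Cannot read '$var': $($_.Exception.Message)"
            $found = $null
        }
        [pscustomobject]@{
            Check  = "$($expected[$var]) in $var"
            Result = $found
        }
    }
}

Get-SecureBootCertStatus | Format-Table -AutoSize
```

A Result of False next to a certificate name means that certificate has not been written to the firmware on that machine yet; an empty Result means the variable could not be read.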

Not sure what to do? Give OptfinITy a call.
