Eclipse Community

Seeing that some of us are still running old PCs, there is a problem which may affect some of them: the expiration of secure boot certificates in June 2026.

Microsoft information:
https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e
https://support.microsoft.com/en-us/topic/frequently-asked-questions-about-the-secure-boot-update-process-b34bf675-b03a-4d34-b689-98ec117c7818

Some certificates available here:
https://learn.microsoft.com/en-au/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11#14-signature-databases-db-and-dbx

But a BIOS update might be required. Good luck with that for old PCs

DELL information:
https://www.dell.com/support/kbdoc/en-US/000347876/microsoft-2011-secure-boot-certificate-expiration

HP information:
https://support.hp.com/us-en/document/ish_13070353-13070429-16

The expiration of these certificates will not invalidate existing files signed by them. It will just prevent new files being signed by them (so new Windows versions will not run). Also, all spec-compliant systems will have some method of adding a custom certificate (either via the firmware config, via Microsoft's certificate update, or via Shim and Machine Owner Key). Plus, most systems allow you to disable Secure Boot, which fixes this whole situation.

I have a hunch that Secure Boot and TPM technologies will not be able to be disabled in the near future.
My newest laptop (now 1.5yrs old) wouldn't even allow Win *TEN* to be installed *IF* the TPM drivers were contained within the installation media.
It's a Ryzen 5 with a copilot button on the keyboard.
I never bothered to even test copilot and the default Win11 that came with the laptop.
All new equipment gets an immediate reformat/reinstall before it even gets connected to the network.