Updating Microsoft Secure Boot Keys (microsoft.com)
4 points by EspadaV9 7 months ago | 1 comment

>Published Feb 13 2024

>The configuration of Secure Boot DB and KEK for Windows devices has remained the same since Windows 8. Microsoft requires every OEM to include the same three certificates managed by Microsoft for Windows and in support of the third-party hardware and OS ecosystem.

>All three of these Microsoft certificates expire in 2026.

Ruh-roh.

So they're beginning to roll out the updates shortly, way before the 2026 deadline. It seems like the extreme uncertainty we must realistically have right now for the year 2026 will never be reduced regardless of how much closer the future comes into view. Doesn't make much difference then; when you throw caution to the wind, there's no time like the present.

>this will be the first DB update performed on such a large scale.

>With this DB update, Microsoft will sustain its ability to service all Windows devices’ boot components.

>collaborating with our OEM partners to identify and address bugs in firmware implementation

>Guidance to manually apply DB update . . .

>These actions should be completed with non-critical hardware representing devices in your environment.

A shitshow that keeps on giving, smelling worse every year.

Ballmerization (the pre-existing analog to enshittification) unearths its ugly head like an army of zombies you can't get rid of.

By now maybe the "updated" approach is to never attribute to stupidity that which is descended from malevolence.

They wouldn't have called Microsoft SecureBoot a trustworthy improvement if it wasn't false.

IOW you need to make sure NOT TO PURCHASE any PC hardware which does not continue to retain the ability to disable Microsoft SecureBoot at the discretion of the owner.

Also stay away from anything that does not retain the ability to use traditional BIOS mode when you want to administer your hardware that way (IOW you need a CSM support feature in firmware, do not accept deprecation). After all these years UEFI is obviously far from perfect in more costly ways than the BIOS system it replaced. Using Legacy BIOS mode with a CSM is the only way to ensure the continued use of your investment in hardware in the face of cascading obstacles, and to allow for unforeseeably modern alternative operating systems that today's powerful hardware could actually accommodate electronically, much more advanced than could be imagined today. And that's not to mention an apparent 10-year cliff where there's been extreme condescension for owners who want to get the most out of their investment over the long run, especially beyond a decade.

So no matter whether mandatory "secure" features leak, or were set to expire destructively early, as predicted it was always a booby-trap poised to compromise bootability of perfectly malware-free PCs in unexpected ways for millions of users. Not just Linux machines, but it looks like plenty of Windows users can end up as collateral damage too.

Of course it was worse than imagined at the time.

So careful what you purchase, otherwise you will be contributing to the extreme anti-reuse/anti-recycling strategy of the anti-environment Ballmer era.

After all, you can't fix stupid, you can only "upgrade" it. One of the clearest paths to "more stupid" is to pile it on.
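Added example, not part of the submitted Microsoft post or the comment above: before the 2026 expiry the post talks about, a practitioner wants to know what is actually sitting in a given machine's Secure Boot db and KEK and when each certificate expires, both before and after applying the DB update on the "non-critical hardware" the post recommends. The script below uses the standard Windows cmdlets Confirm-SecureBootUEFI and Get-SecureBootUEFI, walks the raw variable as a sequence of EFI_SIGNATURE_LIST structures (the layout from the UEFI specification's signature database section), and decodes every X.509 entry. The function name Get-SecureBootCertificates and the 2027-01-01 reporting cutoff are this example's own assumptions, not anything from Microsoft's guidance; run it from an elevated PowerShell on a UEFI machine.

```powershell
# Added example (not Microsoft's code): list the X.509 certificates in the
# Secure Boot db / KEK with their expiry so you can see whether a device still
# carries only certificates that expire in 2026. Needs an elevated session on
# a UEFI system; Get-SecureBootUEFI fails on legacy BIOS / CSM boot.
#Requires -RunAsAdministrator

# Signature type GUID for X.509 entries (EFI_CERT_X509_GUID, from the UEFI spec).
$EFI_CERT_X509_GUID = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificates {
    # Hypothetical helper name chosen for this example.
    param(
        [ValidateSet('db', 'KEK', 'PK')]
        [string]$Name = 'db'
    )

    # .Bytes is the raw UEFI variable: one or more EFI_SIGNATURE_LIST records.
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0

    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header:
        #   SignatureType        GUID    (16 bytes)
        #   SignatureListSize    UINT32
        #   SignatureHeaderSize  UINT32
        #   SignatureSize        UINT32
        # UEFI GUIDs use the same mixed-endian layout as System.Guid, so the
        # byte[] constructor reads them directly.
        $sigType  = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { break }   # malformed list; stop rather than spin

        $sigStart = $offset + 28 + $hdrSize
        $listEnd  = $offset + $listSize

        # Hash-type lists (e.g. in dbx) are skipped; only X.509 lists hold certs.
        if ($sigType -eq $EFI_CERT_X509_GUID -and $sigSize -gt 16) {
            for ($p = $sigStart; $p + $sigSize -le $listEnd; $p += $sigSize) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) + DER certificate.
                $owner = [Guid]::new([byte[]]$bytes[$p..($p + 15)])
                $der   = [byte[]]$bytes[($p + 16)..($p + $sigSize - 1)]
                $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Owner      = $owner
                    Subject    = $cert.Subject
                    NotBefore  = $cert.NotBefore
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
        $offset = $listEnd
    }
}

# --- Usage ---
if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is not enabled on this device; the db/KEK contents below may not be enforced.'
}

$certs = @(Get-SecureBootCertificates -Name db) + @(Get-SecureBootCertificates -Name KEK)
$certs | Sort-Object Variable, NotAfter |
    Format-Table Variable, NotAfter, Subject, Thumbprint -AutoSize

# Assumed cutoff: anything expiring before 2027 is on the 2026 schedule the post describes.
$cutoff   = [datetime]'2027-01-01'
$expiring = @($certs | Where-Object { $_.NotAfter -lt $cutoff })
if ($expiring.Count -gt 0) {
    Write-Host ("{0} certificate(s) in db/KEK expire before {1}:" -f $expiring.Count, $cutoff.ToShortDateString())
    $expiring | ForEach-Object { Write-Host ("  [{0}] {1}  (expires {2})" -f $_.Variable, $_.Subject, $_.NotAfter) }
} else {
    Write-Host 'No db/KEK certificates expire before 2027.'
}
```

Run it once before and once after applying the DB update on a test machine and diff the thumbprint columns: a successful update shows additional entries whose NotAfter is well past 2026, while the pre-existing entries remain. The Owner GUID tells you which signature owner (OEM or Microsoft) enrolled each entry, which is useful when an OEM-supplied db diverges from the three-certificate baseline the post describes.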
