Technology
Old Microsoft shims still enable simple Secure Boot bypasses
Microsoft’s original Windows Secure Boot certificates issued in 2011 began expiring in June, and that transition is colliding with old signed shims that still make some Secure Boot bypasses straightforward. Microsoft says devices that miss the new 2023 certificates will keep booting normally, but they may lose future boot-level security updates and revocation capability because DBX updates and related trust-chain changes depend on the newer certificates.
Secure Boot was introduced in Windows 8 to verify the digital signatures of firmware modules, boot loaders and applications before the operating system starts, a defense meant to stop bootkits and rootkits that sit below the OS and are harder to detect or remove. The oversight problem is built into the trust model itself: unless Microsoft revokes a signed loader, it can remain trusted for years, and attackers can reuse that trust to slip past Secure Boot on some systems.

Microsoft says fixing some Secure Boot bypasses, including the CVE-2023-24932 revocation path, requires revoking boot managers. That is not a clean flip of a switch. Microsoft warns the mitigation can create compatibility problems for some boot configurations, which is why the rollout has to be cautious even when the security case is clear.

The certificate transition is already showing up in operator guidance. Google Cloud tells Shielded VM users to update Microsoft Secure Boot certificates and, in some cases, to update the KEK and db variables so instances keep trusting the newer 2023 chain. That matters for cloud fleets that depend on measured boot and integrity monitoring, but the same logic reaches on-premises enterprise Windows systems and consumer PCs that still rely on third-party bootloaders.

Among the certificates aging out are the Microsoft Corporation UEFI CA 2011, which expires on June 27, 2026, the Microsoft Corporation KEK CA 2011, which expires on June 24, 2026, and the Microsoft Windows Production PCA 2011, which expires on October 19, 2026. The old Microsoft UEFI CA 2011 also signed third-party bootloaders such as shim, which is why forgotten shims can keep opening doors long after their underlying flaws were known. Government fleets, enterprise deployments and everyday PCs are exposed in different ways, but the risk is the same: a machine can continue to start normally while its boot chain quietly becomes less able to block the next bypass.