Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Windows security update. Show all posts
Windows security update
Microsoft Secure Boot Secure Boot certificates expiry Technology Windows 10 ESU Windows security update

Microsoft Introduces Secure Boot Status Dashboard Ahead of Certificate Expiry

 

Microsoft is preparing for the upcoming expiration of its original 2011 Secure Boot certificates, set for June 2026, by introducing a new Secure Boot status dashboard within Windows. This feature is designed to help users verify whether their systems remain protected during startup.

Beginning this month, the dashboard will be integrated into the Windows Security app. Users will find a Secure Boot status indicator under the Device security section, specifically within Secure Boot settings.

"The Windows Security app now shows whether your device has received these updates, what your current status is, and whether any action is needed," Microsoft says on a new support page.

The indicator will display three possible statuses. A green badge confirms that the system has received the necessary updates. A yellow badge signals a recommendation from Microsoft, often suggesting a firmware update to install the latest certificates. A red badge indicates that the device is unable to receive the updated Secure Boot certificates.

“This state appears only after a security vulnerability that affects the boot process is discovered and cannot be serviced on devices that have not yet received the updated certificates. This could occur as early as June 2026, when some of the current Secure Boot certificates begin to expire,” the company says.

In addition to the visual indicators, Microsoft will provide detailed guidance within the dashboard, advising users on steps to resolve issues. These may include updating the Windows operating system or contacting the device manufacturer.

Secure Boot plays a critical role in ensuring that only trusted software runs during the startup process, protecting systems from persistent malware that can survive OS reinstalls. However, many devices are still running Windows 10, which reached end of support in October and no longer receives standard security updates.

Earlier this year, Microsoft cautioned that such unsupported Windows 10 systems would not receive the new Secure Boot certificates. The only exception applies to devices enrolled in the Windows 10 Extended Security Updates (ESU) program, which offers limited continued protection.

Microsoft confirmed that the new Secure Boot status indicator will be available only on Windows 10 ESU systems and Windows 11 devices. Systems running unsupported versions of Windows 10 should assume their certificates will begin expiring from June onward.

For eligible systems, the updated certificates are expected to be delivered automatically through routine monthly updates. However, some devices may still require a separate firmware update from the PC or motherboard manufacturer before the certificates can be applied—hence the yellow and red warnings.

Even if a system does not receive the updated certificates, it will continue to function. However, Microsoft cautions: “The device will enter a degraded security state that limits its ability to receive future boot-level protections,” leaving it vulnerable to potential “boot-level vulnerabilities” that attackers could exploit.

Users facing a red status will also have the option to proceed without taking action by selecting “I accept the risks, don’t remind me.”

Microsoft plans to expand alerts related to Secure Boot beyond the Windows Security app. “Beginning in May 2026, additional improvements will become available, including notifications outside the app (such as system alerts) and additional in-app guidance and controls to help you respond to Secure Boot warnings.”
Read more »
Windows security update
Kerberos authentication Microsoft NTLM deprecation NTLM authentication NTLM phase-out Technology Windows security update

Microsoft Outlines Three-Stage Plan to Disable NTLM and Strengthen Windows Security

 

Microsoft has detailed a structured, three-phase roadmap to gradually retire New Technology LAN Manager (NTLM), reinforcing its broader push toward more secure, Kerberos-based authentication within Windows environments.

The announcement follows Microsoft’s earlier decision to deprecate NTLM, a legacy authentication mechanism that has long been criticized for its security shortcomings. Officially deprecated in June 2024, NTLM no longer receives updates, as its design leaves systems vulnerable to relay attacks and unauthorized access.

"NTLM consists of security protocols originally designed to provide authentication, integrity, and confidentiality to users," Mariam Gewida, Technical Program Manager II at Microsoft, explained. "However, as security threats have evolved, so have our standards to meet modern security expectations. Today, NTLM is susceptible to various attacks, including replay and man-in-the-middle attacks, due to its use of weak cryptography."

Despite its deprecated status, Microsoft acknowledged that NTLM remains widely used across enterprise networks. This is largely due to legacy applications, infrastructure constraints, and deeply embedded authentication logic that make migration difficult. Continued reliance on NTLM increases exposure to threats such as replay, relay, and pass-the-hash attacks.

To address these risks without disrupting critical systems, Microsoft has introduced a phased strategy aimed at eventually disabling NTLM by default.

Phase 1 focuses on improving visibility and administrative control by expanding NTLM auditing capabilities. This helps organizations identify where NTLM is still in use and why. This phase is already available.

Phase 2 aims to reduce migration barriers by introducing tools such as IAKerb and a local Key Distribution Center (KDC), while also updating core Windows components to favor Kerberos authentication. These changes are expected to roll out in the second half of 2026.

Phase 3 will see NTLM disabled by default in the next release of Windows Server and corresponding Windows client versions. Organizations will need to explicitly re-enable NTLM using new policy controls if required.

Microsoft described the move as a key milestone toward a passwordless and phishing-resistant ecosystem. The company urged organizations that still depend on NTLM to audit usage, identify dependencies, transition to Kerberos, test NTLM-disabled configurations in non-production environments, and enable Kerberos enhancements.

"Disabling NTLM by default does not mean completely removing NTLM from Windows yet," Gewida said. "Instead, it means that Windows will be delivered in a secure-by-default state where network NTLM authentication is blocked and no longer used automatically."

"The OS will prefer modern, more secure Kerberos-based alternatives. At the same time, common legacy scenarios will be addressed through new upcoming capabilities such as Local KDC and IAKerb (pre-release)."


Read more »
Subscribe to: Posts (Atom)