Technical basics

Secure Boot uses certificates stored in the UEFI firmware, for example from Microsoft, to check the digital signatures of boot components at system startup. This ensures that only unmodified software signed by trusted publishers is loaded. These signature checks are necessary to prevent tampering and the loading of untrusted software. The process is shown in simplified form in the following illustrations.

Fig. 1: Simplified boot process with Secure Boot
Fig. 2: Key synchronization during the Secure Boot process

The first generation of these certificates is from 2011 and expires in 2026 after 15 years of validity: https://support.microsoft.com/de-de/topic/ablauf-des-windows-secure-boot-zertifikats-und-updates-der-zertifizierungsstelle-7ff40d33-95dc-4c3c-8725-a9b95457578e

The expiry of these certificates can cause problems when starting devices if the certificates are not updated in good time. If the old keys are still stored in the UEFI firmware but the bootloader has been signed with a new certificate, Windows will no longer boot. Microsoft has been providing new certificates since 2023; they must be installed to ensure continued secure operation.

Secure Boot at Beckhoff

Secure Boot is deactivated by default in the Beckhoff delivery configuration. This means that devices in the standard delivery configuration are not affected by the imminent expiry of the Microsoft Secure Boot certificates. Only systems on which Secure Boot has either been activated ex factory as a special option or has been enabled manually by you are affected. Even in these cases, a problem only occurs if:

  1. A bootloader is used that has been signed with a new certificate (e.g. by a new Windows image or a Windows update) and
  2. the corresponding key is not available in the UEFI firmware.

If Secure Boot is active, you should therefore update the keys in the UEFI firmware (see Updating the secure boot keys) to ensure trouble-free operation.
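To find out whether a device falls into the affected case described above (Secure Boot active, but the firmware still holds only the 2011 keys), the following PowerShell script, added here as an example and not part of the Beckhoff or Microsoft documentation, parses the EFI_SIGNATURE_LIST structures of the UEFI `KEK` and `db` variables and lists the X.509 CAs they contain. It assumes Windows PowerShell running with administrator rights on a UEFI system; the 2023 CA names in `$expected` are the ones Microsoft publishes and should be verified against the linked support article.

```powershell
# Added example (not Beckhoff or Microsoft code): enumerate the X.509 CAs stored in the
# UEFI KEK and db variables and report whether the 2023 Microsoft CAs are present.
# Assumes: elevated Windows PowerShell on a UEFI system.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-UefiSignatureCerts {
    param([Parameter(Mandatory)][string]$Variable)   # 'PK', 'KEK', 'db' or 'dbx'
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    $pos = 0
    while ($pos + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16), ListSize, HeaderSize, SignatureSize (4 each)
        $type       = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $pos + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $pos + 24)
        if ($listSize -lt 28) { break }                       # malformed list, stop parsing
        if ($type -eq $EfiCertX509Guid) {
            $entry = $pos + 28 + $headerSize
            while ($entry + $sigSize -le $pos + $listSize) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16) followed by the DER-encoded certificate
                $der  = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{ Variable = $Variable; Subject = $cert.Subject; NotAfter = $cert.NotAfter }
                $entry += $sigSize
            }
        }
        $pos += $listSize
    }
}

if (-not (Confirm-SecureBootUEFI)) {
    Write-Host 'Secure Boot is disabled on this device; the certificate expiry does not affect it.'
    return
}
$certs = @(Get-UefiSignatureCerts -Variable 'KEK') + @(Get-UefiSignatureCerts -Variable 'db')
$certs | Format-Table Variable, Subject, NotAfter -AutoSize

# 2023 CA names as published by Microsoft (assumption: verify against the linked support article)
$expected = 'Microsoft Corporation KEK 2K CA 2023', 'Windows UEFI CA 2023', 'Microsoft UEFI CA 2023'
foreach ($name in $expected) {
    $state = if ($certs.Subject -match [regex]::Escape($name)) { 'present' } else { 'MISSING' }
    Write-Host ('{0,-40} {1}' -f $name, $state)
}
```

A device that reports Secure Boot enabled and one or more 2023 CAs as MISSING is the case the section above describes and should have its UEFI keys updated before a bootloader signed with the new certificate is installed.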

You can already activate Secure Boot manually. In future, activation with the updated Microsoft Secure Boot certificates from 2023 will be supported by default. Secure Boot is available ex factory with the free special option C9900-B655.