Check Your Windows Secure Boot and Device Encryption Status!

GEEK FREE
By Joe Callison
4 June, 2026

Secure Boot:

Secure Boot is a feature of UEFI firmware (the modern replacement for the BIOS) that was introduced with Windows 8 in 2012. It requires that any software loading during the boot process, before the Windows operating system and other software are loaded, be signed with a trusted Secure Boot certificate. Some third-party drivers and antimalware processes load during the boot process and therefore need these certificates. The certificate validation data stored in the firmware was published in 2011. Those certificates begin expiring in June 2026, so the firmware data needs to be updated for the replacement certificates published in 2023. This update process is being rolled out beginning with the April 2026 Windows updates. Some computers are having issues with the updates, notably Lenovo Yoga and, more recently, many HP models. While trying to perform the necessary UEFI changes, the computer may boot to a prompt asking for the BitLocker Recovery Key. Even after entering the valid key stored in the user’s Microsoft account, the computer may be stuck in a boot loop showing the same prompt. The problem appears to be a difficulty in completing the UEFI firmware changes necessary for the new certificates. Other means of updating the firmware might be needed unless a Windows update fix is released for the affected models.


If your computer has not been affected, you can verify that the updated Secure Boot Certificates have been received by going to Settings, Privacy & Security, Windows Security, Device Security, and reading the Secure Boot description. It should indicate that the certificate updates have been completed and no further changes are needed.

If Secure Boot is not listed in Device Security, the feature may have been turned off in the firmware. Normally, it is on by default.

Device Encryption:

Device Encryption is provided for Windows Home users. It is similar to BitLocker on Windows Professional, but management is limited to turning it on or off, and it applies only to internal storage drives. It requires being signed into a Microsoft account, not a local account, and both the TPM Security and Secure Boot features must be turned on in the UEFI firmware. If those requirements were met when Windows was first set up, Device Encryption would have been turned on by default, and a BitLocker recovery key would have been stored in the online Microsoft account. The internal drives would then be encrypted unless the toggle is later turned off in the Windows settings. Turning off encryption begins decrypting the drives, which can take considerable time to complete. If it is turned on again, the encryption process starts over, and a new BitLocker recovery key is stored in the Microsoft account. It is highly recommended to keep a copy of the current key in a safe place, along with the Microsoft account user name (typically an email address) and password.

For normal home use, unless you travel with your laptop or have very sensitive information stored on it, I would discourage encrypting your internal drives. I would instead keep sensitive information on an encrypted external drive.

Like Secure Boot, Device Encryption can be found on the Device Security settings page. A text link to manage the device encryption will open another settings page with a toggle to turn it on or off.
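The Settings pages above give a yes/no answer; the following PowerShell script is an added example (not from the original post) that checks the same things from the command line for both sections: whether Secure Boot is enabled, whether the 2023 certificates have actually landed in the firmware's signature database, whether a TPM is present, and the encryption state of the internal drives. It must run in an elevated (Administrator) PowerShell window. The certificate names it searches for are the ones Microsoft has published for the 2023 certificate authorities; they are an assumption here and should be confirmed against current Microsoft guidance.

```powershell
# Added example, not part of the original post.
# Run from an elevated PowerShell window; the Secure Boot and TPM cmdlets
# fail without Administrator rights.
#Requires -RunAsAdministrator

# 1. Is Secure Boot turned on in the UEFI firmware?
try {
    $secureBoot = Confirm-SecureBootUEFI
    Write-Host "Secure Boot enabled: $secureBoot"
} catch {
    # Thrown on legacy-BIOS systems or when the firmware does not expose the setting
    Write-Host "Secure Boot not supported or not reported: $($_.Exception.Message)"
    $secureBoot = $false
}

# 2. Have the 2023 certificates reached the firmware's signature database (db)
#    and Key Exchange Key (KEK) store? These variables hold DER-encoded
#    certificates whose subject names appear as plain ASCII, so a substring
#    search over the raw bytes is enough for a yes/no answer.
#    Certificate names: assumption based on Microsoft's published 2023 CA names.
$expectedDb  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
$expectedKek = @('Microsoft Corporation KEK 2K CA 2023')

if ($secureBoot) {
    $dbText  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kekText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    foreach ($name in $expectedDb)  { Write-Host ("db  contains '{0}': {1}" -f $name, $dbText.Contains($name)) }
    foreach ($name in $expectedKek) { Write-Host ("KEK contains '{0}': {1}" -f $name, $kekText.Contains($name)) }
}

# 3. TPM present and ready (a prerequisite for Device Encryption)
$tpm = Get-Tpm
Write-Host "TPM present: $($tpm.TpmPresent)  TPM ready: $($tpm.TpmReady)"

# 4. Encryption state of the internal volumes. manage-bde.exe ships with
#    Home editions too, so it reports Device Encryption as well as BitLocker.
manage-bde -status
```

If step 1 reports that Secure Boot is enabled but step 2 shows the 2023 names missing from db or KEK, the firmware has not yet taken the certificate update, which matches the situation the Settings page describes as changes still being needed. Step 4 lists each volume with its "Conversion Status" and "Protection Status", so a drive that is mid-decryption after the toggle was turned off shows up as partially encrypted rather than fully on or off.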
