Campus IT Home
News detail page

News Detail

08. May 2026

Replacing Secure Boot Certificates

Created by Christian Beck

Secure Boot certificates expire at the end of June 2026, so self-managed computers (clients and servers) should be checked in advance. Mac computers do not use Secure Boot and are therefore not affected.

What are Secure Boot certificates?

Secure Boot, opens an external URL in a new window is a security feature found in modern computers. It ensures that only trusted software is allowed to run when the device is turned on — for example, the genuine Windows boot loader, rather than malware.
To make this work, the computer uses digital certificates.

Why are these certificates expiring?

Digital certificates always have a limited validity period so that they can be renewed regularly and security remains up to date. The most important Microsoft Secure Boot certificates from 2011 will expire at the end of June 2026.

How are the certificates renewed?

Ideally, these certificates are automatically renewed when the operating system is updated. This may involve updates to Linux or Windows. In some cases, however, you may need to initiate these updates manually, or, in rare instances, update the BIOS.

What happens if the update isn't installed in time?

Depending on your settings and operating system, the consequences can range from “none” to “the computer no longer starts up.” In addition, future security updates may not install at all or may be difficult to install. It is therefore strongly recommended that you install the updates before June 30, 2026.

How can I make sure my computer doesn't need any updates?

All computers maintained by CIT are automatically updated via the client management system. If any issues arise during this process, we will contact you.

For self-managed Windows computers (with administrative privileges), CIT provides the SecureBoot Certificate Check Tool via the TUtoolbox, opens an external URL in a new window. This tool allows you to easily check the status and initiate the update if necessary. The tool is provided without support from CIT.

On Linux, whether the certificates are used and whether there is a graphical interface or a command-line tool for verification depends on the distribution. Since implementation varies widely across Linux distributions, we are unfortunately unable to offer centralized support for this at this time. However, we are happy to refer you to the OpenTUChat on Matrix, opens an external URL in a new window, where experience has shown that support is available.

Please note the following before performing a manual update

Before performing a manual update, check to see if there are any known issues with your hardware. Also, make sure you have your BitLocker recovery key, opens an external URL in a new window on hand.

Further information

For more information, visit the CIT Downloads and Help, opens an external URL in a new window page.

The following links lead to external websites. Please use the information at your own risk.

Name	Purpose	Lifetime	Type	Provider
CookieConsent	Saves your settings for the use of cookies on this website.	1 year	HTML	Homepage TU Wien
SimpleSAML	This is needed to distinguish between the sessions of the logged-in users.	session	HTTP	Login TU Wien
SimpleSAMLAuthToken	This is needed to distinguish between the sessions of the logged-in users.	session	HTTP	Login TU Wien
fe_typo_user	Is needed so that in case of a Typo3 frontend login the session ID is recognized to grant access to protected areas.	session	HTTP	Homepage TU Wien
staticfilecache	Is needed to optimize the delivery time of the website.	session	HTTP	Homepage TU Wien
JESSIONSID	Is needed so that in case of a LectureTube the session ID is recognized to grant access to protected areas.	session	HTTP	LectureTube TU Wien
_shibsession_lecturetube	This is needed to distinguish between the sessions of the logged-in users.	session	HTTP	LectureTube TU Wien

Name	Purpose	Lifetime	Type	Provider
_pk_id	Used to store a few details about the user such as the unique visitor ID.	13 months	HTML	Matomo TU Wien
_pk_ref	Is used to store the information of the users home website.	6 months	HTML	Matomo TU Wien
_pk_ses	Is needed to store temporary data of the visit.	30 minutes	HTML	Matomo TU Wien

Name	Purpose	Lifetime	Type	Provider
facebook	Is used to Enable ad delivery or retargeting	90 days	HTTP	Meta
__fb_chat_plugin	Is needed to store and track interactions (marketing/tracking).	persistent	HTTP	Meta
_js_datr	Is needed to save user settings.	2 years	HTTP	Meta
_fbc	Is needed to save the last visit (marketing/tracking).	2 years	HTTP	Meta
fbm	Is needed to store account data (marketing/tracking).	1 year	HTTP	Meta
xs	Is needed to store a unique session ID (marketing/tracking).	1 year	HTTP	Meta
wd	Is needed to log the screen resolution.	1 week	HTTP	Meta
fr	Is needed to serve ads and measure and improve their relevance.	3 months	HTTP	Meta
act	Is needed to store logged in users (marketing/tracking).	90 days	HTTP	Meta
_fbp	Is needed to store and track visits to various websites (marketing/tracking).	3 months	HTTP	Meta
datr	Is needed to identify the browser for security and website integrity purposes, including account recovery and identification of potentially compromised accounts.	2 years	HTTP	Meta
dpr	Is used for analysis purposes. Technical parameters are logged (e.g. aspect ratio and dimensions of the screen) so that Facebook apps can be displayed correctly.	1 week	HTTP	Meta
sb	Is needed to store browser details and security information of the Facebook account.	2 years	HTTP	Meta
dbln	Is needed to store browser details and security information of the Facebook account.	2 years	HTTP	Meta
spin	Is needed for promotional purposes and social campaign reporting.	session	HTTP	Meta
presence	Contains the "chat" status of logged in users.	1 month	HTTP	Meta
cppo	Is needed for statistical purposes.	90 days	HTTP	Meta
locale	Is needed to save the language settings.	session	HTTP	Meta
pl	Required for Facebook Pixel.	2 years	HTTP	Meta
lu	Required for Facebook Pixel.	2 years	HTTP	Meta
c_user	Required for Facebook Pixel.	3 months	HTTP	Meta
bcookie	Is needed to store browser data (marketing/tracking).	2 years	HTTP	LinkedIn
li_oatml	Is needed to identify LinkedIn members outside of LinkedIn for advertising and analytics purposes.	1 month	HTTP	LinkedIn
BizographicsOptOut	Is needed to save privacy settings.	10 years	HTTP	LinkedIn
li_sugr	Is needed to store browser data (marketing/tracking).	3 months	HTTP	LinkedIn
UserMatchHistory	Is needed to provide advertising or retargeting (marketing/tracking).	30 days	HTTP	LinkedIn
linkedin_oauth_	Is needed to provide cross-page functionality.	session	HTTP	LinkedIn
lidc	Is needed to store performed actions on the website (marketing/tracking).	1 day	HTTP	LinkedIn
bscookie	Is needed to store performed actions on the website (marketing/tracking).	2 years	HTTP	LinkedIn
X-LI-IDC	Is needed to provide cross-page functionality (marketing/tracking).	session	HTTP	LinkedIn
AnalyticsSyncHistory	Stores the time when the user was synchronized with the "lms_analytics" cookie.	30 days	HTTP	LinkedIn
lms_ads	Is needed to identify LinkedIn members outside of LinkedIn.	30 days	HTTP	LinkedIn
lms_analytics	Is needed to identify LinkedIn members for analytics purposes.	30 days	HTTP	LinkedIn
li_fat_id	Required for indirect member identification used for conversion tracking, retargeting and analytics.	30 days	HTTP	LinkedIn
U	Is needed to identify the browser.	3 months	HTTP	LinkedIn
_guid	Is needed to identify a LinkedIn member for advertising via Google Ads.	90 days	HTTP	LinkedIn