The original Secure Boot certificate expires in June 2026! Richard talks to Richard Hicks about how Secure Boot works and how the expiration of the master certificate can leave PCs vulnerable to boot-related malware, such as rootkits. Richard discusses recent Microsoft communications on SecureBoot and how to check which certificate your machines have. Workstations using managed updates are likely already up to date, but servers are a different issue. When the certificate expires, you'll no longer receive updates to Secure Boot for known exploits, leaving your machines vulnerable. Update today!

Links

• Secure Boot Certificates Expiring
• Sony Rootkit Scandal
• Secure Boot Playbook for Windows Client
• Windows Update Management
• Registry Key Updates for Secure Boot
• Richard's Blog Post on Secure Boot EUFI Certificates Expiring
• Get-UEFICertificate in PowerShell Gallery

Recorded March 9, 2026

An MSIX package identity is composed of a five-part tuple that uniquely identifies a package. It consists of the following attributes:

• Name
• Version
• Architecture
• Resource Id
• Publisher

Together, these fields form the canonical identity of a package. Programmatically, this identity can be represented using APIs such as Windows.ApplicationModel.PackageId or the PACKAGE_ID structure.

Why Package Full Name?

Working directly with the individual identity fields is often inconvenient. To simplify common scenarios, Windows defines an opaque string representation that encapsulates the entire five-part identity: the Package Full Name.

This canonical form provides a convenient way to serialize and pass package identity across system boundaries – such as APIs, file systems, access control lists (ACLs), policy configurations, and other components – without requiring callers to parse or manipulate individual fields.

Why PublisherId?

The Publisher field is an X.509 subject distinguished name. While precise, it can be quite large (up to 8 KB) and may contain characters (such as spaces, backslashes, and ampersands) that are cumbersome in paths, identifiers, or protocol payloads.

To address this, Windows derives a compact shorthand known as the PublisherId.

A PublisherId:

• Is computed as a hash of the Publisher string
• Is always 13 characters in length
• Is encoded using the Crockford variant of Base32

The result is a short, fixed-width, ASCII alphanumeric identifier suitable for use in contexts where the full X.509 subject name would be impractical.

Why Package Family Name?

In some scenarios, the full package identity is overly specific.

For example, if application configuration were tracked per-package, updating a package from version 1.0.0.0 to 1.0.0.1 would produce a new identity – and therefore a completely separate configuration state.

In such cases, a version-independent¹ identifier is preferable.

The Package Family Name provides this abstraction by identifying a package in a manner that is independent of:

• Version
• Architecture
• ResourceId

Common uses include tracking security assignments and persistent configuration at the Package Family level rather than per individual package instance.

¹ More precisely: independent of version, architecture, and resource id.

The post Package Identity appeared first on Inside MSIX.

Whew. The workday isn’t done yet, but I’m getting a quick breather from Google I/O going on this week. The keynotes were terrific, and I just finished a breakout with two superstar presenters. Below you’ll find a few I/O items I read, and then non-Google stuff.

[blog] I/O 2026: Welcome to the agentic Gemini era. Huge momentum, and a fantastic array of announcements and releases. Here are some key highlights.

[blog] Gemini 3.5: frontier intelligence with action. This latest family of models is here, starting with Gemini 3.5 Flash, available today.

[blog] Introducing Gemini Omni. This was the most impressive thing I saw today. Truly transformational technology.

[blog] Building the agentic future: Developer highlights from I/O 2026. We shipped a huge refresh to Antigravity, our agent-first way of building. Also check this out for a new Managed Agents service, and improvements to Google AI Studio.

[article] Agent Skills Work but the Research Shows Most Teams Are Building Them Wrong. Some very actionable advice here on what to put in a skill, how to structure them, and how to think about their lifecycle.

[blog] Everything Google Cloud customers need to know coming out of Google I/O. Sometimes, it seems we ship consumer-focused features that our enterprise customers can’t take advantage of. Many of today’s releases were for everyone.

[article] We Went Multi-Cloud and Almost Drowned: Lessons From Running Across AWS, GCP, and Azure. Nothing makes multi-cloud infrastructure “easy.” At best, a product can make it “easier.” This shows where some of the pain lives.

[blog] Deploying to Agent Platform with ADK. Simple example, but also simple to follow if you want to see the way to deploy and test and agent.

[article] Why Is It So Hard to Write a Good Design Doc? (Part 1). Can the AI read the code, and with good prompting, generate a human-approved design doc? Seems like you get some shallow results without the right human guidance.

[blog] The just-say-no engineer was a ZIRP phenomenon. Bargaining power doesn’t exist for most roles today, including engineers. Scope is different, as are expectations. AI is part of it, but not the cause according to Sean.

Want to get this update sent to you every day? Subscribe to my RSS feed or subscribe via email below: