If the Secure Boot Update Needed notification below appears when starting Tails, it means that the Secure Boot certificates of this computer need to be updated.
Otherwise, Tails will no longer start on this computer after a future Tails upgrade. We cannot predict when such an upgrade will occur, because the timing depends on changes that Tails could inherit from Debian in any Tails upgrade.
After this change in Tails occurs, the computer might display a Secure Boot Violation error or another error message when trying to start Tails.
Why is this happening?
Secure Boot is a security measure that prevents starting malicious operating systems on a computer. Most computers running Windows have Secure Boot enabled. Linux distributions, including Tails, also support Secure Boot.
Since 2023, Microsoft has started replacing the Secure Boot certificates originally issued in 2011. These older certificates begin expiring in June 2026.
Tails has detected that the computer still has outdated Secure Boot certificates and needs an update.
Updating the Secure Boot certificates
To update the Secure Boot certificates of the computer, restart its regular operating system, Windows or Linux, and apply all available updates.
For Windows, select Start ▸ Settings ▸ Windows Update ▸ Check for Windows updates.
See also Microsoft: Install Windows updates.
For Linux, such updates are applied by the fwupd daemon.
Linux distributions that use the GNOME desktop automatically apply this update through GNOME Software.
Disabling Secure Boot
If the Secure Boot Update Needed notification persists when restarting Tails, it means that the Secure Boot certificates of the computer are still outdated.
Instead of updating the certificate, you can also disable Secure Boot. Even with Secure Boot disabled, the regular operating system should still start.
You can usually disable Secure Boot through the BIOS settings of the computer, but the procedure varies by manufacturer. To learn how to edit the BIOS settings, search for the user manual of the computer on the support website of the manufacturer.
In the BIOS menu, find the Secure Boot setting and disable it. This option is usually in either the Security tab, the Boot tab, or the Authentication tab.