Microsoft Replaces Expiring Secure Boot Certificates in Windows 11 Updates

Microsoft has begun automatically updating expiring Secure Boot certificates on Windows 11 systems. Learn why the update matters, risks of inaction, and what IT admins should do before 2026.

Jan 14, 2026 - 17:01

Microsoft has begun automatically replacing the expiring Secure Boot certificates on supported Windows 11 systems, starting with version 24H2 and the upcoming 25H2 releases. The step is part of a larger initiative to keep the platform secure, as the critical certificates used by Secure Boot begin expiring in June 2026 at the earliest.

Secure Boot is a UEFI firmware feature that protects the boot process from tampering. It prevents malware such as bootkits and rootkits from loading before the operating system by allowing only signed, trusted boot components to run. The device's UEFI firmware verifies those digital signatures against the certificates it trusts, so the validity of the certificates is crucial to the system's integrity.

Why Secure Boot Certificate Updates Matter

In November, Microsoft had already warned IT administrators that the certificates used to validate UEFI firmware and bootloaders were approaching the end of their lifetime. Addressing the situation is critical, as expiration could leave Windows devices unable to boot securely or to receive important security updates.

"Most of the Windows devices will have their Secure Boot certificates expiring from June 2026 onwards. This will have an impact on the secure boot of the particular personal and business devices that will not be updated soon," Microsoft said.

Microsoft has already taken steps to mitigate the situation by shipping updated Secure Boot certificates in the Windows quality updates. Nevertheless, the company is rolling them out cautiously to avoid disruption.

Phased and Targeted Deployment

Beginning with recent Windows updates, Microsoft uses high-confidence device-targeting data to identify systems eligible for automatic Secure Boot certificate updates. Initially, only devices that have consistently installed updates successfully will receive the new certificates.

According to Microsoft, the phased rollout acts as a safeguard, preserving stability while minimizing the chance of boot failures. Devices receive the updated certificates only after a set of reliability signals has been met, allowing Microsoft to expand the rollout gradually and safely.

Risks of Not Updating Secure Boot Certificates

Organizations that fail to update their Secure Boot certificates before they expire face serious consequences, including:

  • Secure Boot protections may effectively be disabled altogether
  • Windows Boot Manager security updates may no longer be delivered
  • Pre-boot security components will no longer be updated
  • Devices may be unable to trust newly signed boot loaders

According to Microsoft, devices that do not receive the updates in time risk losing both serviceability and security: they could become vulnerable to boot-level malware, and future security mitigations could no longer be applied.

What IT Administrators Should Do

Microsoft plans to refresh Secure Boot certificates on trusted devices via Windows Update, but organizations running enterprise environments should not rely on that delivery as their only option.

IT administrators should take the initiative and do the following:

  1. Inventory all devices and identify which ones use Secure Boot
  2. Check Secure Boot status with PowerShell commands or registry keys
  3. Update OEM firmware to ensure compatibility with the new certificates
  4. Install the new Microsoft certificates and remove the old ones
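The first two steps above can be scripted as a read-only readiness check. The following PowerShell is an added example, not a script from the article or from Microsoft: it reports whether Secure Boot is enabled, whether the firmware's `db` already trusts the replacement signing CA, and what status the Windows servicing component has recorded. It assumes, from Microsoft's published guidance rather than from this page, the `SecureBoot` module cmdlets `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI`, the certificate names "Microsoft Windows Production PCA 2011" (expiring) and "Windows UEFI CA 2023" (replacement), and the `UEFICA2023Status` value under `HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing`. It does not modify firmware variables; applying the update itself remains the job of Windows Update or the registry, WinCS, or Group Policy mechanisms the article mentions.

```powershell
# Added example (not from the article): read-only Secure Boot readiness check for
# one Windows 11 device. Run elevated; collect the output across the fleet with
# your management tooling. Assumed names (per Microsoft documentation, not this
# page): Confirm-SecureBootUEFI, Get-SecureBootUEFI, the 2011/2023 CA subject
# names, and the UEFICA2023Status servicing registry value.
#Requires -RunAsAdministrator

function Get-SecureBootCertReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName    = $env:COMPUTERNAME
        SecureBootOn    = $null
        Has2011CA       = $null   # expiring Windows signing CA present in db
        Has2023CA       = $null   # replacement Windows signing CA present in db
        ServicingStatus = $null   # status recorded by Windows servicing, if any
        Assessment      = $null
    }

    try {
        # Confirm-SecureBootUEFI throws on legacy BIOS / CSM systems.
        $result.SecureBootOn = Confirm-SecureBootUEFI
    } catch {
        $result.SecureBootOn = $false
        $result.Assessment   = "Secure Boot unsupported or firmware in legacy mode: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # The 'db' variable holds the allowed signing certificates as EFI_SIGNATURE_LISTs.
    # Subject names are ASCII inside the DER-encoded certificates, so a text match is
    # sufficient for an inventory check; a full X.509 parse is not needed here.
    $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
    $dbText  = [System.Text.Encoding]::ASCII.GetString($dbBytes)
    $result.Has2011CA = $dbText -match 'Microsoft Windows Production PCA 2011'
    $result.Has2023CA = $dbText -match 'Windows UEFI CA 2023'

    # Status written by the Windows update that carries the new certificates
    # (assumed key/value name; absent on devices the rollout has not reached).
    $servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = Get-ItemProperty -Path $servicingKey -Name 'UEFICA2023Status' -ErrorAction SilentlyContinue
    $result.ServicingStatus = if ($status) { $status.UEFICA2023Status } else { 'NotReported' }

    $result.Assessment = if ($result.Has2023CA) {
        'Ready: replacement CA already trusted by firmware'
    } elseif (-not $result.SecureBootOn) {
        'Secure Boot disabled: certificate update cannot be applied to firmware'
    } else {
        'Action needed: only the expiring CA is present; verify OEM firmware and servicing policy'
    }

    [pscustomobject]$result
}

# Usage: run once per device; pipe to Export-Csv for a fleet inventory.
Get-SecureBootCertReadiness | Format-List
```

A device reporting `Has2023CA = True` already trusts the replacement CA even if `ServicingStatus` is still `NotReported`, because the OEM may have shipped the 2023 certificate in firmware; a device with Secure Boot disabled needs that fixed first, since the servicing update writes to firmware variables that are only meaningful with Secure Boot enforced.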

Organizations that prefer manual control can instead use registry keys, WinCS, or Group Policy settings.

Microsoft’s Secure Boot playbook offers detailed guidance for IT staff on verifying device readiness and applying certificate updates safely within their own environments.

Final Thoughts

Microsoft's proactive replacement of the expiring Secure Boot certificates underscores the need to preserve trust at the firmware and boot level. The automatic updates will cover a large number of consumer and enterprise systems, but IT departments need to act promptly to avoid being caught unprepared as the 2026 expiration date approaches.

Updating Secure Boot certificates is more than a compliance exercise; it is an essential step in safeguarding Windows devices against some of the most sophisticated and damaging forms of malware.