Secure Boot is a security feature that prevents malicious software from running during system startup, ensuring that only trusted bootloaders can be loaded on computers with UEFI firmware. This is achieved by comparing the digital signature on the boot software with a set of trusted certificates stored in the device's firmware.
Microsoft this week began automatically replacing expiring Secure Boot certificates on eligible Windows 11 24H2 and 25H2 operating systems and has alerted IT administrators of the changes. The announcement comes after Microsoft warned IT administrators in November to update security certificates used to validate UEFI firmware before they expire.
“The secure boot certificates used by most Windows devices will expire starting in June 2026. This could impact the ability of certain personal and business devices to boot securely if they are not updated in time,” explains Microsoft.
Starting with this update, Windows quality updates include a subset of highly reliable device data that identifies devices eligible to automatically receive new Secure Boot certificates. Devices will receive the new certificates only after demonstrating sufficient signs of a successful update, ensuring a safe and gradual rollout.
Maintain Secure Boot functionality
IT administrators who want to maintain Secure Boot functionality and ensure the security of their endpoints must install the new certificates before the old ones expire this summer. If they don't, they could lose Windows Boot Manager and Secure Boot protections, as security updates for pre-boot components will no longer be provided to Secure Boot-enabled devices.
“Without updates, Secure Boot-enabled Windows devices risk not receiving security updates or relying on new boot loaders, which will compromise both serviceability and security,” Microsoft explained.
While Microsoft will automatically update highly trusted devices through Windows Update, organizations can also deploy the Secure Boot certificates themselves using registry keys, Windows Configuration System (WinCS), and Group Policy settings.
According to the Microsoft Secure Boot manual, administrators should first inventory their device fleets, check the Secure Boot status using PowerShell commands or registry keys, and then apply firmware updates from the manufacturer before installing Microsoft's certificate updates.
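The inventory and status check described above, as an added PowerShell example that is not from the article or from Microsoft's manual: it reports whether Secure Boot is on and whether the 2023 Microsoft certificates are already present in the firmware's db variable. The certificate subject names follow Microsoft's public Secure Boot documentation; the registry servicing value it reads is an assumption and is handled as optional.

```powershell
# Added example (not the article's or Microsoft's code): per-device Secure Boot
# certificate inventory. Run in an elevated PowerShell session on the device.

function Get-SecureBootCertInventory {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName         = $env:COMPUTERNAME
        SecureBootEnabled    = $null
        DbHas2023WindowsCA   = $false
        DbHas2023UefiCA      = $false
        DbHas2023OptionRomCA = $false
        ServicingStatus      = 'Unknown'
        Error                = $null
    }

    try {
        # Confirm-SecureBootUEFI returns $true only when firmware reports Secure Boot enabled.
        $result.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop

        # The 'db' variable holds the allowed signing certificates. Subject names are
        # stored as ASCII inside the DER-encoded certificates, so a text search over
        # the raw bytes is enough to tell whether each 2023 CA has been installed.
        $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db -ErrorAction Stop).Bytes)
        $result.DbHas2023WindowsCA   = $db -match 'Windows UEFI CA 2023'
        $result.DbHas2023UefiCA      = $db -match 'Microsoft UEFI CA 2023'
        $result.DbHas2023OptionRomCA = $db -match 'Microsoft Option ROM UEFI CA 2023'
    }
    catch {
        # Legacy BIOS systems, or firmware that does not expose the variables, land here.
        $result.Error = $_.Exception.Message
    }

    # Assumed registry location for the certificate servicing state; it is absent on
    # devices that have not yet received the servicing update, so missing is tolerated.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = Get-ItemProperty -Path $key -Name UEFICA2023Status -ErrorAction SilentlyContinue
    if ($status) { $result.ServicingStatus = $status.UEFICA2023Status }

    [pscustomobject]$result
}

# Usage: one row per device, collected centrally for the fleet inventory.
Get-SecureBootCertInventory | Export-Csv -Path "$env:TEMP\secureboot-inventory.csv" -NoTypeInformation
```

Devices where SecureBootEnabled is true but all three DbHas2023* fields are false are the ones to prioritise for firmware updates and certificate deployment before the June 2026 expiry.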
