Windows Server requires manual intervention
Windows Server follows a completely different update process. While upgrades for Windows desktop PCs are largely automatic, Windows Server requires manual intervention. IT administrators must validate and manually roll out certificate updates across the entire server infrastructure.
Microsoft’s documentation for Windows Server administrators runs into dozens of pages. It includes PowerShell commands, registry key checks, firmware validation, pilot deployments, and careful monitoring – especially in organizations with thousands of servers.
Some devices have fundamental limitations in their hardware or firmware that prevent them from receiving the automated certificate updates. These are not theoretical cases. Microsoft’s own documentation confirms this.
Inventory required
Administrators must first record which Windows Server systems are using Secure Boot and verify whether the new certificates are already present. Some of the newest servers already ship with the updated certificates, but only very recent ones do. Microsoft recommends fully patching the servers and then applying the certificate update path to all affected devices that still rely on the older 2011 chain.
For managed environments, Microsoft recommends validating physical servers, cluster nodes, and server virtual machines separately because images and firmware update behavior may vary by platform.
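The inventory step above is where the PowerShell and registry checks come in. The following is an added example, not code from the article or from Microsoft's documentation: a read-only function that reports, for the local server, whether Secure Boot is enabled, whether the Secure Boot signature database (db) still carries the 2011 CA chain, which of the 2023 CAs are missing, and the servicing status Windows records in the registry while the update runs. The hardware model is included so physical hosts, cluster nodes, and virtual machines can be sorted and validated separately. The registry value name `UEFICA2023Status` under the `SecureBoot\Servicing` key is assumed here from Microsoft's published Secure Boot update guidance and should be checked against the current documentation; the `servers.txt` file in the usage comment is a constructed placeholder.

```powershell
# Added example (not from the article or Microsoft's documentation). Run elevated on each
# server, or across a fleet with Invoke-Command. Read-only: it never changes Secure Boot state.
# Assumption: the 'UEFICA2023Status' value name is taken from Microsoft's Secure Boot update
# guidance; verify it against the current documentation before relying on it.

function Get-SecureBootCertInventory {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        Model             = (Get-CimInstance -ClassName Win32_ComputerSystem).Model  # "Virtual Machine" etc. for VMs
        SecureBootEnabled = $null
        Has2011Chain      = $null
        Has2023CAs        = $null
        Missing2023CAs    = @()
        UEFICA2023Status  = 'Unknown'
        Note              = ''
    }

    # 1. Is Secure Boot enabled? Confirm-SecureBootUEFI throws on legacy BIOS systems and on
    #    platforms that do not expose the UEFI variables, so treat an exception as "not available".
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $result.SecureBootEnabled = $false
        $result.Note = "Secure Boot not available: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 2. Read the 'db' (allowed signers) variable. Certificate subject names are stored as
    #    printable strings inside the DER data, so an ASCII substring search is enough to
    #    tell which CAs are present without parsing the EFI_SIGNATURE_LIST structures.
    try {
        $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
        $dbText  = [System.Text.Encoding]::ASCII.GetString($dbBytes)
    } catch {
        $result.Note = "Could not read Secure Boot db: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # Subject names of the expiring 2011 chain and of the replacement 2023 CAs.
    $oldCAs = @('Microsoft Windows Production PCA 2011', 'Microsoft Corporation UEFI CA 2011')
    $newCAs = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')

    $result.Has2011Chain   = [bool]($oldCAs | Where-Object { $dbText.Contains($_) })
    $result.Missing2023CAs = @($newCAs | Where-Object { -not $dbText.Contains($_) })
    $result.Has2023CAs     = ($result.Missing2023CAs.Count -eq 0)

    # 3. Servicing status Windows writes while the certificate update task is in progress.
    $servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $servicing = Get-ItemProperty -Path $servicingKey -ErrorAction SilentlyContinue
    if ($servicing -and $servicing.PSObject.Properties['UEFICA2023Status']) {
        $result.UEFICA2023Status = $servicing.UEFICA2023Status
    }

    return [pscustomobject]$result
}

# Usage across a fleet: one row per server into a CSV for the pilot/rollout tracker.
# servers.txt is a constructed placeholder, one hostname per line.
# $servers = Get-Content .\servers.txt
# Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-SecureBootCertInventory} |
#     Select-Object ComputerName, Model, SecureBootEnabled, Has2011Chain, Has2023CAs, UEFICA2023Status, Note |
#     Export-Csv -Path .\secureboot-inventory.csv -NoTypeInformation

# Local run:
Get-SecureBootCertInventory | Format-List
```

Servers that report `SecureBootEnabled = True`, `Has2011Chain = True` and a non-empty `Missing2023CAs` list are the ones still dependent on the expiring chain and belong in the update path; a row whose `Note` says the db could not be read, or whose status never leaves its initial value after patching, is a candidate for the firmware and vendor checks the article describes rather than for another reboot.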
The problem is more serious for computers that are no longer serviced or updated, or whose manufacturer is no longer in business. The only possible solution is to replace the hardware.
