Microsoft has introduced a new feature within the Microsoft Defender dashboard aimed at assisting enterprise IT managers in identifying devices still reliant on the 2011 Secure Boot certificates. This timely addition provides security teams with a centralized view of potential risks across their device fleet, particularly as the expiration date for these certificates approaches in June of this year.
Microsoft Defender and June expiration
“Time is running out: The Secure Boot certificates from 2011 expire in June of this year,” a reminder that underscores the urgency of the situation. The newly implemented recommendation view categorizes devices into three distinct groups:
- Exposed Devices: These devices continue to trust the outdated Secure Boot certificates while failing to recognize the newer ones.
- Compliant Devices: These have successfully transitioned to the new 2023 certificates and possess a signed boot manager.
- Not Applicable Devices: This category includes devices that either have Secure Boot disabled or lack support for it altogether.
Fleet checks in Defender
According to Microsoft, the dashboard equips administrators with a comprehensive overview of the security status of their managed devices from a single interface. It also illustrates the distribution of the 2023 Secure Boot certificates throughout the device fleet, offering a more efficient alternative to the traditional method of checking each machine individually through the Windows Security app, which only reveals certificate status for single computers. Furthermore, the dashboard allows administrators to filter the recommendation view based on operating system platforms and device contexts.
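The three categories above can be approximated on a single machine with the built-in Secure Boot cmdlets, which is useful for spot-checking a device the dashboard flags or for servers outside Defender. The script below is an added example written for this article; it is not Microsoft's code and not how the Defender dashboard is implemented. It assumes the 2011 and 2023 CA subject names listed at the top are the ones Microsoft uses for its Secure Boot signing CAs (adjust if your firmware vendor uses others), and it only inspects the firmware signature database (db); the dashboard's "Compliant" category additionally requires a boot manager signed by the 2023 CA, which this script does not verify. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article or from Microsoft): classify the local
# device the way the Defender recommendation view does, based on which
# Secure Boot CAs the firmware db trusts. Requires an elevated prompt.

# Assumed CA subject names (Microsoft's Secure Boot signing CAs).
$Cas2011 = @('Microsoft Windows Production PCA 2011',
             'Microsoft Corporation UEFI CA 2011')
$Cas2023 = @('Windows UEFI CA 2023',
             'Microsoft UEFI CA 2023',
             'Microsoft Option ROM UEFI CA 2023')

function Get-SecureBootCertificateState {
    # Step 1: is Secure Boot supported and enabled? Confirm-SecureBootUEFI
    # throws on platforms without UEFI Secure Boot and returns $false when
    # the feature is disabled; both map to "Not Applicable".
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME; Category = 'Not Applicable'
            Reason = 'Secure Boot not supported'; Trusts2011 = $null; Trusts2023 = $null
        }
    }
    if (-not $enabled) {
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME; Category = 'Not Applicable'
            Reason = 'Secure Boot disabled'; Trusts2011 = $null; Trusts2023 = $null
        }
    }

    # Step 2: read the signature database (db). The EFI_SIGNATURE_LIST blob
    # contains the DER-encoded certificates, so the CA subject names are
    # present as plain ASCII and a substring search is enough for triage.
    $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
    $dbText  = [System.Text.Encoding]::ASCII.GetString($dbBytes)

    $trusts2011 = @($Cas2011 | Where-Object { $dbText.Contains($_) }).Count -gt 0
    $trusts2023 = @($Cas2023 | Where-Object { $dbText.Contains($_) }).Count -gt 0

    # Step 3: map to the dashboard's categories. "Exposed" = still trusts the
    # 2011 CAs without recognizing the 2023 ones. "Compliant (db)" = 2023 CAs
    # present; the boot-manager signer still needs to be confirmed separately.
    if ($trusts2023) {
        $category = 'Compliant (db)'; $reason = '2023 CA present in db'
    } elseif ($trusts2011) {
        $category = 'Exposed';        $reason = 'Only 2011 CA present in db'
    } else {
        $category = 'Unknown';        $reason = 'Neither Microsoft CA found in db'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Category     = $category
        Reason       = $reason
        Trusts2011   = $trusts2011
        Trusts2023   = $trusts2023
    }
}

# Usage: show the result, or append it to a CSV that can be merged with the
# dashboard's export when handing the list to the infrastructure team.
$state = Get-SecureBootCertificateState
$state | Format-List
$state | Export-Csv -Path "$env:TEMP\secureboot-cert-state.csv" -NoTypeInformation -Append
```

Because the script reads only the db variable, a device that reports "Compliant (db)" here may still be listed as Exposed by Defender if its boot manager has not yet been replaced with the 2023-signed build; treat the local result as a first-pass filter rather than a substitute for the dashboard's verdict.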
Windows servers and manual action
While devices that do not obtain the new certificates will still boot, they will be unable to enforce the latest protection measures during the system’s early boot phase. Additionally, relying on outdated certificates may expose devices to emerging threats before the operating system and full security controls are activated. A notable challenge arises from the fact that Microsoft does not automatically distribute the new Secure Boot certificates through routine Windows updates on Windows servers. Consequently, server administrators cannot simply wait for a scheduled update cycle to address this issue, especially given that Microsoft has been warning since June 2025 that the certificates will expire.
The dashboard serves as a valuable triage tool for IT teams, enabling them to export device data for collaboration with infrastructure and platform teams. Prioritizing action on machines categorized as Exposed Devices is essential. However, the pressing question remains: how swiftly will organizations transition their fleets to the 2023 certificates before the June deadline arrives?