cryptographic certificates Archives

Winsage

May 28, 2026

Windows Server 2016 Update: Disastrous Bug Breaks AD

Microsoft released a mandatory patch (KB5087537) for Windows Server 2016 to enhance cryptographic layers and address critical vulnerabilities. This update is essential for organizations using legacy workloads, as mainstream support ended in January 2022, but extended support continues until January 12, 2027. The patch aims to prepare systems for the expiration of Windows Secure Boot certificates in June 2026, which, if not updated, could compromise security and expose systems to malware. The update uses a phased deployment model and includes a new SecureBoot folder to assist IT professionals in managing certificate status. It also addresses various quality-of-life issues, including bugs affecting Remote Desktop Connection and authentication errors with Microsoft services. However, a significant issue arises when the host server name is exactly 15 characters long, causing failures in the domain controller discovery process and obstructing critical operations. This bug is linked to the historical 15-character limit of NetBIOS, which affects the Active Directory lookup mechanism. Microsoft has acknowledged the issue but has not provided a timeline for a fix, leaving administrators to either rename servers or uninstall the update. As the Secure Boot deadline approaches, IT departments must carefully assess their environments to avoid disruptions while ensuring security compliance.

Winsage

March 7, 2026

Microsoft’s Secure Boot certificates expire in June 2026, but older PCs may never get the fix

Every Secure Boot-enabled Windows PC relies on cryptographic certificates issued by Microsoft in 2011, embedded in the motherboard's firmware, to ensure a secure boot process. The first of these certificates will expire on June 24, 2026, which will affect the ability to receive future security updates for critical components of the Windows startup process. Microsoft is rolling out replacement certificates through Windows Update, marking a significant security maintenance effort. Secure Boot operates as a chain of trust with certificates stored in the motherboard's UEFI firmware, validating software before the operating system loads. The Platform Key (PK) is at the top of this chain, followed by the Key Exchange Key (KEK) and the Signature Database (DB). The replacement certificates introduced in 2023 restructure certificate management, separating responsibilities among different certificate authorities to enhance the trust model. Not all PCs are affected by the upcoming expiration; newer devices manufactured since 2024 already have the new certificates. Windows 10 users face challenges as support for this version ends in October 2025, and they will not receive the new certificates unless enrolled in Extended Security Updates. Home users should ensure their PCs are set to receive updates automatically, while enterprise environments require coordination for firmware updates before the Windows certificate update.

Winsage

March 6, 2026

Microsoft’s Secure Boot certificates expire in June 2026, but older PCs may never get the fix

Every Secure Boot-enabled Windows PC relies on cryptographic certificates issued by Microsoft in 2011 for boot process integrity. The first of these certificates will expire on June 24, 2026, impacting the ability to receive future security updates. Microsoft is rolling out replacement certificates through Windows Update, requiring collaboration between Microsoft, PC manufacturers, and users. Three critical certificates will expire: the Microsoft Corporation KEK CA 2011 and Microsoft UEFI CA 2011 in June 2026, and the Microsoft Windows Production PCA 2011 in October 2026. The new certificates introduced in 2023 have a restructured functionality to enhance security. Not all PCs are affected; newer devices manufactured since 2024 come with the new certificates. Windows 10 users face challenges as support ends in October 2025, and unsupported devices will not receive updates. Home users should ensure automatic Windows updates and check for firmware updates, while enterprise environments must verify firmware updates before applying certificate updates. The first certificate expiration is on June 27, 2026.