Microsoft has begun automatically replacing expiring Secure Boot certificates on eligible Windows 11 24H2 and 25H2 devices. The update is delivered through the normal servicing channel and is aimed at keeping the boot chain serviceable after the current certificates expire.
Understanding Secure Boot
Secure Boot is the firmware-level defense against bootkits and other malicious code that tries to load before the operating system. On UEFI machines it verifies the digital signature of each boot component (boot manager, boot loader, option ROM) against the trusted certificates stored in the firmware's signature database, and refuses to execute anything that does not chain to one of them.
This announcement follows an advisory Microsoft issued in November urging IT administrators to roll out the replacement certificates that Secure Boot uses to validate boot components before the current ones expire. Microsoft noted that the original Secure Boot certificates begin expiring in June 2026, and that devices which have not received the replacements by then will lose the ability to be serviced securely at the pre-boot level.
With the latest update, Microsoft has added logic to Windows quality updates that identifies devices eligible to receive the new Secure Boot certificates automatically. Only devices whose diagnostic data shows a history of successful updates ("high-confidence" devices) are targeted, so that the rollout proceeds gradually and can be halted if a firmware or hardware combination turns out to be problematic.
IT administrators who want to keep Secure Boot protection intact should install the new certificates before the June 2026 expiration. Devices that miss the deadline will still boot, because UEFI firmware does not check a certificate's validity period at boot time, but Microsoft will no longer be able to ship security updates for pre-boot components such as Windows Boot Manager to them, since those updates must be signed by a certificate the device trusts.
Microsoft cautions that, without these updates, Secure Boot-enabled devices will neither receive critical boot-component security fixes nor be able to trust newly signed boot loaders, which degrades both their serviceability and their security posture over time.
While the automatic update process will facilitate the transition for high-confidence devices, organizations retain the option to deploy Secure Boot certificates through various methods, including registry keys, the Windows Configuration System (WinCS), and Group Policy settings.
According to Microsoft's Secure Boot playbook, IT administrators should start by inventorying their device fleet, verifying each device's Secure Boot status and certificate contents through PowerShell commands or the Secure Boot servicing registry keys, and applying any available manufacturer firmware updates before installing Microsoft's certificate updates.
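The inventory step of that playbook, as an added example that is not Microsoft's own script or part of the original article. It reads the firmware's Secure Boot variables with the built-in `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets and the `SecureBoot\Servicing` registry key, and classifies the device as updated, in progress, or still needing the 2023 certificates. The certificate common names and the `UEFICA2023Status` / `AvailableUpdates` value names are taken from Microsoft's published Secure Boot certificate guidance as understood at the time of writing, not from this article; verify them against the current playbook before relying on the classification. Run in an elevated PowerShell session on Windows 11.

```powershell
# Added example (not Microsoft's script): per-device Secure Boot certificate inventory
# ahead of the June 2026 CA expiry. Assumes the certificate names and registry values
# documented in Microsoft's Secure Boot servicing guidance; confirm against the playbook.

$ServicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

function Get-SecureBootCertInventory {
    [CmdletBinding()]
    param()

    # Firmware version/date tell you whether the OEM update step is still outstanding.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem

    $inv = [ordered]@{
        ComputerName       = $env:COMPUTERNAME
        Manufacturer       = $cs.Manufacturer
        Model              = $cs.Model
        FirmwareVersion    = $bios.SMBIOSBIOSVersion
        FirmwareDate       = $bios.ReleaseDate
        SecureBootOn       = $false
        KEK_2011           = $null   # Microsoft Corporation KEK CA 2011 (expiring)
        KEK_2023           = $null   # Microsoft Corporation KEK 2K CA 2023 (replacement)
        Db_WinPCA2011      = $null   # Microsoft Windows Production PCA 2011 (expiring)
        Db_WinUefiCA2023   = $null   # Windows UEFI CA 2023 (replacement for Windows boot components)
        Db_MsUefiCA2011    = $null   # Microsoft Corporation UEFI CA 2011 (expiring, third-party)
        Db_MsUefiCA2023    = $null   # Microsoft UEFI CA 2023 (replacement for third-party)
        UEFICA2023Status   = $null   # servicing state string written by Windows
        AvailableUpdates   = $null   # bitmask that opts the device into the servicing tasks
        Status             = 'Unknown'
    }

    try {
        # $true/$false when the platform supports Secure Boot; throws on legacy BIOS/CSM boot.
        $inv.SecureBootOn = [bool](Confirm-SecureBootUEFI)
    } catch {
        $inv.Status = 'NoSecureBootSupport'
        return [pscustomobject]$inv
    }

    if ($inv.SecureBootOn) {
        # db holds the allowed signers, KEK the keys permitted to update db/dbx.
        # The DER-encoded certificates contain their CNs as printable strings, so a
        # substring match on the raw variable bytes is enough to detect each CA.
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).bytes)
        $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).bytes)

        $inv.KEK_2011         = $kek -match 'Microsoft Corporation KEK CA 2011'
        $inv.KEK_2023         = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        $inv.Db_WinPCA2011    = $db  -match 'Microsoft Windows Production PCA 2011'
        $inv.Db_WinUefiCA2023 = $db  -match 'Windows UEFI CA 2023'
        $inv.Db_MsUefiCA2011  = $db  -match 'Microsoft Corporation UEFI CA 2011'
        $inv.Db_MsUefiCA2023  = $db  -match 'Microsoft UEFI CA 2023'
    }

    # Servicing state as recorded by Windows. The key may be absent on an
    # unserviced device, so read it tolerantly.
    $svc = Get-ItemProperty -Path $ServicingKey -ErrorAction SilentlyContinue
    if ($svc) {
        $inv.UEFICA2023Status = $svc.UEFICA2023Status
        if ($null -ne $svc.AvailableUpdates) {
            # Keep the raw bitmask; the meaning of each bit is defined in Microsoft's guidance.
            $inv.AvailableUpdates = '0x{0:X}' -f [int]$svc.AvailableUpdates
        }
    }

    # Classification. "Updated" here means the replacement KEK and Windows CA are
    # present in firmware; whether Boot Manager itself has been re-signed is tracked
    # separately by the servicing state, so report both rather than collapsing them.
    if (-not $inv.SecureBootOn) {
        $inv.Status = 'SecureBootDisabled'
    } elseif ($inv.KEK_2023 -and $inv.Db_WinUefiCA2023) {
        $inv.Status = 'Updated'
    } elseif ($inv.UEFICA2023Status -eq 'InProgress') {
        $inv.Status = 'InProgress'
    } else {
        $inv.Status = 'NeedsUpdate'
    }

    [pscustomobject]$inv
}

# Emit the inventory object so the script can be run directly or via Invoke-Command.
Get-SecureBootCertInventory
```

Save the block as a `.ps1` and run it locally with `.\Get-SecureBootCertInventory.ps1 | Format-List`, or across a fleet with `Invoke-Command -ComputerName (Get-Content .\hosts.txt) -FilePath .\Get-SecureBootCertInventory.ps1 | Export-Csv .\secureboot-inventory.csv -NoTypeInformation`. Devices reporting `NeedsUpdate` with a stale `FirmwareDate` are the ones to send through the OEM firmware update before the certificate update is pushed; devices reporting `SecureBootDisabled` or `NoSecureBootSupport` are outside the scope of this rollout and need separate attention.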