Endpoint/Device Security

Microsoft automates Secure Boot certificate updates for Windows 11

Microsoft has begun automatically replacing expiring Secure Boot certificates on eligible Windows 11 systems, specifically versions 24H2 and 25H2. Secure Boot is a critical security feature designed to prevent malicious software, such as rootkits, from loading during the system startup process by verifying digital signatures of bootloaders against trusted certificates stored in the device's firmware. This proactive measure addresses concerns raised in November about certificates expiring in June 2026, which could impact the bootability of many devices, as reported by Bleeping Computer.

The automatic update process targets devices demonstrating sufficient successful update signals, ensuring a phased and safe deployment. Secure Boot certificates, essential for validating UEFI firmware, are set to expire starting in June 2026. Failure to update these certificates could lead to the loss of Windows Boot Manager and Secure Boot protections, preventing devices from receiving vital security updates for pre-boot components. Microsoft warns that this affects both serviceability and overall security. While automatic updates are rolling out to high-confidence devices, IT administrators also have options to deploy these certificates manually via registry keys, Windows Configuration System, and Group Policy.

By automating certificate renewals, Microsoft aims to mitigate widespread security risks associated with expiring trust anchors. Organizations are still advised to follow best practices, including inventorying devices and verifying Secure Boot status, to ensure uninterrupted protection and compliance with security standards.

Source: Bleeping Computer

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds