Microsoft has begun automatically replacing expiring Secure Boot certificates on eligible Windows 11 systems, specifically versions 24H2 and 25H2. Secure Boot is a critical security feature designed to prevent malicious software, such as rootkits, from loading during the system startup process by verifying digital signatures of bootloaders against trusted certificates stored in the device's firmware. This proactive measure addresses concerns raised in November about certificates expiring in June 2026, which could impact the bootability of many devices, as reported by Bleeping Computer.The automatic update process targets devices demonstrating sufficient successful update signals, ensuring a phased and safe deployment. Secure Boot certificates, essential for validating UEFI firmware, are set to expire starting in June 2026. Failure to update these certificates could lead to the loss of Windows Boot Manager and Secure Boot protections, preventing devices from receiving vital security updates for pre-boot components. Microsoft warns that this affects both serviceability and overall security. While automatic updates are rolling out to high-confidence devices, IT administrators also have options to deploy these certificates manually via registry keys, Windows Configuration System, and Group Policy.By automating certificate renewals, Microsoft aims to mitigate widespread security risks associated with expiring trust anchors. Organizations are still advised to follow best practices, including inventorying devices and verifying Secure Boot status, to ensure uninterrupted protection and compliance with security standards.Source: Bleeping Computer
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



