Microsoft Secure Boot Certificate Refresh Ahead of 2011 Certificate Expiration
Microsoft has started deploying updated Secure Boot certificates via regular monthly Windows updates to replace the original 2011-era certificates that begin expiring in late June 2026. Secure Boot, introduced in 2011 for UEFI-based systems, helps prevent pre-OS malware (e.g., bootkits/rootkits) by allowing only trusted, properly signed boot components to load, using a certificate chain anchored in UEFI firmware and validated against trusted signature databases.
The expiring components include Microsoft-issued certificates used in the Secure Boot trust chain (including the Key Exchange Key (KEK) and Microsoft UEFI CA/Production CA certificates), which are present on most PCs built since 2011 and also affect many Linux distributions that rely on Microsoft’s UEFI signing ecosystem. Microsoft says the refresh will be automatic for in-support Windows devices where updates are Microsoft-managed, while organizations can also control deployment through their own management tooling; the effort is positioned as a large-scale ecosystem maintenance activity involving coordination across many OEM firmware configurations.
Related Entities
Organizations
Affected Products
Sources
1 more from sources like microsoft support
Related Stories
Microsoft Rolls Out Automatic Secure Boot Certificate Replacement in Windows 11
Microsoft began **automatically replacing expiring Secure Boot certificates** on eligible **Windows 11 24H2 and 25H2** devices via Windows quality updates, using a phased rollout that targets “high-confidence” devices based on successful update signals. The change follows earlier warnings that commonly used Secure Boot trust anchors will start expiring in **June 2026**, which could disrupt secure boot validation on UEFI systems if not remediated. Secure Boot relies on firmware-stored certificates to verify bootloader signatures and prevent pre-boot malware (e.g., rootkits) from loading. Microsoft warned that failing to update these certificates can lead to loss of **Windows Boot Manager trust** and **Secure Boot protections**, and may prevent devices from receiving future security updates for pre-boot components—creating both availability and security risk. For organizations that need tighter control, Microsoft also provides **manual deployment options** (e.g., via registry-based methods and enterprise management tooling such as policy/configuration controls) to ensure certificate updates are applied ahead of expiration and to validate Secure Boot status across fleets.
2 months ago
Windows 11 25H2/24H2 Preview Updates Add AI Features and Flag Secure Boot Certificate Expiration
Microsoft began rolling out **Windows 11 preview updates** for versions **25H2 and 24H2** (including the optional non-security preview update `KB5074105` and Release Preview builds `26200.7701`/`26100.7701`) focused on functionality, performance, and reliability improvements rather than patching new security vulnerabilities. The updates emphasize expanded **AI-driven experiences** (including refinements to Copilot+ PC-related models and more natural-language assistance within Settings), along with usability changes and a simplified Windows update title format intended to reduce administrative friction in tools like **WSUS** and **Microsoft Configuration Manager**. Alongside these feature updates, Microsoft highlighted an operational security risk: **Windows Secure Boot certificates** used by most Windows devices are expected to begin expiring in **June 2026**, and organizations that do not update Certificate Authority (CA) material in time may face devices that cannot boot securely. Separately, consumer guidance circulated on bypassing Windows 11 hardware eligibility checks (notably **TPM 2.0** requirements) to upgrade “unsupported” PCs; while this may extend device usability after Windows 10 support ended, it can also undermine Microsoft’s intended security baseline and increase enterprise risk if adopted outside controlled policy.
1 months agoCISA and NSA Guidance on Managing UEFI Secure Boot to Counter Bootkit Threats
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the National Security Agency (NSA), has released new guidance urging enterprises to verify and actively manage UEFI Secure Boot configurations to defend against persistent bootkit threats. The guidance, published as a Cybersecurity Information Sheet, highlights the risks posed by vulnerabilities such as PKFail, BlackLotus (CVE-2023-24932), and BootHole, which have enabled attackers to bypass Secure Boot protections through misconfigurations, outdated certificates, or the use of test keys. The agencies emphasize that default or neglected Secure Boot settings leave organizations exposed to firmware-level malware that can evade traditional security controls, and recommend routine audits and validation of Secure Boot variables using tools provided by the NSA. The guidance also addresses operational challenges, noting that many enterprises still rely on outdated 2011 Microsoft certificates or have Secure Boot disabled, making them susceptible to both known and emerging threats. Additional real-world examples, such as the HybridPetya ransomware and the Bombshell UEFI shell, underscore the urgency of moving firmware security to the forefront of enterprise cybersecurity policy. Administrators are advised to confirm Secure Boot enforcement, export and analyze configuration variables, and ensure only trusted certificates and hashes are present, thereby strengthening the root of trust and mitigating supply chain and boot-time attack risks.
3 months ago