Microsoft has begun the automatic replacement of expiring Secure Boot certificates on compatible Windows 11 24H2 and 25H2 devices. This proactive measure ensures that systems remain protected against rootkits and unauthorized bootloaders before the current security credentials begin to expire in mid-2026.
Secure Boot serves as a critical defense mechanism by preventing malicious software from running during a computer's startup process. It works by verifying that every piece of software used to boot the machine carries a valid digital signature chaining to a trusted certificate stored in the firmware. Without valid certificates, a device cannot confirm the integrity of its own bootloader, leaving it vulnerable to sophisticated attacks that execute before the operating system even loads.
The current transition follows a prior warning from Microsoft regarding the upcoming expiration of certificates used by the majority of Windows devices. If these digital credentials are not refreshed by the summer of 2026, many personal and enterprise computers may lose the ability to boot securely. This could lead to a scenario where the Windows Boot Manager is no longer trusted, effectively cutting off the device from receiving necessary security updates for pre-boot components.
To manage this risk, Microsoft is integrating the certificate updates into standard Windows quality updates for devices it has high confidence will update cleanly. The rollout is designed to be phased and cautious, triggering the update only after a system has reported a history of successful, stable updates. This automated process is intended to reduce the burden on users while maintaining the continuous serviceability and security of the platform.
For professional IT environments, administrators have several manual methods available to ensure their fleets remain compliant and secure. Beyond the automated Windows Update path, organizations can deploy the necessary certificates through Group Policy settings, the Windows Configuration System, or specific registry keys. Relying solely on automation may not cover every device, making these administrative tools essential for maintaining full coverage across a corporate network.
Microsoft recommends that technical teams begin by taking an inventory of their hardware and verifying the current Secure Boot status of each device using PowerShell. Before applying the new Microsoft certificates, administrators are advised to first install any available firmware updates from the device manufacturers. Following this structured playbook will help prevent boot failures and ensure that all endpoints continue to trust authorized bootloaders well into the future.
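The inventory step described above, as an added example that is not from the article or from Microsoft: the script reports whether Secure Boot is enabled and whether the firmware's db and KEK variables already carry the 2023 Microsoft CAs alongside the expiring 2011 ones. The CA names are Microsoft's published certificate subjects; the function name and output fields are my own.

```powershell
# Added example (not from the article): inventory one Windows 11 device's Secure Boot
# state and report whether the 2011-era Microsoft CAs have been joined by the 2023
# replacements. Run from an elevated PowerShell session on UEFI firmware; the
# Get-SecureBootUEFI cmdlet requires administrator rights.
$CaNames = @{
    db  = @{ Old = 'Microsoft Windows Production PCA 2011', 'Microsoft Corporation UEFI CA 2011'
             New = 'Windows UEFI CA 2023', 'Microsoft UEFI CA 2023' }
    KEK = @{ Old = 'Microsoft Corporation KEK CA 2011'
             New = 'Microsoft Corporation KEK 2K CA 2023' }
}

function Get-SecureBootCertStatus {
    # Confirm-SecureBootUEFI returns $false when Secure Boot is off and throws on
    # legacy BIOS/CSM systems, which we treat the same way for inventory purposes.
    $enabled = $false
    try { $enabled = Confirm-SecureBootUEFI } catch { }

    $result = [ordered]@{ ComputerName = $env:COMPUTERNAME; SecureBootEnabled = $enabled }
    foreach ($var in $CaNames.Keys) {
        # Each variable is a list of EFI_SIGNATURE_LISTs containing DER certificates.
        # Certificate subjects survive as ASCII inside the DER blobs, so a substring
        # match on the raw bytes is sufficient for an inventory check.
        $text = ''
        try { $text = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $var).Bytes) } catch { }
        $result["${var}Has2011"] = [bool]($CaNames[$var].Old | Where-Object { $text.Contains($_) })
        $result["${var}Has2023"] = [bool]($CaNames[$var].New | Where-Object { $text.Contains($_) })
    }
    # A device is ready for the 2026 expiry only if both db and KEK hold a 2023 CA.
    $result.Ready2026 = $result.dbHas2023 -and $result.KEKHas2023
    [pscustomobject]$result
}

Get-SecureBootCertStatus | Format-List
```

Pipe the output of several machines into Export-Csv to build the fleet inventory; any device with Ready2026 set to False is a candidate for the Group Policy or registry deployment path, after its firmware has been updated.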
Source: New Windows Updates Replace Expiring Secure Boot Certificates