Mallory

Microsoft Rolls Out Automatic Secure Boot Certificate Replacement in Windows 11

Tags: widely-deployed-product-advisory, endpoint-software-vulnerability
Updated March 21, 2026 at 02:52 PM · 3 sources

Microsoft has begun automatically replacing expiring Secure Boot certificates on eligible Windows 11 24H2 and 25H2 devices through the monthly quality updates, using a phased rollout that targets "high-confidence" devices selected on the basis of successful-update signals. The change follows earlier warnings that commonly used Secure Boot trust anchors start expiring in June 2026, which could disrupt Secure Boot validation on UEFI systems that have not been remediated. Secure Boot relies on certificates stored in firmware variables (the KEK and the signature databases) to verify bootloader signatures and keep pre-boot malware such as bootkits and rootkits from loading.

Microsoft warned that devices left on the expiring certificates lose trust in the Windows Boot Manager and the Secure Boot protections anchored to it, and can no longer receive future security updates for pre-boot components, which is an availability risk and a security risk at once. For organizations that want tighter control than the phased rollout gives them, Microsoft also documents manual deployment options (registry keys, WinCS, and Group Policy or other enterprise configuration management) so that certificate updates are applied ahead of expiration; the same guidance calls for inventorying devices, applying OEM firmware updates where required, and validating Secure Boot status across the fleet.

Timeline

  1. Jan 13, 2026

    Microsoft warns June 2026 certificate expirations could weaken boot security

    Microsoft said commonly used Secure Boot trust anchors are expected to begin expiring in June 2026, which could disrupt secure booting, reduce Windows Boot Manager and Secure Boot protections, and block future pre-boot security updates if devices are not updated. The company also advised organizations to inventory devices, verify Secure Boot status, apply OEM firmware updates, and use manual deployment options such as registry keys, WinCS, or Group Policy where needed.

  2. Jan 13, 2026

    Microsoft begins phased Secure Boot certificate updates for Windows 11

    Microsoft started automatically rolling out refreshed UEFI Secure Boot certificates to eligible Windows 11 24H2 and 25H2 devices through monthly quality updates. The phased deployment uses targeting and update-success signals to identify systems ready for the certificate replacement.
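The inventory and validation steps above (verify Secure Boot status, confirm which trust anchors are present, opt a device into the update manually where the phased rollout has not reached it) are the part a fleet administrator actually has to script. The following PowerShell is an added example written for this page; it is not Microsoft's tooling and not code from the original article. It assumes, and labels as assumptions, the published subject names of the 2011 and 2023 Microsoft Secure Boot CAs, the `AvailableUpdates` and `UEFICA2023Status` values under `HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot`, and the `\Microsoft\Windows\PI\Secure-Boot-Update` scheduled task as the opt-in and status surfaces for the update; confirm each against Microsoft's current guidance before relying on it.

```powershell
# Added example, not Microsoft's own tooling: readiness check for the Secure Boot
# certificate refresh. Run from an elevated PowerShell on a UEFI Windows 11
# 24H2/25H2 host. Assumptions (verify against Microsoft's current guidance):
# the CA subject strings, the registry value names under the Secureboot key,
# and the scheduled task name/path are as published by Microsoft.

function Get-SecureBootCertStatus {
    # Everything the function needs lives inside it so the same script block can
    # be shipped to remote hosts with Invoke-Command (no outer-scope variables).
    $secureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'

    # Assumed subject strings. A plain substring match on the raw DB/KEK bytes is
    # enough: the subject name is stored as ASCII inside each DER certificate.
    $certs2011 = @{ KEK = 'Microsoft Corporation KEK CA 2011'
                    Win = 'Microsoft Windows Production PCA 2011'
                    UEFI = 'Microsoft Corporation UEFI CA 2011' }
    $certs2023 = @{ KEK = 'Microsoft Corporation KEK 2K CA 2023'
                    Win = 'Windows UEFI CA 2023'
                    UEFI = 'Microsoft UEFI CA 2023' }

    $r = [ordered]@{
        ComputerName = $env:COMPUTERNAME; SecureBootOn = $null
        Has2011KEK = $null; Has2011Win = $null; Has2011UEFI = $null
        Has2023KEK = $null; Has2023Win = $null; Has2023UEFI = $null
        AvailableUpdates = $null; UEFICA2023Status = $null; Error = $null
    }
    try {
        # Throws on legacy BIOS / non-UEFI firmware; that is useful inventory data.
        $r.SecureBootOn = Confirm-SecureBootUEFI

        # KEK and db are returned as raw EFI_SIGNATURE_LIST bytes.
        $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
        $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)

        $r.Has2011KEK  = $kek.Contains($certs2011.KEK)
        $r.Has2023KEK  = $kek.Contains($certs2023.KEK)
        $r.Has2011Win  = $db.Contains($certs2011.Win)
        $r.Has2023Win  = $db.Contains($certs2023.Win)
        $r.Has2011UEFI = $db.Contains($certs2011.UEFI)
        $r.Has2023UEFI = $db.Contains($certs2023.UEFI)

        # Assumed value names; missing values simply stay $null in the report.
        $sb = Get-ItemProperty -Path $secureBootKey -ErrorAction SilentlyContinue
        if ($null -ne $sb.AvailableUpdates) {
            $r.AvailableUpdates = '0x{0:X}' -f $sb.AvailableUpdates
        }
        $r.UEFICA2023Status = $sb.UEFICA2023Status
    }
    catch { $r.Error = $_.Exception.Message }

    [pscustomobject]$r
}

# A device is covered only when Secure Boot is on and the 2023 KEK plus both
# 2023 DB CAs are present. Devices carrying only the 2011 set are the ones
# that lose boot-manager trust once the old certificates expire.
function Test-SecureBootCertReady {
    param([Parameter(Mandatory)]$Status)
    [bool]($Status.SecureBootOn -eq $true -and $Status.Has2023KEK -and
           $Status.Has2023Win -and $Status.Has2023UEFI)
}

# Manual opt-in for devices the phased rollout has not reached. The mask value
# must be taken from Microsoft's current KB for this update; none is hardcoded.
function Enable-SecureBootCertUpdate {
    param([Parameter(Mandatory)][int]$AvailableUpdatesMask)
    $secureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    Set-ItemProperty -Path $secureBootKey -Name AvailableUpdates `
        -Value $AvailableUpdatesMask -Type DWord
    # Servicing task that applies pending Secure Boot updates (assumed name/path).
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update'
}

# Usage: local check first, then the identical check across a fleet over WinRM.
$local = Get-SecureBootCertStatus
$local | Format-List
"Ready for the June 2026 expiry: $(Test-SecureBootCertReady $local)"

# Invoke-Command -ComputerName (Get-Content .\hosts.txt) `
#     -ScriptBlock ${function:Get-SecureBootCertStatus} |
#     Export-Csv .\secureboot-inventory.csv -NoTypeInformation
```

Read the CSV for devices where `SecureBootOn` is true but `Has2023*` columns are false: those are the hosts to hand to `Enable-SecureBootCertUpdate` (or to your Group Policy/WinCS deployment) before June 2026. Hosts that report an `Error` from `Confirm-SecureBootUEFI` are either legacy BIOS or have Secure Boot unavailable and need a firmware-level fix from the OEM, which no registry setting will supply.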


Related Stories

Microsoft Secure Boot Certificate Refresh Ahead of 2011 Certificate Expiration

Microsoft has started deploying updated **Secure Boot** certificates via regular monthly Windows updates to replace the original 2011-era certificates that begin expiring in **late June 2026**. Secure Boot, introduced in 2011 for UEFI-based systems, helps prevent pre-OS malware (e.g., bootkits/rootkits) by allowing only trusted, properly signed boot components to load, using a certificate chain anchored in UEFI firmware and validated against trusted signature databases. The expiring components include Microsoft-issued certificates used in the Secure Boot trust chain (including the **Key Exchange Key (KEK)** and Microsoft **UEFI CA/Production CA** certificates), which are present on most PCs built since 2011 and also affect many Linux distributions that rely on Microsoft’s UEFI signing ecosystem. Microsoft says the refresh will be automatic for in-support Windows devices where updates are Microsoft-managed, while organizations can also control deployment through their own management tooling; the effort is positioned as a large-scale ecosystem maintenance activity involving coordination across many OEM firmware configurations.

1 week ago
Windows 11 25H2/24H2 Preview Updates Add AI Features and Flag Secure Boot Certificate Expiration

Microsoft began rolling out **Windows 11 preview updates** for versions **25H2 and 24H2** (including the optional non-security preview update `KB5074105` and Release Preview builds `26200.7701`/`26100.7701`) focused on functionality, performance, and reliability improvements rather than patching new security vulnerabilities. The updates emphasize expanded **AI-driven experiences** (including refinements to Copilot+ PC-related models and more natural-language assistance within Settings), along with usability changes and a simplified Windows update title format intended to reduce administrative friction in tools like **WSUS** and **Microsoft Configuration Manager**. Alongside these feature updates, Microsoft highlighted an operational security risk: **Windows Secure Boot certificates** used by most Windows devices are expected to begin expiring in **June 2026**, and organizations that do not update Certificate Authority (CA) material in time may face devices that cannot boot securely. Separately, consumer guidance circulated on bypassing Windows 11 hardware eligibility checks (notably **TPM 2.0** requirements) to upgrade “unsupported” PCs; while this may extend device usability after Windows 10 support ended, it can also undermine Microsoft’s intended security baseline and increase enterprise risk if adopted outside controlled policy.

1 month ago
October 2025 Windows 11 Security and Feature Updates Deployment

Microsoft released cumulative updates KB5066835 and KB5066793 for Windows 11 versions 25H2/24H2 and 23H2 as part of the October 2025 Patch Tuesday. These updates are mandatory and address a range of security vulnerabilities discovered in previous months. They can be installed automatically through Windows Update or manually via the Microsoft Update Catalog, giving both end users and enterprise administrators a choice of deployment path. After installation, the build numbers for Windows 11 25H2 and 24H2 become 26200.6899 and 26100.6899 respectively, while 23H2 moves to 226x1.6050. This is the first Patch Tuesday update for version 25H2, which shares its codebase with 24H2, so both versions receive identical fixes and improvements. It is also the penultimate update for Windows 11 23H2, whose support is scheduled to end in November 2025.

The update resolves several issues: a bug that caused the print preview screen to freeze in Chromium-based browsers, a problem where apps and games became unresponsive if users signed in with only a gamepad at the lock screen, PowerShell Remoting and Windows Remote Management (WinRM) timeouts that affected remote administration, and an issue that prevented audit events from being logged, which matters for monitoring and compliance. It also improves the setup process for Windows Hello face recognition, particularly with USB infrared camera modules.

Microsoft emphasizes keeping security intelligence up to date in its antimalware products, such as Microsoft Defender Antivirus. Security intelligence updates are delivered automatically via Windows Update, but users and administrators can also trigger them manually for immediate coverage; these updates draw on cloud-based protection and AI-enhanced detection to identify and mitigate new malware and attack techniques. Microsoft provides troubleshooting resources for users whose automatic updates fail, and discloses the third-party materials included in security intelligence updates. Overall, the October 2025 Patch Tuesday updates address security vulnerabilities, improve system stability, and refine the user experience across supported Windows 11 versions.

1 month ago
