Microsoft has begun automatically rotating expiring Secure Boot certificates on eligible systems running Windows 11 versions 24H2 and 25H2, marking a critical step in maintaining platform integrity and pre-boot security across modern Windows environments.
Secure Boot certificate lifecycle and security impact
Secure Boot is a foundational UEFI security control designed to prevent malicious pre-boot components—such as bootkits and rootkits—from executing during system startup. It enforces a chain of trust by validating bootloaders and pre-OS components against cryptographic certificates stored in device firmware. Only software signed by trusted certificates is allowed to run, effectively blocking unauthorized or tampered code before the operating system loads.
Microsoft previously warned enterprise administrators that the Secure Boot certificates used by most Windows devices are scheduled to expire beginning in June 2026. Without proactive updates, affected devices could fail to boot securely or lose protection against pre-boot malware, creating a high-risk security gap at the firmware level.
Automatic certificate rotation in Windows 11
With the latest Windows quality updates, Microsoft has introduced an automated mechanism to replace expiring Secure Boot certificates on supported devices. This process relies on a subset of high-confidence device targeting signals to identify systems eligible for certificate updates.
Only devices that demonstrate consistent and successful update behavior will receive the new certificates automatically. This phased rollout is designed to reduce operational risk, prevent firmware compatibility issues, and ensure system stability during the transition. The approach reflects current best practices for large-scale cryptographic updates in enterprise environments, where controlled deployment is essential.
Risks of not updating Secure Boot certificates
Organizations that fail to update Secure Boot certificates before expiration face significant consequences. Once certificates expire, Secure Boot–enabled systems may no longer trust updated bootloaders, including the Windows Boot Manager. As a result, these devices could stop receiving security updates for pre-boot components, weakening both serviceability and overall system security.
Microsoft has explicitly warned that unmanaged expiration may lead to loss of Secure Boot protections, increasing exposure to low-level persistence mechanisms that are difficult to detect or remediate using traditional endpoint security tools.
Enterprise deployment options and controls
While Windows Update will handle certificate rotation for high-confidence devices, enterprise IT teams retain full control over deployment. Secure Boot certificates can be distributed manually using registry-based configurations, the Windows Configuration System (WinCS), or Group Policy. This flexibility allows organizations to align certificate updates with internal change management processes and compliance requirements.
According to Microsoft’s Secure Boot operational guidance, administrators should begin by inventorying all endpoints, verifying Secure Boot status through PowerShell commands or registry inspection, and ensuring that OEM firmware is fully up to date. Firmware updates from hardware manufacturers are a prerequisite, as outdated UEFI firmware may not support the new certificate chain.
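One way to carry out that inventory step on a single endpoint is shown below. This is an added example, not code from the article or from Microsoft: it reads Secure Boot state through the built-in SecureBoot PowerShell module (Confirm-SecureBootUEFI, Get-SecureBootUEFI), cross-checks it against the UEFISecureBootEnabled value under HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State, records the OEM firmware version from Win32_BIOS, and parses the raw EFI_SIGNATURE_LIST structures in the db and KEK variables to list every X.509 certificate with its expiry date. The function names (Get-SecureBootCertificates, Test-SecureBootReadiness) and the 365-day horizon are the example's own choices; everything else is standard Windows 10/11 tooling and the UEFI specification's variable layout.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or from Microsoft): inventory one endpoint's
# Secure Boot state and the certificates currently in its UEFI db/KEK, and flag
# any that expire within a chosen horizon. Assumes the built-in SecureBoot module
# (Confirm-SecureBootUEFI / Get-SecureBootUEFI) on a UEFI Windows 10/11 host.

# GUID that marks an EFI_SIGNATURE_LIST whose entries are DER-encoded X.509 certificates.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificates {
    # Walk the chain of EFI_SIGNATURE_LIST records stored in a Secure Boot variable
    # and emit one object per X.509 certificate found in it.
    param([ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name = 'db')

    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset -lt $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes) + three UINT32 sizes (28 bytes total).
        $sigType  = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -le 0) { break }   # malformed variable; do not spin forever

        # Only X.509 lists carry certificates; SHA-256 hash lists (common in dbx) are skipped.
        if ($sigType -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            $pos = $offset + 28 + $hdrSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID, then the DER certificate.
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Test-SecureBootReadiness {
    # Collect the facts an administrator wants before rolling out new certificates.
    param([int]$DaysAhead = 365)

    # 1. Secure Boot state from the UEFI runtime service; the cmdlet throws on
    #    legacy-BIOS machines, which this report treats as "not enabled".
    try { $uefiEnabled = [bool](Confirm-SecureBootUEFI) } catch { $uefiEnabled = $false }

    # 2. The same fact as Windows recorded it in the registry, for a cross-check.
    $state = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State' `
                              -Name 'UEFISecureBootEnabled' -ErrorAction SilentlyContinue
    $regEnabled = ($null -ne $state) -and ($state.UEFISecureBootEnabled -eq 1)

    # 3. OEM firmware identity, to compare against the vendor's current release.
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # 4. Certificates in db and KEK, and the subset expiring within the horizon.
    $certs = @()
    if ($uefiEnabled) {
        $certs = @(foreach ($v in 'db', 'KEK') { Get-SecureBootCertificates -Name $v })
    }
    $horizon  = (Get-Date).AddDays($DaysAhead)
    $expiring = @($certs | Where-Object { $_.NotAfter -le $horizon })

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        SecureBootEnabled    = $uefiEnabled
        RegistryAgrees       = ($uefiEnabled -eq $regEnabled)
        FirmwareVendor       = $bios.Manufacturer
        FirmwareVersion      = $bios.SMBIOSBIOSVersion
        FirmwareReleaseDate  = $bios.ReleaseDate
        CertificateCount     = $certs.Count
        ExpiringWithinWindow = $expiring
    }
}

# Usage: run from an elevated prompt; the expiring list is what needs action first.
$report = Test-SecureBootReadiness -DaysAhead 365
$report | Format-List
$report.ExpiringWithinWindow | Sort-Object NotAfter | Format-Table Variable, Subject, NotAfter -AutoSize
```

Run per host from an elevated session (or pushed through whatever endpoint management tool the organization already uses) and keep the resulting objects in a central inventory; a device whose report shows RegistryAgrees false, a firmware release date older than the OEM's current package, or any entry in ExpiringWithinWindow is one that should not be left to the automated rollout alone, since the certificate rotation depends on firmware that supports the new chain.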
Alignment with modern endpoint security strategy
This certificate rotation initiative underscores the increasing importance of firmware and boot-level security in modern threat models. As attackers continue to target pre-OS components to evade detection, maintaining a valid and trusted Secure Boot configuration is essential for defending against advanced persistence techniques.
By automating certificate updates while preserving administrative control, Microsoft is reinforcing Secure Boot as a long-term security control rather than a static configuration—aligning with zero trust principles and contemporary endpoint hardening strategies.
