Microsoft Guide for Windows Server Secure Boot Certificates

Microsoft's Secure Boot certificates expire in June and need to be replaced. Microsoft provides a guide for server admins.

Flickering Windows 11 logo in front of matrix-like code

(Image: Dirk Knop / heise medien)


Microsoft has released a “Playbook” for handling the Secure Boot certificates of Windows Servers, which expire in June 2026. It is intended to help IT administrators in organizations replace the certificates on Windows Server versions before they expire in June.

A recent blog post in Microsoft's Tech Community explains the available tools and options. The authors note that the guide does not apply to Azure Local hosts, Windows PCs, or first-generation Hyper-V VMs.

Microsoft explains that the Secure Boot certificates are issued with a predefined validity period, like other cryptographic objects. Periodic replacement helps to meet current security requirements. Therefore, organizations must ensure that the 2023 Secure Boot CAs are present on the Windows Server systems before the old CAs from 2011 expire. “Systems on the 2011 CAs after June 2026 are at risk of running on degraded security posture,” the authors state.

Windows Server 2025 on certified server platforms already comes with the 2023 certificates in the firmware. On servers where this is not the case, IT administrators must update the certificates manually, as Windows Server does not receive them automatically. Unlike Windows PCs, which receive Secure Boot certificate updates as part of the Controlled Feature Rollout (CFR) within monthly updates, Windows Servers require manual intervention.

Microsoft then provides a step-by-step guide that is easy to follow. It begins with an inventory and preparation of the environment, then moves on to monitoring and checking the Secure Boot status of the devices, followed by applying any necessary OEM firmware updates before the certificate updates. Next comes planning and supporting the distribution of the Secure Boot certificates, and the guide ends with troubleshooting and resolving common issues.
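One way to perform the inventory and status-check steps on a single host, as an added PowerShell example that is not part of Microsoft's playbook or the article: it reads the firmware KEK and db variables and reports which of the 2011 and 2023 CA generations the host currently trusts. The CA subject strings are the ones Microsoft publishes for the two generations; the function name and the output layout are assumptions.

```powershell
# Added example (not from the Microsoft playbook): inventories which Secure Boot CAs
# a host currently trusts, so the 2011-to-2023 rollover can be tracked per server.
# Requires an elevated PowerShell session on a UEFI system.

# Certificate subjects as published by Microsoft for the 2011 and 2023 CA generations.
$CaNames = @{
    'KEK 2011'        = 'Microsoft Corporation KEK CA 2011'
    'KEK 2023'        = 'Microsoft Corporation KEK 2K CA 2023'
    'DB Windows 2011' = 'Microsoft Windows Production PCA 2011'
    'DB Windows 2023' = 'Windows UEFI CA 2023'
    'DB UEFI 2011'    = 'Microsoft Corporation UEFI CA 2011'
    'DB UEFI 2023'    = 'Microsoft UEFI CA 2023'
}

function Get-SecureBootCaInventory {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI throws on legacy BIOS hosts, so record that as "unsupported"
    # ($null) instead of failing the inventory run.
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $null }

    $result = [ordered]@{ Host = $env:COMPUTERNAME; SecureBootEnabled = $enabled }
    if ($null -eq $enabled) { return [pscustomobject]$result }

    # Subject names inside the DER-encoded certificates are plain ASCII, so a
    # substring match on the raw variable bytes is enough to detect each CA.
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)

    foreach ($entry in $CaNames.GetEnumerator()) {
        $store = if ($entry.Key -like 'KEK*') { $kek } else { $db }
        $result[$entry.Key] = $store.Contains($entry.Value)
    }

    # A host is ready for the June 2026 expiry when all three 2023 CAs are present;
    # a host that only has the 2011 generation still needs the rollover.
    $result['Ready2023'] = $result['KEK 2023'] -and
                           $result['DB Windows 2023'] -and
                           $result['DB UEFI 2023']
    [pscustomobject]$result
}

Get-SecureBootCaInventory | Format-List
```

Run it against each server (for example via Invoke-Command) and collect the objects to build the inventory the playbook starts with; a host with Ready2023 set to False is one that still needs the firmware and certificate updates.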


Admins with Windows Servers on their network should study the guide and start implementing it in the foreseeable future. For Windows desktop systems, Microsoft already began distributing updated Secure Boot certificates at the end of January. Microsoft started raising awareness of the upcoming certificate exchange back in June last year.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.