Secure Boot Certificates: Microsoft Defender Provides Overview
Time is running out: The Secure Boot certificates from 2011 expire in June of this year. Microsoft Defender helps in the enterprise environment.
(Image: Maksim Kabakou / Shutterstock.com)
Microsoft wants to help identify machines with expiring Secure Boot certificates from 2011 in the enterprise environment. Some assistance for networks was already available, and now Microsoft Defender is also intended to help track down affected devices and bring them up to date.
In the Message Center of the Windows Release Health Notes, Microsoft has now announced the new feature for Microsoft Defender. It is a dashboard from which IT managers in networks can view the security status of the devices they manage. IT teams can now view the distribution of Secure Boot certificates from 2023 across their device fleet from a central location, the company explains. A blog post in the Tech Community goes into a bit more detail.
Impact of Expired Secure Boot Certificates
Microsoft explains there that Secure Boot ensures the integrity of a device's boot process by only starting trusted software. If devices do not receive new certificates, they cannot benefit from new security measures for the early boot process. The devices will continue to boot, but can no longer enforce newer protection measures in the early boot phase of the system. Over time, this weakens the device's “root of trust” and exposes it to new classes of attacks that become active before the operating system and full security controls are loaded.
Specifically, malicious or tampered boot components may no longer be reliably blocked if they are not signed with trusted certificates. Devices may be unable to adopt new Secure Boot policies designed to protect against newly discovered threats during the boot process. Additionally, attackers may use techniques at boot time to gain persistence before traditional security controls take effect.
To prevent this, IT managers should get an overview of which devices have already completed the update and which still require attention. Microsoft has therefore added a new entry to the Recommendations view of the Microsoft Defender dashboard. It divides devices into three classes: “Exposed Devices” still trust the old Secure Boot certificates without trusting the newer ones. “Compliant Devices” have the new 2023 certificates and the boot manager signed with them. “Not applicable Devices”, on the other hand, have Secure Boot disabled or do not support it.
From this recommendation view, admins can drill into “Exposed Devices” and find out which systems still need attention. Filters by operating system platform and device context help prioritize countermeasures. Device data can also be exported to share with infrastructure and platform teams, and the rollout of the new Secure Boot certificates can be tracked in the same view. Microsoft does not state whether this involves additional costs.
Microsoft now covers several scales of deployment. On individual computers, for example, the Windows Security app shows the status of the Secure Boot certificates on that specific machine. IT managers must take action themselves, however, especially on Windows servers, because Microsoft does not distribute the new certificates through automatic Windows updates there. Microsoft has been warning since June 2025 that the certificates are expiring. Admins should now complete their preparations and proceed quickly with the distribution of the new Secure Boot certificates.
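As an added illustration (not from the article, and not Microsoft's own tooling), the same three-way classification the Defender recommendation performs can be reproduced on a single Windows machine with the built-in Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets. It assumes the Windows CA subject names 'Microsoft Windows Production PCA 2011' and 'Windows UEFI CA 2023' appear as text inside the firmware's db variable; whether the installed boot manager is already signed by the 2023 CA is not verified here.

```powershell
# Added example: classify the local machine into the article's three classes
# (Exposed / Compliant / Not applicable). Run from an elevated PowerShell
# session, because Get-SecureBootUEFI requires administrator rights.
function Get-SecureBootCertState {
    # Assumed subject names of the Windows CAs stored in the UEFI "db".
    $oldCa = 'Microsoft Windows Production PCA 2011'
    $newCa = 'Windows UEFI CA 2023'

    # 1. Is Secure Boot supported and enabled? The cmdlet throws on legacy
    #    BIOS firmware, which the article maps to "Not applicable".
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $enabled = $false
    }
    if (-not $enabled) {
        return [pscustomobject]@{ Class = 'Not applicable'; TrustsOld = $false; TrustsNew = $false }
    }

    # 2. Read the raw signature database and search it for the CA names.
    #    Certificate subjects are encoded as printable ASCII in the DER blob.
    $db   = Get-SecureBootUEFI -Name db
    $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
    $trustsOld = [bool]($text -match [regex]::Escape($oldCa))
    $trustsNew = [bool]($text -match [regex]::Escape($newCa))

    # 3. Apply the article's classes. Defender's "Compliant" additionally
    #    requires the 2023-signed boot manager, which this script does not check.
    $class = if ($trustsNew)     { 'Compliant (db updated)' }
             elseif ($trustsOld) { 'Exposed' }
             else                { 'Unknown (no Microsoft Windows CA found in db)' }

    return [pscustomobject]@{ Class = $class; TrustsOld = $trustsOld; TrustsNew = $trustsNew }
}

Get-SecureBootCertState | Format-List
```

A machine that reports Exposed here is one the Defender view would flag; the result can be collected per host and compared against the dashboard export.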
(dmk)