Organizations running Windows Server should prepare now for a critical security update involving Secure Boot certificates. Microsoft has issued guidance, dubbed a “playbook,” to help IT administrators replace expiring certificates before a June 2026 deadline. The update is essential to maintain the security posture of servers and prevent potential vulnerabilities.
The need for this update stems from the natural lifecycle of cryptographic assets like Secure Boot certificates. These certificates, which verify the integrity of firmware and boot components, are issued with defined expiration dates. Failing to update them could leave systems vulnerable to malware executing early in the startup process. According to Microsoft, systems still relying on the older 2011 certificates after June 2026 will operate with a “degraded security posture.”
A recent blog post in Microsoft’s TechCommunity details the available tools and options for administrators. The guidance specifically notes that the playbook does not apply to Azure Local hosts, Windows PCs, or first-generation Hyper-V virtual machines.
Manual Updates Required for Most Servers
Unlike Windows PCs, which receive Secure Boot certificate updates automatically through Controlled Feature Rollout (CFR) as part of their monthly updates, Windows Server requires manual intervention. Microsoft explains that Windows Server does not automatically receive the updated certificates, so IT departments must proactively manage the update process.
The good news is that servers running Windows Server 2025, certified on newer platforms, already include the 2023 certificates in their firmware. For servers that don’t, administrators will need to update the certificates manually to ensure continued security. Microsoft’s playbook outlines a step-by-step approach, beginning with inventory and environment preparation, followed by monitoring and verification of Secure Boot status. The process also includes applying necessary OEM firmware updates before the certificate updates themselves, planning and executing the certificate distribution, and troubleshooting common issues.
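One way to script the inventory and verification step described above, as an added PowerShell example that is not part of the original article or of Microsoft’s playbook: it reads the UEFI DB and KEK variables with the built-in SecureBoot cmdlets and reports whether the 2023 CAs (and the old 2011 CA) are present on the host. The CA subject names are Microsoft’s published names for these certificates; which set you need to look for on a given platform is an assumption to confirm against the playbook.

```powershell
# Added example, not code from the article or the Microsoft playbook.
# Read-only Secure Boot inventory for one Windows Server host; run in an
# elevated PowerShell session. Requires the SecureBoot module shipped with Windows.
# The CA names are Microsoft's published Secure Boot CA subject names (assumed
# to be the relevant set here; verify against the playbook for your platform).

$Targets = [ordered]@{
    'DB  (new Windows boot CA)'   = @{ Var = 'db';  Name = 'Windows UEFI CA 2023' }
    'DB  (new UEFI 3rd-party CA)' = @{ Var = 'db';  Name = 'Microsoft UEFI CA 2023' }
    'KEK (new KEK CA)'            = @{ Var = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' }
    'DB  (old 2011 Windows CA)'   = @{ Var = 'db';  Name = 'Microsoft Windows Production PCA 2011' }
}

function Get-SecureBootCertStatus {
    $result = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI systems.
    try   { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $result.SecureBootEnabled = $false; $result.Note = $_.Exception.Message }

    foreach ($label in $Targets.Keys) {
        $t = $Targets[$label]
        try {
            # The variable content is a raw EFI_SIGNATURE_LIST blob. The CA
            # subject names are ASCII inside the DER certificates, so a
            # substring match is enough to tell which CAs are enrolled.
            $raw  = (Get-SecureBootUEFI -Name $t.Var).Bytes
            $text = [System.Text.Encoding]::ASCII.GetString($raw)
            $result[$label] = $text -like "*$($t.Name)*"
        } catch {
            $result[$label] = $null   # variable unreadable (e.g. Secure Boot unsupported)
        }
    }
    [pscustomobject]$result
}

$status = Get-SecureBootCertStatus
$status | Format-List

# A host that trusts only the 2011 CA is the case the June 2026 deadline applies to:
# apply the OEM firmware update first, then distribute the 2023 certificates.
if ($status.SecureBootEnabled -and -not $status.'DB  (new Windows boot CA)') {
    Write-Warning "$($status.ComputerName): 2023 CA not in DB; schedule firmware and certificate updates."
}
```

Run it against each server (for example through Invoke-Command) and collect the objects into the inventory before planning the distribution step.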
The coordinated effort to address this issue extends beyond Microsoft. The company has worked closely with server ecosystem partners to ensure a smooth transition. Many newer server hardware and virtual machine versions, built since 2024 and almost all released in 2025, are already preconfigured with the 2023 Secure Boot certificates. Device manufacturers and firmware partners have also collaborated to provide upgrade paths for existing deployments.
Administrators with Windows Server systems on their network should study the Microsoft playbook and begin planning for implementation. Microsoft began distributing updated Secure Boot certificates for Windows desktop systems in late January, according to a report from Heise Online. The company also started raising awareness about the upcoming certificate exchange back in June of last year.
The Secure Boot process is a foundational security pillar for Windows Server systems running on physical hardware and virtual environments. By proactively addressing the expiring certificates, organizations can minimize operational risk and maintain the high security standards expected of modern server platforms.
The next key date to watch is June 2026, when the older 2011 certificates will begin to expire. Organizations should aim to have the updated certificates in place well before this date to avoid any disruption to service or potential security breaches.
