Microsoft has announced that the original Secure Boot certificates will start expiring in June 2026, which could lead to future boot components being blocked if updated certificates are not installed. This means that systems without the new certificates may stop receiving critical security updates and potentially reject newer signed components. Microsoft and OEM partners are deploying updates, and it's recommended to let Windows Update manage the installation of Secure Boot certificates. I'm interested in hearing how others are preparing for or have already addressed this issue, especially at scale. Thanks!
12 Answers
I think this is mainly going to affect air-gapped or offline computers. If your systems are receiving Windows updates regularly, this shouldn't be a concern, right?
I've set the registry key `HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates` to 0x5944, and it works fine on physical hardware. As for VMware, we haven't looked into it since we plan to migrate off that platform by 2026 anyway.
We’ve got no Windows servers in our setup; just individual PCs where everyone is an admin. It's up to each person to handle their own updates automatically.
Hey all, how do we even check if we've got the right certificates in place?
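One way to answer this question on a Windows device, and at the same time see whether the AvailableUpdates registry value from the earlier reply has been set, as an added PowerShell example that is not from any poster in this thread: it uses the built-in SecureBoot cmdlets (Confirm-SecureBootUEFI, Get-SecureBootUEFI) to read the KEK and db firmware variables and substring-match the public subject names of Microsoft's 2011 CAs and their 2023 replacements. The certificate names in the script are assumed from Microsoft's published CA names; the registry path is the one quoted in the reply above. Run it elevated on the device itself.

```powershell
# Added example, not from any poster in this thread: report which Microsoft
# Secure Boot CAs are present in firmware and whether the AvailableUpdates
# registry value (mentioned in an earlier reply) has been set. Run elevated.

function Get-SecureBootCertState {
    [CmdletBinding()]
    param()

    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is not enabled; the firmware variables are not meaningful here.'
        return $null
    }

    # Public subject names of the 2011 CAs and their 2023 replacements (assumed
    # from Microsoft's published names). DER stores these ASCII names verbatim,
    # so a substring match over the raw variable bytes is enough to detect them.
    $expected = @{
        KEK = @('Microsoft Corporation KEK CA 2011',
                'Microsoft Corporation KEK 2K CA 2023')
        db  = @('Microsoft Windows Production PCA 2011',
                'Windows UEFI CA 2023',
                'Microsoft Corporation UEFI CA 2011',
                'Microsoft UEFI CA 2023',
                'Microsoft Option ROM UEFI CA 2023')
    }

    $rows = foreach ($var in 'KEK', 'db') {
        $text = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $var).Bytes)
        foreach ($name in $expected[$var]) {
            [pscustomobject]@{
                Variable    = $var
                Certificate = $name
                Present     = $text.Contains($name)
            }
        }
    }

    # AvailableUpdates is absent until an admin or Windows Update sets it.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $avail = (Get-ItemProperty -Path $regPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates

    # Readiness is judged on the 2023 entries only; the 2011 rows are context.
    $missing2023 = @($rows | Where-Object { $_.Certificate -like '*2023*' -and -not $_.Present })

    [pscustomobject]@{
        Certificates     = $rows
        AvailableUpdates = if ($null -ne $avail) { '0x{0:X}' -f $avail } else { '(not set)' }
        Missing2023      = @($missing2023 | ForEach-Object { "$($_.Variable): $($_.Certificate)" })
        Ready            = ($missing2023.Count -eq 0)
    }
}

$state = Get-SecureBootCertState
if ($state) {
    $state.Certificates | Format-Table -AutoSize
    "AvailableUpdates = $($state.AvailableUpdates)"
    if ($state.Ready) { 'All 2023 CAs are present in firmware.' }
    else { 'Missing 2023 CAs: ' + ($state.Missing2023 -join '; ') }
}
```

A device that reports Ready = False with AvailableUpdates "(not set)" has simply not been told to update yet; one that reports Ready = False some time after the value was set is the case worth investigating, because the firmware did not accept the new entries. The function returns an object rather than only printing, so the same check can be wrapped in a remediation script or inventory query at scale.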
Dell has already rolled out new certificate bundles in their latest BIOS updates, which we automate through Dell Command Update. So honestly, for us, it's not an issue. We're all set!
That’s good to hear! Are you guys still supporting older systems or just focusing on newer models?
We're pushing firmware updates via Dell Command Update and Lenovo Commercial Vantage, plus I'm testing registry key deployments for the new certificates. Fingers crossed it works!
Honestly, I just disabled Secure Boot altogether. Problem solved!
Ha! I like that approach. I’d hire you in a heartbeat!
If you're already managing patches at scale, this shouldn't be a big deal. What’s the sales pitch to ease my mind about it? Just need it sorted quickly!
Let's push this forward and get it done!
I enabled the Microsoft Managed opt-in policy along with allowing BIOS updates through Windows Update. Let’s hope that’s enough! I'm also phasing out some older devices that are out of OEM support but still get updates from Microsoft.
We're already on Intune with AutoPatch for driver updates enabled, so we won't have to do much. Thank goodness for automated solutions!
Like many, I'm just waiting for the updates to roll out from joshtaco first before moving forward.
Really? We have a strict policy where nobody is an admin on their PC, not even me.