New Windows updates replace expiring Secure Boot certificates
Microsoft has begun automatically replacing expiring Secure Boot certificates on eligible Windows 11 24H2 and 25H2 devices. These certificates are used to validate UEFI boot components and keep malicious software from running during startup. The old certificates start expiring in June 2026; devices that are not updated in time may be unable to boot securely or receive security updates. Microsoft is pushing the new certificates automatically through Windows Update and advises IT administrators to install them manually to keep devices secure. 2026-1-13 20:0:19 Author: www.bleepingcomputer.com


Microsoft has started automatically replacing expiring Secure Boot certificates on eligible Windows 11 24H2 and 25H2 systems.

Secure Boot is a security feature that blocks malicious software (like rootkit malware) from executing during the system startup sequence by ensuring that only trusted bootloaders can load on computers with UEFI firmware. This is done by checking the software's digital signature against a set of trusted digital certificates that are stored in the device's firmware.

Today's announcement comes after Microsoft warned IT admins in November to update the security certificates used to validate UEFI firmware before they expire.


"Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This might affect the ability of certain personal and business devices to boot securely if not updated in time," Microsoft said.

"Starting with this update, Windows quality updates include a subset of high confidence device targeting data that identifies devices eligible to automatically receive new Secure Boot certificates. Devices will receive the new certificates only after demonstrating sufficient successful update signals, ensuring a safe and phased deployment," it added.

IT admins who want to maintain Secure Boot functionality and ensure their endpoints' security should install the new certificates before the old certificates expire this summer.

Failing to do so could result in losing Windows Boot Manager and Secure Boot protections, as security updates for pre-boot components will no longer be provided to Secure Boot-enabled devices.

"Without updates, the Secure Boot-enabled Windows devices risk not receiving security updates or trusting new boot loaders which will compromise both serviceability and security," Microsoft explains.

While Microsoft will automatically update high-confidence devices via Windows Update, organizations can also deploy Secure Boot certificates using registry keys, the Windows Configuration System (WinCS), and Group Policy settings.

According to Microsoft's Secure Boot playbook, admins should first inventory their device fleets, verify Secure Boot status using PowerShell commands or registry keys, and then apply manufacturer firmware updates before installing Microsoft's certificate updates.
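The playbook step of verifying Secure Boot status can be scripted. The following PowerShell audit is an added example, not code from the article or from Microsoft's playbook. It uses the built-in `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets to check whether Secure Boot is on and whether the 2023-generation certificates are already present in the firmware's `db` and `KEK` variables. The certificate subject strings (`Windows UEFI CA 2023`, `Microsoft Corporation KEK 2K CA 2023`) and the registry location `HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing` with its `UEFICA2023Status` value are assumptions drawn from general knowledge of Microsoft's servicing, not from this page; confirm them against Microsoft's current documentation before relying on them.

```powershell
# Added example (not from the article): audit one device's Secure Boot certificate
# state ahead of the 2026 expiry. Run from an elevated PowerShell prompt.
# Assumptions (labelled): the subject strings 'Windows UEFI CA 2023' and
# 'Microsoft Corporation KEK 2K CA 2023' name the new CAs, and the registry key
# HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing (value UEFICA2023Status)
# is where Windows records servicing progress.

function Get-SecureBootCertState {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $null
        DbHas2023CA       = $null
        KekHas2023CA      = $null
        ServicingStatus   = 'Unknown'
    }

    # 1. Is Secure Boot enabled? Confirm-SecureBootUEFI throws on legacy-BIOS systems.
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $result.SecureBootEnabled = $false
        return [pscustomobject]$result   # nothing to service on a non-UEFI device
    }

    # 2. Inspect the signature database (db) and key exchange key (KEK) variables.
    #    Each is a raw EFI_SIGNATURE_LIST blob containing DER certificates, so the
    #    subject CN appears as plain ASCII inside the bytes.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $result.DbHas2023CA  = [bool]($db  -match 'Windows UEFI CA 2023')
    $result.KekHas2023CA = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')

    # 3. Read Windows' own servicing progress (assumed key and value name).
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = Get-ItemProperty -Path $key -Name UEFICA2023Status -ErrorAction SilentlyContinue
    if ($status) { $result.ServicingStatus = $status.UEFICA2023Status }

    [pscustomobject]$result
}

# Single-device run. For a fleet inventory, run the function via
# Invoke-Command -ComputerName <list> and export the objects to CSV.
Get-SecureBootCertState | Format-List
```

A device that reports `SecureBootEnabled = True` but `DbHas2023CA = False` is one that still depends on the expiring certificates and should be prioritised for the firmware update and certificate rollout described above; a device with `SecureBootEnabled = False` is outside the scope of this servicing but is also running without the boot-time protection the article describes.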



Article source: https://www.bleepingcomputer.com/news/security/microsoft-rolls-out-new-secure-boot-certificates-for-windows-devices/