Expired Secure Boot Certificates Will Put Windows Server Environments at Risk — What Admins Need to Do Now

Windows Servers relying on legacy Secure Boot certificates must be updated before June this year.

Security hero image

Key Takeaways:

  • Secure Boot certificates from 2011 begin expiring in June 2026, impacting Windows Server environments.
  • Admins must manually update affected servers to avoid degraded boot-level security.
  • Delays could disrupt recovery, clustering, and compliance posture.

Microsoft is urging Windows Server administrators to prepare for upcoming Secure Boot certificate expirations. The expiration of the original Secure Boot certificates that were introduced in 2011 will begin in June 2026.

Secure Boot is a security feature built into a device’s UEFI firmware that ensures only trusted, digitally signed software can run during the earliest stages of startup, which prevents malware from loading before the operating system begins. It works by using cryptographic certificates stored in firmware to validate each boot component, and blocks anything that isn’t signed by an approved authority.

Microsoft has warned that the Secure Boot certificates will reach their end of support deadline in June 2026. Once expired, servers relying on them will transition into a degraded security state where they can no longer benefit from the latest boot‑level protections. Microsoft mentioned that updating the certificates used to validate firmware and bootloaders helps to maintain the integrity of the Secure Boot process. It also lets organizations protect their systems from rootkits and other low-level threats.

Microsoft and OEMs coordinate ecosystem-wide transition

Microsoft has partnered with device manufacturers and firmware vendors to provide supported upgrade paths for older systems and maintain security across diverse environments. This collaboration aims to minimize operational risk during the transition phase.

“Because Windows Server instances do not receive the 2023 Secure Boot certificates through Controlled Feature Rollout (CFR)—unlike Windows PCs—IT administrators must take action on servers that are in scope. As part of standard maintenance, administrators should first ensure their servers are fully up to date by installing the latest cumulative updates,” Microsoft explained.

Manual updates required for Windows Server environments

Microsoft also recommends that administrators manually begin the Secure Boot certificate update on servers that don’t already have the 2023 certificates. The company also recommends reviewing the available methods for updating Secure Boot certificates and planning the update process early to avoid potential boot issues once the changes are enforced.

Microsoft held Secure Boot AMA sessions in December 2025 and February 2026 to answer technical questions about certificate updates, and recordings of these events are available for on‑demand viewing.

Operational and compliance risks of delayed action

As Secure Boot certificates age out, Windows Server machines depending on outdated trust anchors risk entering a degraded security state where new boot‑level protections cannot be applied, which can directly complicate disaster recovery and failover operations. When a cluster node, backup image, or recovery VM boots using expired Secure Boot certificates, the system may fail to validate boot components reliably, which potentially blocks restores or causes nodes to fail quorum checks.

The challenges grow in dual‑boot setups, older hypervisors, and air‑gapped environments, where firmware updates and certificate rotations are not always applied uniformly that increases the likelihood of mismatched trust chains across systems. These inconsistencies can raise compliance and audit risks, as many regulatory frameworks require verifiable, up‑to‑date cryptographic controls and secure baseline configurations. Keep in mind that running on expired Secure Boot certificates could be flagged as a lapse in required security posture and weaken evidence of proper system hardening.