Windows Server Secure Boot Certificate Update Guide for 2026 Expiration
Cloud Reporter
5 min read

Microsoft releases comprehensive playbook for updating Secure Boot certificates on Windows Server before June 2026 expiration, requiring manual intervention unlike Windows PCs.

Organizations running Windows Server must prepare for Secure Boot certificate updates before the 2011 certificates expire in June 2026, as Microsoft has released a detailed playbook outlining the necessary steps and available tools for this critical security maintenance task.

Unlike Windows PCs that receive updates automatically through Controlled Feature Rollout, Windows Server requires manual intervention from IT administrators to update Secure Boot certificates. This distinction creates an important operational difference that organizations need to plan for well in advance of the expiration deadline.

Understanding the Security Context

Secure Boot is a fundamental security capability that works with UEFI to validate firmware and boot components before they execute. The system uses cryptographic trust anchors, known as certificate authorities, to ensure only trusted code runs during the server startup process. This validation significantly reduces the risk of malware executing at the earliest stages of system boot.

These certificates, like all cryptographic assets, have defined lifetimes and must be refreshed periodically to maintain security alignment. The 2023 Secure Boot CAs need to be present on applicable Windows Server systems before the 2011 CAs expire, as systems remaining on the older certificates after June 2026 will operate with a degraded security posture.

Current Certificate Status

Windows Server 2025 certified server platforms already include the 2023 certificates in firmware, providing a head start for organizations planning upgrades. However, most existing server infrastructure will require manual updates, as Windows Server does not receive these certificates automatically like Windows PCs do.

Five-Step Update Process

The playbook outlines a comprehensive five-step approach to managing this transition:

Step 1: Inventory and Environment Preparation

Begin by verifying which servers have Secure Boot enabled and checking the status of their Secure Boot certificates. The target state is a UEFICA2023Status registry key value of "updated" on every applicable server. Organizations should build a small, representative sample of devices currently showing "not updated" status and use it to validate the update process before broader deployment.

Starting with servers hosting less impactful workloads allows for safe testing and validation of the update procedure.

Step 2: Monitoring and Status Checking

For organizations managing multiple servers, several methods exist to track device status. Registry keys and Windows Event Log events help identify which devices already have the new certificates and which need attention.

The UEFICA2023Status registry key value indicates deployment progress: not started, in progress, or updated. Successful deployment is confirmed through Event ID 1808 in the Windows System Event Log, which indicates the required new Secure Boot certificates have been applied to the device's firmware.

Step 3: OEM Firmware Updates

Before updating certificates, check and apply any needed firmware updates. Updated firmware can prevent compatibility problems and help ensure new Secure Boot certificates are accepted. Microsoft is partnering with OEMs to provide platform-specific information, though support for firmware updates on older products varies by manufacturer.

Some firmware updates may set new Secure Boot defaults to include updated certificates, while others may be necessary if there are known issues with firmware handling Secure Boot certificate updates.

Step 4: Deployment Planning and Piloting

Once servers needing updates are identified, organizations can choose between registry keys or Group Policy for deployment. The playbook recommends piloting the chosen method on a small representative set of devices first to build confidence before broader deployment.

In typical enterprise deployments, the Secure Boot certificates are generally applied within approximately 12 hours of the setting being configured. If a reboot is required, organizations can wait for the next scheduled restart or perform an unplanned reboot to complete the process.

Step 5: Troubleshooting and Remediation

Common issues can be identified and resolved using registry keys and Windows Event Log events. The UEFICA2023Error registry key only exists when there are errors, providing a clear indicator of problems requiring attention.

Event ID 1795 indicates errors when Windows attempts to hand off certificates to firmware, suggesting a firmware update may be needed. Event ID 1803 indicates issues with Key Exchange Key certificate deployment, requiring consultation with the device manufacturer.
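The five steps above can be turned into a single status and triage pass. The following PowerShell is an added example written for this article, not code from the Microsoft playbook; it assumes the UEFICA2023Status and UEFICA2023Error values live under HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing and that the event IDs 1795, 1803 and 1808 are written to the System log by the Microsoft-Windows-TPM-WMI provider (both taken from Microsoft's KB5025885 guidance as the author recalls it; verify against the playbook before relying on them).

```powershell
# Added example: inventory Secure Boot certificate status on one or more servers
# and map it to the next action from the playbook's Steps 1 to 5.
$servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'   # assumed path (KB5025885)

function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $block = {
        param($Servicing)
        $enabled = $false
        try { $enabled = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS / non-UEFI hosts
        $props = Get-ItemProperty -Path $Servicing -ErrorAction SilentlyContinue
        # Event IDs named in the article: 1808 = certificates applied to firmware,
        # 1795 = error handing certificates to firmware, 1803 = KEK deployment issue.
        # The provider name is an assumption.
        $events = Get-WinEvent -FilterHashtable @{
            LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1795, 1803, 1808
        } -MaxEvents 50 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            SecureBootOn     = $enabled
            UEFICA2023Status = $props.UEFICA2023Status   # "not started" / "in progress" / "updated"
            UEFICA2023Error  = $props.UEFICA2023Error    # value exists only when an error occurred
            Applied1808      = [bool]($events | Where-Object Id -eq 1808)
            FirmwareErr1795  = [bool]($events | Where-Object Id -eq 1795)
            KekErr1803       = [bool]($events | Where-Object Id -eq 1803)
        }
    }
    if ($ComputerName -eq $env:COMPUTERNAME) { & $block $servicing }
    else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $block -ArgumentList $servicing }
}

function Get-RemediationAction {
    param([Parameter(ValueFromPipeline)]$Status)
    process {
        # Ordered by severity: firmware and KEK errors take precedence over progress state.
        $action = switch ($true) {
            (-not $Status.SecureBootOn)                  { 'Not applicable: Secure Boot disabled or legacy BIOS'; break }
            ($Status.FirmwareErr1795)                    { 'Apply OEM firmware update (Step 3), then retry'; break }
            ($Status.KekErr1803)                         { 'KEK deployment failed: consult the device manufacturer'; break }
            ($Status.UEFICA2023Status -eq 'updated' -or $Status.Applied1808) { 'Done'; break }
            ($Status.UEFICA2023Status -eq 'in progress') { 'Wait (about 12 h) or reboot at the next window'; break }
            default                                      { 'Needs deployment: registry key or Group Policy, never both' }
        }
        $Status | Add-Member -NotePropertyName Action -NotePropertyValue $action -PassThru
    }
}

# Usage (hypothetical host names):
# 'srv01', 'srv02' | ForEach-Object { Get-SecureBootCertStatus $_ } | Get-RemediationAction | Format-Table
```

Run it first against the small representative sample from Step 1; the Action column separates servers that still need deployment from those blocked on firmware or OEM support.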

Available Deployment Methods

Organizations have four primary options for deploying Secure Boot certificate updates:

Registry Keys: Set the AvailableUpdates registry key value to 0x5944 to deploy all needed certificates and update to the Windows UEFI CA 2023 signed boot manager. This corresponds to the Group Policy setting Enable Secure Boot certificate deployment.

Group Policy: Navigate to Computer Configuration > Administrative Templates > Windows Components > Secure Boot and enable the policy. This setting corresponds to the registry key AvailableUpdates and allows Windows to automatically begin the certificate deployment process.

Windows Configuration System (WinCS): New command-line tools are available for domain-joined Windows Server instances running on Windows Server 2022, including both traditional executable and PowerShell module options.

New VM Deployment: For virtualization platforms, starting new instances using the latest VM versions that natively support the Secure Boot 2023 certificates may be the best option.

Critical Considerations

IT administrators must avoid mixing deployment methods on the same device, as this can lead to unpredictable results. The playbook emphasizes starting small, verifying success, and then deploying to validated server instances of the same type.

Organizations should also be aware that firmware update support on older products is determined by the OEM, and some manufacturers may have ended firmware support for specific systems, making updates unavailable.

Getting Started

The playbook provides a clear path forward for organizations to begin preparation today, well in advance of the June 2026 expiration date. By following the outlined steps and utilizing the available tools, IT teams can ensure their Windows Server infrastructure maintains proper security posture through this critical certificate transition.

For the latest information and resources, organizations can bookmark https://aka.ms/GetSecureBoot as their landing page for Windows Secure Boot certificate updates.

The comprehensive nature of this guidance reflects the critical importance of maintaining Secure Boot functionality across Windows Server environments, particularly as the expiration deadline approaches and the security implications of delayed updates become more significant.
