Why Are My Windows Server Secure Boot Certificates Expiring and How Do I Fix Them?
Windows Server administrators must manually update their 2011 Secure Boot certificates to the 2023 versions before they expire in June 2026 to maintain early boot security. Unlike consumer PCs, Windows Server environments do not receive these critical cryptographic updates automatically through Windows Update, requiring deliberate IT intervention.
Secure Boot Certificate Expiration
The original Secure Boot certificates issued 15 years ago reach their end of life in June 2026. This expiration affects the Key Exchange Key (KEK) and the Authorized Signature Database (db) entries stored in the Unified Extensible Firmware Interface (UEFI) variables of most older server hardware. Hardware manufactured from 2025 onward typically ships with the updated 2023 certificates already installed.
Impact of Expired Certificates
Servers with expired certificates will continue to boot but immediately lose their cryptographic trust status. This degradation disables security protections for the early boot process, directly impacting BitLocker hardening and boot-level code integrity validation. Affected servers also stop receiving vital security updates for the Windows boot manager and Secure Boot revocation lists.
The Manual Update Requirement
Microsoft uses Controlled Feature Rollout to deliver certificate updates automatically to Windows client devices, but this mechanism completely excludes Windows Server deployments. System administrators must take deliberate action to deploy the required 2023 Secure Boot certificates across their server infrastructure. IT teams should review Microsoft’s official Secure Boot playbook published in February 2026 for detailed implementation guidance.
Required Administrator Actions
IT professionals must first verify that their Windows Server instances have the latest cumulative updates installed before proceeding. Administrators can then trigger the certificate deployment by setting the registry value AvailableUpdates under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot to 0x5944. Some systems also require a firmware or BIOS update from the hardware manufacturer before they can safely apply the new Microsoft certificates.
Automated Verification Methods
Administrators can utilize PowerShell scripts to verify the current status of installed UEFI certificates across their server fleet. Technology vendors like Dell and VMware provide specific documentation for checking certificate compatibility on their proprietary hardware and hypervisors. The open-source community also maintains reliable audit tools on GitHub, such as the Check-SecureBootCerts.ps1 script, to help verify server compliance before the June deadline.
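The following PowerShell audit is an added example written for this article, not the Check-SecureBootCerts.ps1 script or any vendor tool it mentions. It reads the UEFI db and KEK variables, parses the EFI_SIGNATURE_LIST structures they contain, lists each X.509 certificate with its expiry, and reports the AvailableUpdates trigger value described above. It assumes an elevated session on a UEFI Secure Boot host, and it treats a subject containing "2023" as the marker of an updated certificate, which is an assumption about Microsoft's naming rather than something the article states.

```powershell
#Requires -RunAsAdministrator
# EFI_CERT_X509_GUID from the UEFI specification: signature lists whose entries are DER certificates
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-EfiX509Certificates {
    param([Parameter(Mandatory)][string]$Name)   # 'db' or 'KEK'
    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    # A variable holds one or more EFI_SIGNATURE_LIST structures packed back to back:
    # GUID SignatureType(16) | UINT32 ListSize | UINT32 HeaderSize | UINT32 SignatureSize | header | entries
    while ($offset + 28 -le $bytes.Length) {
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { break }            # defensive: stop on a malformed list
        if ($type -eq $X509Guid) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            # Each EFI_SIGNATURE_DATA entry is a 16-byte owner GUID followed by the DER certificate
            while ($pos + $sigSize -le $end) {
                $der = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Test-SecureBoot2023Certs {
    if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled'; return $false }
    $ok = $true
    foreach ($var in 'db', 'KEK') {
        $certs = @(Get-EfiX509Certificates -Name $var)
        foreach ($c in $certs) {
            Write-Host ('{0,-4} {1,-55} expires {2:yyyy-MM-dd}' -f $var, $c.Subject, $c.NotAfter)
        }
        # Assumption: the 2023 certificates carry "2023" in their subject name
        if (-not ($certs.Subject -match '2023')) { Write-Warning "$var contains no 2023 certificate"; $ok = $false }
    }
    # The deployment trigger from the article: AvailableUpdates under the SecureBoot key
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $reg = Get-ItemProperty -Path $key -Name AvailableUpdates -ErrorAction SilentlyContinue
    if ($reg) { Write-Host ('AvailableUpdates = 0x{0:X}' -f $reg.AvailableUpdates) } else { Write-Host 'AvailableUpdates not set' }
    return $ok
}

Test-SecureBoot2023Certs
```

Run it per host (or via Invoke-Command across the fleet) before and after setting AvailableUpdates; a $true result with 2023 entries in both db and KEK is the state to expect once the update has been applied and the server rebooted.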