Deploying Secure Boot certificate updates across the Windows ecosystem has required coordination across operating systems, device manufacturers, and firmware vendors. The steady and coordinated rollout is strengthening the platform root of trust worldwide.
Many individuals and organizations have already successfully updated certificates for client devices, servers, and virtual machines, with others close behind. Proven deployment and validation tools, automatic certificate installation via Windows updates, and firmware support from our OEM partners are helping us all move forward with confidence. However close you are, finishing Secure Boot certificate deployment remains important. If you’re still on the path to finishing your Secure Boot certificate deployment, stay the course.
What we’ve seen work in practice
Every individual device and organization’s environment is different.
In the commercial realm, across customer conversations, Ask Microsoft Anything (AMAs) events, and hands-on deployments, a few consistent patterns have emerged:
- Early testing builds confidence. Many organizations start with pilots, validate results, and expand rollouts as confidence grows for both Windows and IT teams.
- Layered deployment approaches work best. Teams have successfully deployed OEM firmware updates with Windows security updates, using a mix of automation and staged rollout.
- Multiple tools can lead to success. From Microsoft Intune to Group Policy, Azure automation, and PowerShell, there isn’t a single „right“ tool, only the right fit for your environment.
From talking with many of you, we learned that the diversity of tools and deployment approaches is a key reason the transition has succeeded at scale. Organizations are using a flexible resource set that meets their needs where they are.
For home users and organizations that allow Microsoft to manage Windows updates, the experience has been equally straightforward. A few takeaways stand out:
- Keeping devices up to date delivers the best experience. Individuals running supported versions of Windows and receiving regular Windows updates have generally received the newer certificates automatically. Don’t pause Windows updates; keep them coming!
- Built-in protections simplify the update. Secure Boot is enabled by default on most modern PCs, helping these devices receive the newer certificates without manual configuration. Simply keep Secure Boot enabled or re-enable it if needed.
- Built-in tools help you be ready. The Windows Security app can help you track progress. It can show whether the new certificates have reached your device and whether Secure Boot remains enabled. If anything is preventing devices from receiving and applying the certificates, you can follow embedded instructions to make progress. Note: In enterprise environments, the Windows Security app is disabled by default.
Overall, for most supported Windows Home and Pro PCs and business devices managed by Microsoft, staying protected has been as simple as keeping Windows up to date and Secure Boot enabled.
NOTE: While most Secure Boot-enabled PCs receive the newer certificates through the monthly Windows update process, a small number might require a firmware update from the device manufacturer. The Windows Security app can help identify whether your device is waiting for a firmware update. In some cases, the firmware updates needed to support these changes might not be available for older device models, depending on the manufacturer’s support lifecycle. Reach out to your device manufacturer if you encounter this case.
Our experience at Microsoft
Microsoft’s internal deployment followed many of the same principles described throughout this post. We began with limited deployments, used validation and deployment signals to build confidence, and expanded over time. This phased approach helped us identify issues early, validate readiness, and scale deployment in a measured way.
Along the way, we encountered many of the same edge cases and scenarios that many of you are navigating. Those experiences shaped the tools and guidance we’ve continued to share externally, including:
- New Secure Boot status messages in the Windows Security app that help users understand certificate readiness and identify issues that might require attention.
- Secure Boot certificate update playbooks for both Windows Client and Windows Server, along with tailored guidance for Windows 365 and Azure Virtual Desktop.
- Multiple Ask Microsoft Anything sessions, now available on demand.
- Expanded tools for IT-managed environments, including event logs, PowerShell scripts, Microsoft Intune remediations, Microsoft Defender insights, and Windows Autopatch reporting.
Microsoft has been learning alongside you and turning those lessons into resources that you can use.
Keep going; you’re on the right path
If you’re an IT administrator still deploying Secure Boot certificate updates, you’re not alone. Organizations and individuals are progressing at different speeds, based on their environments and requirements. This flexibility is intentional.
What we’ve seen consistently is that success comes from staying the course:
- Keep your devices up to date with the latest Windows updates.
- Check that the latest firmware version is installed. You can visit your OEM’s support page or use their official support channels.
- Continue with your phased rollout. Gradual deployment of certificates, boot managers, and updated OEM firmware, along with validation, remains the most reliable approach.
- Use the tools available to you. Whether built into Windows, such as the Windows Security app, or designed for IT-managed environments, these tools help you monitor progress and make informed decisions.
Focus on progress over perfection. Each step forward strengthens your environment’s platform root of trust.
Devices with older certificates will continue to function and receive updates, giving you time to complete deployment. Completing this transition helps ensure that your devices stay current with evolving Secure Boot protections.
Resources to support your next steps
We’re nearly finished with rolling out automatic certificate updates to individual PCs and business devices. If you are still in the process of rolling out updates in your organization, these resources can help:
- Windows Secure Boot certificate expiration and CA updates
- Secure Boot playbook for certificates expiring in 2026
- Secure Boot playbook for Windows Server
- Secure Boot Certificate Updates for Windows 365
- Secure Boot Certificate Updates for Azure Virtual Desktop
- Secure Boot update: Trusted Launch VMs (TVM) and Confidential VMs (CVM)
In the coming weeks, there are also still opportunities to ask questions. Save the date for these upcoming events:
- July 1 – Windows Server Secure Boot AMA
- July 8 – Secure Boot Office Hours for virtualized environments
- July 15 – OEM Secure Boot Office Hours
Device owners using Windows Personal and Family accounts can use online support channels and phone numbers for additional help.
This has been a long and meaningful journey. Together, we have strengthened the platform root of trust that modern security depends on. Wherever you are in your certificates update process, you are contributing to that shared progress.
Quelle: Best practices for deploying Secure Boot certificate updates

by BlackRabbitZ