Microsoft Issues Warning on Expired Windows Secure Boot Certificate

Microsoft has issued an urgent warning to Windows users about upcoming Secure Boot certificate expirations that could significantly impact device security and functionality.

The company released an out-of-band update on July 13, 2025, addressing immediate technical issues while highlighting a critical timeline for certificate updates that organizations and individual users must address to maintain secure boot capabilities.

Microsoft has announced that Secure Boot certificates used by most Windows devices are scheduled to expire starting in June 2026, potentially affecting the ability of personal and business devices to boot securely if not updated in advance.

The company emphasizes that this expiration could cause significant disruption to device functionality, particularly for organizations relying on secure boot mechanisms for enhanced security protocols.

The tech giant strongly recommends that users and IT administrators review the guidance and take proactive steps to update certificates well before the expiration date.

Microsoft has provided detailed preparation steps and guidance documentation to help users navigate the certificate update process, recognizing that the complexity of this task may require advance planning and coordination, especially in enterprise environments.

The warning comes as part of Microsoft’s broader effort to maintain security standards while ensuring minimal disruption to users’ daily operations.

The company has indicated that failure to update these certificates in time could result in devices being unable to boot securely, potentially leaving systems vulnerable or inaccessible.

Azure Virtual Machine Issues

The July 13, 2025 out-of-band update KB5064489 for OS Build 26100.4656 includes several quality improvements and cumulative security fixes from the previous July 8, 2025 security update.

Most notably, the update specifically addresses a critical issue affecting Azure Virtual Machines with Trusted Launch disabled.

The fix resolves a problem that prevented some virtual machines from starting when Virtualization-Based Security (VBS) was enabled.

This issue particularly affected VMs using version 8.0, a non-default version where VBS was offered by the host.

In Azure environments, this problem specifically impacted standard General Enterprise (GE) VMs running on older VM SKUs, caused by a secure kernel initialization issue.

Additionally, the update includes Windows 11 servicing stack update KB5063666-26100.4651, which makes quality improvements to the servicing stack component responsible for installing Windows updates.

This ensures users have a robust and reliable servicing stack for receiving and installing future Microsoft updates.

Installation Methods

Microsoft has made the update available through multiple distribution channels to ensure broad accessibility.

Users can obtain the update through Windows Update, Business Catalog, and Server Update Services, providing flexibility for different organizational needs and preferences.

The company has combined the latest servicing stack update with the latest cumulative update, following their standard practice for distributing comprehensive updates.

For organizations that may need to remove the update after installation, Microsoft provides specific instructions using the DISM/Remove-Package command line option with the LCU package name as the argument.

However, Microsoft warns that running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch will not work on the combined package because it contains the servicing stack update, which cannot be removed from the system after installation.

Currently, Microsoft reports no known issues with this update, suggesting a stable release for immediate deployment.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.