Windows Server Secure Boot for certificates expiring in 2026
Posted by Rascalvin@reddit | sysadmin | 21 comments
Hi all
Is this something you care about?
If so, how do you handle it? Mildly panic or hope it will go solve itself or??
Do you automate the update?
https://techcommunity.microsoft.com/blog/windowsservernewsandbestpractices/windows-server-secure-boot-playbook-for-certificates-expiring-in-2026/4495789/replies/4496690
BlockBannington@reddit
Here I am, trying to figure out what the fuck we need to do for servers for over two months but apparently everyone in this sub reads other articles than I do. 'search the sub' they say. 'you have to do something' they say.
Why the fuck is this such a secretive thing? Why is nobody pointing anybody in the right direction when it comes to secure boot, not even Microsoft? Is Big Cert behind this?
DeifniteProfessional@reddit
Make sure your server UEFI firmware is up to date, then wait for Microsoft to push the last minute updates that probably give your servers the right new certs, or so it seems
RunForYourTools23@reddit
Dell environment here managed by SCCM and co-managed with Intune. Get all minimum BIOS versions that include the new certificate. Check which models are supported or not; for those supported, deploy at least the minimum version (or latest) so the DefaultDB can be updated (we use Dell Command Update with policies). Then apply the Intune Secure Boot policy to force the certificates to be installed through Cumulative Update/Windows Update. This will update the ActiveDB. For unsupported devices you will not be able to update the DefaultDB as Dell does not provide a BIOS update for unsupported models, so just keep them with the latest BIOS version and deploy the Secure Boot policies so the ActiveDB can be updated. The con for those is, if someone clears the Secure Boot keys in the UEFI settings, then it will revert back to the old certificate and booting could be an issue, but just disable Secure Boot, install the OS, then enable Secure Boot again and update the ActiveDB.
Alternate option: Update all BIOS and put all devices in Opt-in and let Microsoft control the certificate installation with Cumulative Updates.
InternetStranger4You@reddit
Do a quick search in this subreddit. There are LOTS of threads on this. This is something you need to take care of before the date otherwise you will have problems down the road.
margaritapracatan@reddit
The problem won’t be ‘down the road’, it will be immediate. But, the device(s) will continue to operate, just more susceptible to rootkit attacks.
Select-Cycle8084@reddit
When is the date?
Rascalvin@reddit (OP)
I think it is June 26th
Hobbit_Hardcase@reddit
We turned on the Reg keys with an Intune config and then set Dell Command Update to run weekly. We're 90% there now.
man__i__love__frogs@reddit
That doesn't apply to servers.
Made_UpWords@reddit
Correct, so just, like, update them with iDRAC or whatever? Whatever it is you guys are doing over there? lmfao
No Dell Command:Update doesn't work on servers, we get it, so just figure it out? lmfao
CSHawkeye81@reddit
Which config settings did you use, might I ask? We are using DCU to get drivers/BIOSes updated on our fleet in the next 2-3 weeks.
Woodtoad@reddit
I'm half asleep here so can't be bothered to search, sorry - this applies to VMs as well or physical servers running Windows Server only?
eater_of_spaetzle@reddit
Both.
wrootlt@reddit
I have brought this up to my team and manager a few times already. But they don't care, because "it will still boot, right?". And they are too busy dealing with the RC4 thing. I have spent some time reading about settings and registries and GPO and watched the latest AMA (it is more about desktops than servers, but still has some useful tips). Currently I am thinking about finding a way to do inventory (it is complicated as it is a big company with siloed tools and also an MSP on the side), to see how big of an impact it will have. But I usually don't have time for this side activity as I have other stuff on my hands (dealing with tickets and customers).
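As an added example (editor's code, not posted by any commenter and not Microsoft's tooling), here is a PowerShell inventory script that does the per-host check RunForYourTools23's procedure above relies on (is the new CA actually in the ActiveDB and KEK, and is the opt-in registry value set?) and gives wrootlt's inventory question a starting point. It assumes the certificate subject strings Microsoft publishes for the 2011 and 2023 CAs and the documented `SecureBoot\Servicing\AvailableUpdates` opt-in value; the server names in the usage comment are placeholders.

```powershell
# Added example, not from the thread or from Microsoft: per-host Secure Boot certificate inventory.
# Requires the built-in SecureBoot module (Windows Server 2016+ / Windows 10+) and an elevated shell.
# Assumed (labelled): the subject strings below are the names Microsoft uses for the 2011 and 2023
# CAs; HKLM\...\SecureBoot\Servicing\AvailableUpdates is the documented opt-in registry value.

function Get-SecureBootCertInventory {
    [CmdletBinding()]
    param()

    $r = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        UefiFirmware      = $false
        SecureBootEnabled = $false
        DbHas2011CA       = $null   # old 'Microsoft Windows Production PCA 2011' (expires 2026)
        DbHas2023CA       = $null   # new 'Windows UEFI CA 2023' (must land in the ActiveDB)
        KekHas2023CA      = $null   # new 'Microsoft Corporation KEK 2K CA 2023'
        AvailableUpdates  = $null   # registry opt-in value, if set
        Status            = 'Unknown'
    }

    # Confirm-SecureBootUEFI throws on legacy-BIOS hosts and on VMs without UEFI firmware
    try {
        $r.SecureBootEnabled = [bool](Confirm-SecureBootUEFI)
        $r.UefiFirmware = $true
    } catch {
        $r.Status = 'NotUEFI'
        return [pscustomobject]$r
    }

    # db/KEK are EFI_SIGNATURE_LISTs holding DER certificates; the subject CN is plain ASCII
    # inside the blob, so a substring match on the decoded bytes answers "is this cert present?"
    function Test-SbVariable([string]$Name, [string]$Pattern) {
        try {
            $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
            return ([System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Pattern))
        } catch {
            return $false   # variable missing or unreadable: treat as "not present"
        }
    }

    $r.DbHas2011CA  = Test-SbVariable 'db'  'Microsoft Windows Production PCA 2011'
    $r.DbHas2023CA  = Test-SbVariable 'db'  'Windows UEFI CA 2023'
    $r.KekHas2023CA = Test-SbVariable 'KEK' 'Microsoft Corporation KEK 2K CA 2023'

    # Opt-in value that tells the servicing stack which Secure Boot updates it may apply
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $r.AvailableUpdates = (Get-ItemProperty -Path $svc -Name AvailableUpdates `
                              -ErrorAction SilentlyContinue).AvailableUpdates

    if (-not $r.SecureBootEnabled) {
        # Still boots, but the expiry is moot and the bootkit protection is simply off
        $r.Status = 'SecureBootOff'
    } elseif ($r.DbHas2023CA -and $r.KekHas2023CA) {
        $r.Status = 'Updated'
    } elseif ($r.DbHas2023CA) {
        $r.Status = 'DbUpdated-KekPending'
    } else {
        $r.Status = 'NeedsUpdate'
    }

    return [pscustomobject]$r
}

# Usage: run locally, or fan out over WinRM to the server list you already have.
# $servers = 'srv-app01', 'srv-app02', 'srv-db01'   # placeholder names, not real hosts
# Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-SecureBootCertInventory} |
#     Select-Object ComputerName, Status, SecureBootEnabled, DbHas2023CA, KekHas2023CA, AvailableUpdates |
#     Export-Csv .\secureboot-inventory.csv -NoTypeInformation
Get-SecureBootCertInventory | Format-List
```

Hosts reporting `NeedsUpdate` with `UefiFirmware = $true` are the ones where the BIOS/DefaultDB step and the opt-in still have to happen; `SecureBootOff` hosts are the ones margaritapracatan's point about rootkit exposure applies to today, regardless of the certificate date.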
HJForsythe@reddit
Wait until it starts updating every 47 days.
mixduptransistor@reddit
These aren’t those certs
HJForsythe@reddit
That was the joke.
mixduptransistor@reddit
Sarcasm is dead on the internet. I've had more than one conversation in this sub where people were complaining their code signing or other non-web-related certs were going to be ruined by the new browser time limits
HJForsythe@reddit
Yeah I mean the 47 day thing is also objectively ridiculous and pointless.
PinkLuther@reddit
Easy on the surface, until my team realized we have over 50 models (20k+ endpoints in total) on which we must first upgrade the BIOS, on most we can do it remotely, some will require manual intervention, some need replacements... And all of this has to be done before the registry opt-in.... And we don't even know what exactly will happen if we don't get it done on time.
awnful24x7@reddit
use the search function