Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

Managing Secure Boot Certificate Expiration with NinjaOne

NinjaOne
05/31/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


Welcome to Ninja101, where today we're looking at how to manage the Secure Boot Certificate expiration that Microsoft has scheduled for June 2026. Before we dive in, a quick bit of background. Secure Boot is a UEFI feature that validates the signatures of pre-boot software before allowing it to run. Microsoft has three certificates underpinning this trust chain that are all expiring this year. The KEK CA-2011 and the UEFI CA-2011 begin expiring in June 2026, and the Windows Production PCA-2011, which signs the Windows bootloader itself, expires in October 2026. Devices that miss these updates won't stop booting, and standard Windows updates will continue to install, but they will lose the ability to receive new Secure Boot security protections for the early boot process. NinjaOne can help you monitor and manage that rotation across your entire fleet. Let's start in NinjaOne by creating the custom fields that will display the script's output. Go to Administration, Devices, Custom Fields, and let's create two custom fields. The first is a WYSIWYG field, or what you see is what you get. We're going to name this field Secure Boot Cert Status Card. Let's go to the Automation Permissions on the left and make sure that it has Read Write from Automations, but is Read Only to Technicians. And then under Advanced on the left-hand side, make sure to check the box to Always Expand. We're going to create a second custom field. This field will be a text field, and this is going to hold the one-line plain text summary. Go ahead and name this field Secure Boot Cert Status. And then under the Automation Permissions, give it the same permissions as above, with Read Write permissions for Automations, and Read Only for Technicians. Now that we've created the fields, we can go to the Roles menu. Hover over Windows Systems and then click the ellipsis on the right, select Edit, and then click Manage Tabs in the top right. We're going to create a new tab called Secure Boot, close this modal, then switch to the newly created tab, and add in the two custom fields we created earlier. Now we're ready to import the script. Navigate to Administration, Library, Automation, and then click the Add Automation button. This script is from the NinjaOne community, and I've linked it in the description below. Go ahead and copy and then paste it into the code box. Once you import the script, there are a few script variables that I am creating here. In the interest of time, that information is located in the GitHub link in the YouTube description. We're going to walk through this on a live device. Execute the script with Secure Boot Action set to Audit, and Enforce SVN Compliance set to Passive. This is a fully read-only run, so nothing is changed on the actual device. After the script completes, open the device and navigate to the Secure Boot custom field tab, and you'll see the status card populated with a detailed breakdown. Now that I know the state of my devices, I can start taking action. For most devices in managed environments, the quickest path is to enable the Windows Update opt-in so Microsoft's update process can push the new certificates automatically. Rerun the script with Secure Boot Action set to Enable Opt-in. This configures the machine's opt-in registry keys, sets the required telemetry level, and triggers the Schedule task. If the device is already opted in or already compliant, the script notes that no change was needed. We'll want to automate the script so that it keeps the custom fields current, so I'm going to create a task, name that task, schedule it, and configure the script to run every week in Audit mode. This way, as devices complete their rotation or encounter problems, you'll see it reflected in Ninja 1. Now that our custom field updates every week, we can report on devices that need attention. I'll navigate to Reporting and create a new summary report with a blank template. I can customize this report to add a data table, filter only to Windows devices, and then customize the columns so that the Secure Boot Cert Status custom field is present, along with data on the Make, Model, and Warranty information of the devices. We can also get a similar view by going to Devices and adding in the column for Secure Boot Cert Status, then filtering for Windows devices, and then for the Secure Boot Cert Status custom field where the value does not contain Compliant. And this is a broad catch-all for any device that hasn't completely finished the process. Let's look at some real-world examples. This first device is a laptop where the status card shows all three certificate updates, the UEFI CA-2023, KEK-2023, and Boot Manager, are marked as updated. We're just waiting for Windows Update to finalize the rotation. But on this second device, the status card shows the UEFI CA-2023 certificate is still missing, and a firmware update may be required to update the certificate. Last week I made a video on how NinjaOne can help manage firmware updates on Dell workstations, and this is exactly why that matters. For the 2023 certificates to be written into the UEFI Secure Boot Database, the device firmware first needs to support the injection. This is an older Dell machine that's no longer receiving any firmware updates from the manufacturer, which means that there's no path to get the new certificates onto it. The device will still boot after June 2026, and regular Windows updates will keep installing. But because the firmware can accept the replacement certificates, it will be permanently unable to receive new Secure Boot Security updates moving forward. I've linked the NinjaOne Community Script below. A very, very big thank you to Sam Kay, who is the creator of this script. Really appreciate you sharing all of your knowledge. If you have any questions, please leave a comment. Take care.

TL;DR

  • Microsoft's three critical Secure Boot certificates expire in June and October 2026, requiring proactive certificate rotation to maintain security protections for the early boot process.
  • NinjaOne's community script automates certificate status auditing, Windows Update opt-in configuration, and ongoing compliance monitoring across device fleets through custom fields and scheduled tasks.
  • Older devices without firmware support for 2023 certificate injection will continue booting but permanently lose the ability to receive new Secure Boot security updates, requiring hardware refresh planning.

Understanding the Secure Boot Certificate Challenge

Microsoft has scheduled the expiration of three critical certificates in the UEFI Secure Boot trust chain for 2026. The KEK CA-2011 and UEFI CA-2011 certificates expire in June 2026, while the Windows Production PCA-2011 certificate expires in October 2026. While devices won't stop booting after these expirations and standard Windows updates will continue, they will lose the ability to receive new Secure Boot security protections for the early boot process. This creates a significant security gap for organizations managing large device fleets, particularly for older hardware that may not support the certificate injection required for the 2023 replacement certificates.

Implementing Automated Monitoring and Remediation

NinjaOne addresses this challenge through a community-developed script that automates certificate status monitoring and remediation across entire device fleets. The solution involves creating custom fields to display certificate status, importing and configuring the audit script, and establishing automated weekly reporting to track compliance. The script can run in audit mode for read-only assessment or in active mode to enable Windows Update opt-in, configure registry keys, set telemetry levels, and trigger scheduled tasks. Organizations can create filtered reports to identify non-compliant devices and prioritize remediation efforts based on device make, model, and warranty status. The approach provides visibility into which devices require firmware updates to support the new certificates and which legacy devices may be permanently unable to receive future Secure Boot security updates due to manufacturer end-of-support.

Chapters

0:00 - Secure Boot Certificate Expiration Overview
1:10 - Creating Custom Fields in NinjaOne
2:10 - Assigning Custom Fields to Device Roles
2:37 - Importing the Community Script
3:06 - Running the Script and Viewing Results
5:15 - Real-World Examples and Firmware Considerations

Key Quotes

0:53 "Devices that miss these updates won't stop booting, and standard Windows updates will continue to install, but they will lose the ability to receive new Secure Boot security protections for the early boot process."
3:16 "This is a fully read-only run, so nothing is changed on the actual device."
5:53 "For the 2023 certificates to be written into the UEFI Secure Boot Database, the device firmware first needs to support the injection."
6:11 "The device will still boot after June 2026, and regular Windows updates will keep installing. But because the firmware can accept the replacement certificates, it will be permanently unable to receive new Secure Boot Security updates moving forward."

Categories:
  • » Cybersecurity » Endpoint Security
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Endpoint Management
  • Security Operations
  • Compliance & Governance
  • How-To
  • Technical Deep Dive
  • UEFI Secure Boot
  • Certificate Management
  • Windows Security
  • Firmware Updates
  • Compliance Monitoring
  • Automation Scripts
  • Device Lifecycle Management
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: Managing Secure Boot Certificate Expiration with NinjaOne

              XStreaminars (watch here)

              • Jul
                28

                Illumio + Netskope: Zero Trust in the Age of AI Autonomy

                07/28/202601:00 PM ET
                • Jul
                  29

                  Ask Your Cloud Anything: Unlocking Governance Silos in your Environments

                  07/29/202601:00 PM ET
                  More events

                  Industry Events (watch there)

                  • Jul
                    22

                    Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue

                    07/22/202601:00 PM ET
                    • Aug
                      19

                      Becoming Agent Ready: Insights from Cyera's Expertise

                      08/19/202612:00 PM ET
                      More events

                      Upcoming Webinar Calendar

                      • 07/21/2026
                        04:00 AM
                        07/21/2026
                        Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                        https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
                      • 07/22/2026
                        06:30 AM
                        07/22/2026
                        Insights and Strategies in Data Protection and Privacy Management
                        https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-in-data-protection-and-privacy-management/
                      • 07/22/2026
                        01:00 PM
                        07/22/2026
                        Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue
                        https://www.truthinit.com/index.php/channel/2029/insights-from-attackers-during-the-fifa-world-cup-a-human-dialogue/
                      • 07/28/2026
                        01:00 PM
                        07/28/2026
                        Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                        https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
                      • 07/29/2026
                        04:00 AM
                        07/29/2026
                        Real-Time Strategies for Safeguarding Against Prompt Injections
                        https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
                      • 07/29/2026
                        01:00 PM
                        07/29/2026
                        Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                        https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
                      • 08/19/2026
                        12:00 PM
                        08/19/2026
                        Becoming Agent Ready: Insights from Cyera's Expertise
                        https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
                      • 09/02/2026
                        12:00 PM
                        09/02/2026
                        Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                        https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
                      • 09/30/2026
                        04:00 AM
                        09/30/2026
                        AI Command Center: Optimizing Visibility and Control in Your Operations
                        https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/
                      Truth in IT
                      • Sponsor
                      • About Us
                      • Terms of Service
                      • Privacy Policy
                      • Contact Us
                      • Preference Management
                      Desktop version
                      Standard version