Microsoft’s Continued Commitment to Ensuring Secure Boot with Ongoing Windows Updates

Microsoft has announced that it will automatically replace boot-level security certificates on Windows devices before they begin to expire later this year. This move is part of the regular Windows platform updates and signifies a “generational refresh” of the security standard.

Secure Boot, introduced in 2011 to safeguard systems from unauthorized changes during the boot process, has become a hardware requirement for Windows 11. The original 2011 Secure Boot certificates are set to expire between June 2026 and October 2026 after 15 years. New certificates issued in 2023 have already been integrated into many new Windows-based devices sold since 2024, but older PC hardware will require updates.

Nuno Costa from Microsoft emphasized the necessity of periodically refreshing certificates and keys to uphold strong protection as cryptographic security advances. Retiring old certificates and introducing new ones is an industry standard practice to prevent outdated credentials from becoming vulnerabilities and to align platforms with modern security expectations.

While PCs will still function normally on an expired certificate, they will enter a “degraded security state” that may restrict future boot-level security updates and lead to compatibility issues with upcoming hardware or software. The recent Windows 11 KB5074109 update has begun rolling out the new Secure Boot certificates.

The installation of the new certificates will be automated and require no additional action for most Windows 11 users. Microsoft notes that specialized systems like servers or IoT devices may have different update procedures, and some devices may need a firmware update from third-party manufacturers. Windows 10 users must enroll in Microsoft’s Extended Security Updates to receive the new certificates.