Microsoft is keeping Secure Boot alive with Windows updates

Source: The Verge · Field: Technology & Digital — Cybersecurity & Data Privacy, Software Development & Engineering, Internet of Things (IoT) & Connected Devices · Depth: Fundamental Awareness, quick

Summary

Microsoft is automatically updating Secure Boot certificates on Windows devices to prevent expiration later this year, a "generational refresh" of the security standard. Introduced in 2011, Secure Boot protects systems from unauthorized boot-time changes and is a Windows 11 hardware requirement. The original 2011 certificates are set to expire between June and October 2026. While new devices sold since 2024 already ship with 2023 certificates, older PCs require updates. Microsoft emphasizes that periodic certificate refreshes are standard industry practice to maintain strong cryptographic security. Although PCs will function with expired certificates, they will enter a "degraded security state," potentially limiting future updates and causing compatibility issues. The new certificates began rolling out with the Windows 11 KB5074109 update last month.

Key takeaway

CTOs managing Windows fleets should ensure their update policies are configured to automatically deploy the latest Windows platform updates, specifically KB5074109 and subsequent releases. This prevents devices from entering a "degraded security state" due to expired Secure Boot certificates, safeguarding against future compatibility issues and maintaining boot-level security across the organization's hardware. Pay special attention to specialized systems like servers or IoT devices, as they may require different update processes or third-party firmware updates.

Key insights

Microsoft is proactively refreshing Secure Boot certificates to maintain system integrity and prevent security degradation.

Method

Microsoft is deploying new Secure Boot certificates via regular Windows platform updates, with most users receiving them automatically, though some specialized systems or older hardware may require additional firmware updates.

Best for: CTO, IT Professional, Tech Journalist, General Interest

Editorial summary, takeaway, and curation by AIssential. Original article published by The Verge.