Microsoft is keeping Secure Boot alive with Windows updates
Summary
Microsoft is automatically updating Secure Boot certificates on Windows devices to prevent expiration later this year, a "generational refresh" of the security standard. Introduced in 2011, Secure Boot protects systems from unauthorized boot-time changes and is a Windows 11 hardware requirement. The original 2011 certificates are set to expire between June and October 2026. While new devices sold since 2024 already ship with 2023 certificates, older PCs require updates. Microsoft emphasizes that periodic certificate refreshes are standard industry practice to maintain strong cryptographic security. Although PCs will function with expired certificates, they will enter a "degraded security state," potentially limiting future updates and causing compatibility issues. The new certificates began rolling out with the Windows 11 KB5074109 update last month.
Key takeaway
For CTOs managing Windows fleets, ensure your update policies are configured to automatically deploy the latest Windows platform updates, specifically KB5074109 and subsequent releases. This proactive measure prevents devices from entering a "degraded security state" due to expired Secure Boot certificates, safeguarding against future compatibility issues and maintaining robust boot-level security across your organization's hardware. Pay special attention to specialized systems like servers or IoT devices, as they may require different update processes or third-party firmware updates.
Key insights
Microsoft is proactively refreshing Secure Boot certificates to maintain system integrity and prevent security degradation.
Principles
- Periodic certificate refresh is standard.
- Expired certificates degrade security state.
Method
Microsoft is deploying new Secure Boot certificates via regular Windows platform updates, with most users receiving them automatically, though some specialized systems or older hardware may require additional firmware updates.
In practice
- Check for Windows 11 KB5074109 update.
- Verify firmware updates for older hardware.
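A per-device check for the refresh described above, as an added example that is not from the original article or from Microsoft: it reports whether the 2011 and 2023 certificates are present in the firmware's Secure Boot variables. The function name and the certificate subject names searched for are assumptions taken from Microsoft's public Secure Boot guidance, not from this page; run it from an elevated PowerShell session.

```powershell
# Added example: report which Secure Boot certificates the firmware currently holds.
function Test-SecureBootCertRefresh {
    # Subject names to look for (assumed; not stated on this page).
    $expected = [ordered]@{
        db  = @('Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023')
        KEK = @('Microsoft Corporation KEK CA 2011', 'Microsoft Corporation KEK 2K CA 2023')
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS systems and when not elevated.
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
        return
    }

    foreach ($var in $expected.Keys) {
        # Read the raw signature database; some firmware may not expose a variable.
        try {
            $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
        } catch {
            Write-Warning "Could not read UEFI variable '$var': $($_.Exception.Message)"
            continue
        }

        # Certificate subject names appear as readable text inside the DER data.
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)

        foreach ($name in $expected[$var]) {
            [pscustomobject]@{
                SecureBootEnabled = $enabled
                Variable          = $var
                Certificate       = $name
                Present           = $text.Contains($name)
            }
        }
    }
}

Test-SecureBootCertRefresh | Format-Table -AutoSize
```

A device that shows only the 2011 rows as present has not yet received the new certificates and is a candidate for the firmware or update follow-up listed above.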
Topics
- Secure Boot
- Windows Security
- Cryptographic Certificates
- System Updates
- Hardware Security
Best for: CTO, IT Professional, Tech Journalist, General Interest
Editorial summary, takeaway, and curation by AIssential. Original article published by The Verge.