security certificates

Winsage
March 12, 2026
In March, Microsoft released cumulative security updates for Windows 10 and Windows 11, with support for certain versions continuing until March 2026. The updates include KB5079466 for Windows 11 version 26H1, KB5079473 for versions 24H2 and 25H2, KB5078883 for version 23H2, and KB5078885 for Windows 10 version 22H2. These updates will be distributed via Windows Update, the Microsoft Update Catalog, and WSUS for enterprise environments. This month, Microsoft combined the Servicing Stack Update (SSU) with the Latest Cumulative Update, simplifying the update process. Key enhancements include improvements to Secure Boot, with expanded device target data for new certificates, and security enhancements for Explorer’s search functionality in Windows 11 versions 24H2 and 25H2. A fix for Windows Defender Application Control (WDAC) was also implemented, addressing issues with COM objects under certain policy configurations. The Windows System Image Manager received a new warning dialog for confirming the trustworthiness of catalog files, which is important for enterprise environments. Updates for Windows 10 22H2, despite its end-of-life status, included fixes for Secure Boot issues and improvements for file version history in the Control Panel. An SSU for Windows 11 (KB5077869) was also released to maintain update stability. Microsoft's updates scheduled for March 2026 will address vulnerabilities in components like the Windows App Installer, SQL Server, and Microsoft Office. The Security Update Guide provides detailed information on specific vulnerabilities and affected components.
Winsage
February 13, 2026
The foundational security certificates supporting Windows Secure Boot, introduced in 2011, will expire in mid-2026, specifically in June and October. Microsoft and PC manufacturers are updating the Windows ecosystem to address this. Devices that do not receive updated certificates may face security limitations and compatibility issues with newer operating systems and hardware. The transition is described as a "generational refresh" of the trust infrastructure for Windows. Systems failing to update will still function but may enter a "degraded security state," unable to install new security mitigations or newer operating systems. Most users will receive updates automatically through Windows Update, while older systems may require manual intervention. Systems at risk include those running unsupported Windows versions, with Secure Boot disabled, or not enrolled in Extended Security Updates. Users should check their Secure Boot status using PowerShell commands to ensure they are using the new certificates. The update affects not only Windows PCs but also other devices utilizing UEFI Secure Boot.
Winsage
February 10, 2026
Microsoft is enhancing the security of Windows devices by replacing boot-level security certificates that are nearing expiration, with this initiative integrated into regular Windows platform updates. The original Secure Boot certificates from 2011 will expire between June and October 2026. Microsoft issued new certificates in 2023, and these are included in many new Windows devices sold since 2024. Older hardware will require updates to remain compliant. Devices with expired certificates will continue to operate but will enter a "degraded security state," potentially hindering future updates and causing compatibility issues. The rollout of the new Secure Boot certificates began with the Windows 11 KB5074109 update. Most Windows 11 users will have the new certificates installed automatically, while specialized systems may have different update protocols. Windows 10 users must enroll in Microsoft’s Extended Security Updates to receive the new certificates.
Winsage
January 13, 2026
Microsoft is enhancing security for Windows 11 24H2 and 25H2 users by automatically replacing expiring Secure Boot certificates on eligible devices. Secure Boot protects against malicious software by ensuring only trusted bootloaders are executed during startup. Many Secure Boot certificates are set to expire starting in June 2026, which could jeopardize secure booting capabilities if not updated. The update includes a mechanism to identify devices eligible for automatic receipt of new Secure Boot certificates. IT administrators are advised to install the new certificates to maintain Secure Boot functionality and prevent loss of security updates. Organizations can also deploy Secure Boot certificates through various methods. IT administrators should inventory their devices, verify Secure Boot status, and apply necessary firmware updates before installing Microsoft's certificate updates.
Winsage
July 16, 2025
Microsoft has announced that Secure Boot certificates for Windows devices will begin to expire in June 2026, which may affect device functionality and security. An out-of-band update (KB5064489) was released on July 13, 2025, to address immediate security concerns and prepare systems for the certificate transition. This update includes essential quality improvements and fixes issues related to the startup of certain Azure Virtual Machines when Virtualization-Based Security (VBS) is enabled. The update is cumulative and incorporates previous security fixes. Users are advised to install the update promptly and review guidance for updating their certificates before the expiration deadline.