Microsoft is keeping Secure Boot alive with Windows updates

Microsoft is taking proactive measures to enhance the security of Windows devices by replacing boot-level security certificates that are nearing expiration. This initiative, announced in a recent blog post, will be integrated into the regular Windows platform updates, heralding what the company describes as a “generational refresh” of its security standards.

Secure Boot, a feature introduced in 2011, was designed to safeguard systems against unauthorized modifications during the boot process. It has since become a fundamental requirement for Windows 11 systems. The original Secure Boot certificates from 2011 are approaching their expiration dates, which fall between June and October 2026. Microsoft issued a new set of certificates in 2023, and these are included in many new Windows devices sold since 2024. However, older hardware will require updates to stay compliant.

According to Nuno Costa from Microsoft, “As cryptographic security evolves, certificates and keys must be periodically refreshed to maintain strong protection.” He emphasized that retiring outdated certificates and introducing new ones is a standard practice in the industry, aimed at preventing aging credentials from becoming vulnerabilities and ensuring that platforms meet contemporary security expectations.

While devices with expired certificates will continue to operate, they will enter a “degraded security state.” This could hinder future boot-level security updates and may lead to compatibility issues with upcoming hardware or software. The rollout of the new Secure Boot certificates began with the Windows 11 KB5074109 update last month.

The installation of these new certificates will occur automatically for most Windows 11 users, requiring no additional steps. However, specialized systems, such as servers or IoT devices, may have different update protocols, and some devices might need a separate firmware update from third-party manufacturers. Users are encouraged to consult their OEM support pages for specific guidance. Additionally, Windows 10 users must enroll in Microsoft’s Extended Security Updates to receive the new certificates.
