Microsoft Rolls Out Secure Boot Certificate Updates for Windows 11

Microsoft rolled out two major Patch Tuesday updates, KB5074109 and KB5073455, bringing a wide set of improvements to Windows. One of the most significant changes targets Secure Boot, a core security feature that protects systems during startup.

Secure Boot certificate replacement rolls out via Windows Update

As BleepingComputer reports, Microsoft has started automatically replacing expiring Secure Boot certificates on eligible Windows 11 24H2 and 25H2 devices through Windows Update.

Secure Boot uses UEFI firmware to block unauthorized or malicious software from loading at startup. It verifies boot components against trusted digital certificates before the operating system launches.

Microsoft’s current Secure Boot certificates will begin expiring in June 2026. Without updated certificates, affected devices could lose Secure Boot protection and risk disruptions to future security updates that rely on pre-boot integrity checks.

Enterprises urged to update early as security requirements increase

According to the KB5074109 release notes, Microsoft deploys the new certificates in phases. The company prioritizes devices that show “sufficient successful update signals” to reduce the risk of widespread issues.

Microsoft advises IT administrators to install the updated certificates well before the 2026 expiration window. Organizations can rely on Windows Update for automatic delivery or deploy the certificates manually using registry keys, Windows Configuration System (WinCS), or Group Policy.

Checking Secure Boot status remains critical, as expired certificates weaken early-boot security and may allow untrusted code to run before Windows loads.

Beyond Windows 11, Microsoft has also released KB5073724 for Windows 10 under the Extended Security Updates program. As Microsoft continues to harden the Windows security stack, future updates may become more demanding as new protections extend deeper into firmware and startup processes.