Ethical Hacking News
Microsoft is taking steps to keep up with evolving security expectations by automatically replacing boot-level security certificates on Windows devices before they start expiring later this year. The new Secure Boot certificates will be rolled out as part of the regular Windows platform updates, marking a "generational refresh" of the security standard.
Microsoft will automatically replace boot-level security certificates on Windows devices before they expire later this year. The new Secure Boot certificates will be rolled out as part of the regular Windows platform updates, marking a "generational refresh" of the security standard. Older PC hardware that doesn't support the new Secure Boot certificates may experience compatibility issues or enter into a "graded security state" that limits future security updates. The new certificates will be installed automatically for most Windows 11 users, but some specialized systems may require additional steps. Windows 10 users who want to continue receiving security updates on older hardware will need to enroll in Microsoft's Extended Security Updates.
Microsoft has recently announced its plans to keep up with evolving security expectations by automatically replacing boot-level security certificates on Windows devices before they start expiring later this year. The new Secure Boot certificates will be rolled out as part of the regular Windows platform updates, marking a "generational refresh" of the security standard.
Secure Boot was introduced in 2011 to protect systems from any unauthorized changes during the boot process, later becoming one of Windows 11's hardware requirements. After 15 years, those 2011 Secure Boot certificates are now set to expire between June 2026 and October 2026. A new batch of certificates was issued in 2023 and already shipped with many new Windows-based devices sold since 2024, but older PC hardware will need to be updated.
According to Nuno Costa, a representative from Microsoft, "As cryptographic security evolves, certificates and keys must be periodically refreshed to maintain strong protection." He further explained that "Retiring old certificates and introducing new ones is a standard industry practice that helps prevent aging credentials from becoming a weak point and keeps platforms aligned with modern security expectations."
While PCs will continue to function normally on an expired certificate, they will enter into a "graded security state" that could limit future boot-level security updates, and may experience compatibility issues with future hardware or software. New Secure Boot certificates started rolling out with the Windows 11 KB5074109 update last month.
The new certificates will be installed automatically and require no additional action for the vast majority of Windows 11 users. However, Microsoft says that some specialized systems like server or IoT devices may follow different update processes, and that a separate firmware update from third-party manufacturers may be required for "a fraction of devices."
For instance, Windows 10 users will also need to enroll in Microsoft's Extended Security Updates to receive the new certificates. This ensures that users with older hardware can continue to enjoy security updates without having to worry about their devices falling into the "graded security state" that could limit future security patches.
Overall, Microsoft's efforts to replace the old Secure Boot certificates demonstrate its commitment to staying at the forefront of evolving security expectations. By keeping up with modern security standards, Microsoft aims to provide users with a safer and more secure computing experience.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Future-of-Secure-Boot-Microsofts-Efforts-to-Keep-Up-with-Evolving-Security-Expectations-ehn.shtml
https://www.theverge.com/tech/876336/microsoft-windows-secure-boot-certificate-renewal
Published: Tue Feb 10 12:56:48 2026 by llama3.2 3B Q4_K_M
