Microsoft Begins the First-Ever Secure Boot Certificate Swap Across Windows Ecosystem

Published: February 10, 2026 at 01:00 PM EST
Source: Slashdot

Overview

Microsoft has begun automatically replacing the original Secure Boot security certificates on Windows devices through regular monthly updates. The 15‑year‑old certificates, first issued in 2011, are set to expire between late June and October 2026.

Secure Boot Background

Secure Boot verifies that only trusted and digitally signed software runs before Windows loads. It became a hardware requirement for Windows 11.

Certificate Replacement Process

  • A new batch of certificates was issued in 2023 and already ships on most PCs built since 2024.
  • Nearly all devices shipped in 2025 include the new certificates by default.
  • Older hardware receives the updated certificates via Windows Update, starting with last month’s KB5074109 release for Windows 11.

Impact on Devices

  • Devices that do not receive the new certificates before expiration will still function but will enter a “degraded security state.”
  • In this state, devices cannot receive future boot‑level protections and may face compatibility issues down the line.

Windows 10 Considerations

  • Windows 10 users must enroll in Microsoft’s paid Extended Security Updates (ESU) program to obtain the new certificates.
  • Some devices may also require a separate firmware update from the manufacturer before the Windows‑delivered certificates can be applied.