Microsoft Begins the First-Ever Secure Boot Certificate Swap Across Windows Ecosystem
Microsoft has begun automatically replacing the original Secure Boot security certificates on Windows devices through regular monthly updates, a necessary move given that the 15-year-old certificates first issued in 2011 are set to expire between late June and October 2026.
Secure Boot, which verifies that only trusted and digitally signed software runs before Windows loads, became a hardware requirement for Windows 11. A new batch of certificates was issued in 2023 and already ships on most PCs built since 2024; nearly all devices shipped in 2025 include them by default. Older hardware is now receiving the updated certificates through Windows Update, starting with last month's KB5074109 release for Windows 11. Devices that don't receive the new certificates before expiration will still function but enter what Microsoft calls a "degraded security state," unable to receive future boot-level protections and potentially facing compatibility issues down the line.
Windows 10 users must enroll in Microsoft's paid Extended Security Updates program to get the new certificates. A small number of devices may also need a separate firmware update from their manufacturer before the Windows-delivered certificates can be applied.
7 comments
Re:certificates expiring..... (Score: 5, Insightful)
by Dishevel ( 1105119 ) on Tuesday February 10, 2026 @01:57PM (#65980556)
Because it is really invasive and has an ability to brick systems and the people responsible for doing it are low-wage idiots and AI, overseen by Microsoft, a company that has screwed up more than anyone thought possible. ...
I mean, maybe it will go fine, but it is current year Microsoft and
Re:certificates expiring..... (Score: 5, Informative)
by haruchai ( 17472 ) on Tuesday February 10, 2026 @03:13PM (#65980864)
For a very large number of Windows users, that's a distinction without a difference.
Why not have people make their own keys? (Score: 5, Insightful)
by Murdoch5 ( 1563847 ) on Tuesday February 10, 2026 @01:13PM (#65980458)
Secure boot is functionally useless if you're not using custom keys; what Microsoft should do is walk the user through the enrolment of custom keys, and discontinue their secure keys. The entire point of secure boot is that you sign the components with your source of truth. Microsoft holding keys for your boot environment means they control the source of the truth, which means it's not true, and not a safe source. I understand this would be complex, and could be confusing, but it's essential.
This is another example of absolute trust, instead of zero trust, something Microsoft seems to get wrong constantly.
Re:Why not have people make their own keys? (Score: 5, Insightful)
by Valgrus Thunderaxe ( 8769977 ) on Tuesday February 10, 2026 @01:31PM (#65980506)
That would make it more cumbersome for the police to break into your computer.
Disable secure boot? (Score: 5, Insightful)
by sinij ( 911942 ) on Tuesday February 10, 2026 @01:24PM (#65980488)
I have MS's own laptop, which was gifted to me, and it allows me to disable secure boot in BIOS settings. It gives me an angry red banner with an unlocked lock, but other than that it does not prevent booting. Is that not an option on most hardware?
Bullshit (Score: 5, Insightful)
by quonset ( 4839537 ) on Tuesday February 10, 2026 @01:29PM (#65980500)
Windows 10 users must enroll in Microsoft's paid Extended Security Updates program to get the new certificates.
Microsoft should be required to provide a certificate without any restriction. How many tens of millions of computers still run W10? Forcing people to enroll in something just to get a required update should be an automatic penalty.
Handy reminder! (Score: 5, Funny)
by zmollusc ( 763634 ) on Tuesday February 10, 2026 @02:28PM (#65980652)
That reminds me that I need to check the security system on my henhouse which ensures that _only_ foxes, and no other predator has 24h access.