Microsoft Begins the First-Ever Secure Boot Certificate Swap Across Windows Ecosystem
Microsoft has officially kicked off a critical behind-the-scenes update that could affect millions of Windows PCs worldwide—the automatic replacement of Secure Boot’s original security certificates through routine Windows Update patches. The move comes as the 15-year-old certificates, first issued back in 2011, approach their expiration window between late June and October 2026.
For those unfamiliar, Secure Boot is a foundational security feature baked into modern PCs that ensures only trusted, digitally signed software can run before the operating system loads. It’s been a mandatory hardware requirement for Windows 11 since its launch, acting as a digital gatekeeper against boot-level malware and unauthorized firmware modifications.
The new certificates were issued in 2023, and most PCs manufactured since 2024 have been shipping with them pre-installed. Nearly all devices built in 2025 already include the updated certificates by default. However, older hardware still running the original certificates will now receive them automatically via Windows Update, starting with last month’s KB5074109 update for Windows 11 users.
Microsoft’s approach is both proactive and necessary. If devices don’t receive the updated certificates before the originals expire, they’ll continue to function—but enter what the company describes as a “degraded security state.” In practical terms, this means future boot-level security protections won’t be applied, and users could face compatibility issues with newer software and firmware updates that rely on the updated trust chain.
Windows 10 users face a different reality. Because Windows 10 is in its extended support phase, only those enrolled in Microsoft’s paid Extended Security Updates (ESU) program will receive the new Secure Boot certificates. This creates a potential security gap for users still on Windows 10 who haven’t opted into the paid program, leaving their systems vulnerable to the degraded state once the certificates expire.
There’s also a hardware wrinkle to consider. A small subset of devices may require a separate firmware update from their manufacturer before the Windows-delivered certificates can be properly applied. This means some users might need to check with their PC maker for additional steps beyond the automatic Windows Update process.
The certificate rotation is part of a broader industry effort to maintain the integrity of the Secure Boot trust chain. Microsoft has been working with hardware partners and the wider tech ecosystem to ensure a smooth transition, minimizing disruption while maximizing security for the majority of users.
For most people, the update will happen silently in the background, requiring no action. But for IT administrators, device manufacturers, and security-conscious users, it’s a reminder of the invisible yet critical infrastructure that keeps modern computing secure. As the June-October 2026 deadline approaches, expect more communications from Microsoft and PC makers about ensuring all devices are properly updated.
In the meantime, Windows users are advised to keep their systems updated with the latest Windows Update releases to ensure they receive the new Secure Boot certificates automatically. For those on older hardware or Windows 10 without ESU, now might be the time to consider upgrading to avoid potential security and compatibility headaches down the line.