The Secure Boot certificate refresh is underway as old certificates expire; devices that don’t update risk degraded security and potential compatibility issues with future updates or hardware.

Microsoft is issuing new Secure Boot certificates (the 2023 batch) to replace the aging 15-year certificates that expire in June 2026, with automatic rollout starting via the Windows 11 KB5074109 update for most users.

The new certificates are already shipping with many devices sold since 2024, while older PC hardware will require firmware or driver updates from manufacturers to receive them.

Coverage and discussion around Windows security continue on Windows Central, inviting reader comments and engagement.

Experts, including a Microsoft Windows servicing director, emphasize that the change is routine, security-focused, and part of standard maintenance.

IT customers have been alerted to the transition, with guidance published in Microsoft blog posts and security playbooks.

Enterprise stakeholders are expected to weigh in on Microsoft's deployment decisions, with questions about how Microsoft will respond in the coming months.

Microsoft urges users to stay on a supported Windows version to receive updates, maintain performance, and keep protections against vulnerabilities.

The current text includes sponsor mentions and promotional material, rather than a deep technical report on the certificate replacement.

Outlets describe this as a generational refresh of the boot trust chain, delivered through standard Windows servicing for supported devices.

Managed fleets are advised to plan inventory, monitoring, and deployment strategies using Intune, Group Policy, and registry methods ahead of the June 2026 deadline.

Secure Boot is a UEFI feature that validates bootloaders via trusted signatures, is enabled by default on modern PCs, and is a hardware requirement for Windows 11.