certificate updates

Microsoft’s February 10, 2026 ESU rollup, KB5075912, raises Windows 10 22H2 to Build 19045.6937 while quietly widening the platform-level work that will keep Secure Boot functional as Microsoft’s 2011 Secure Boot certificate authorities approach expiry later this year. The update is small on the...

Microsoft’s phased replacement of the aging Secure Boot certificate chain — the move from the 2011 trust anchors to the Windows UEFI CA 2023 family — is now visible in Event Viewer and Windows update notes, but you don’t need to panic. The logs many people see right now (TPM‑WMI entries such as...

Microsoft’s warning that the Secure Boot certificates issued during the Windows 8 era are being retired in 2026 is not a hypothetical maintenance note—it’s a scheduled refresh of the cryptographic trust anchors that run before Windows even starts, and it has meaningful operational and security...

Microsoft has issued a coordinated warning: the original Secure Boot certificates that have underpinned Windows platform integrity since 2011 are reaching the end of their lifecycle, and a deliberate, ecosystem-wide refresh is required before mid‑2026 to avoid a progressive loss of...

Microsoft and the PC ecosystem are executing a quiet—but urgent—“generational refresh” of the cryptographic anchors that protect the very first code your PC runs, replacing Secure Boot certificates issued in 2011 with a new 2023 certificate family so billions of Windows PCs can keep receiving...

Microsoft is rolling out a coordinated refresh of the Secure Boot certificates that have anchored Windows boot security since 2011, and if you run Windows on older hardware you should treat this as a time‑sensitive maintenance event: new 2023 certificate authorities will be injected through...

IT administrators now have practical, fleet-scale ways to check whether Windows devices are carrying the updated Secure Boot certificate chain and whether they’re ready to accept the upcoming Secure Boot updates — a crucial capability as Microsoft and OEMs rotate the platform’s cryptographic...

Microsoft’s February 10, 2026 cumulative updates for Windows 11 quietly carried more than routine security fixes — they continued a staged rollout that will refresh the operating system’s Secure Boot certificate chain ahead of a looming expiry window that begins in June 2026. What looks like a...

Microsoft and the PC industry have quietly opened a narrow but critical window to prevent a pre‑OS security gap this year: Windows will start rolling replacement Secure Boot certificates into device firmware via staged OS updates, while Microsoft is simultaneously intensifying its public push...

Microsoft’s management toolchain now surfaces Secure Boot readiness and certificate status inside Intune, giving IT teams a single-pane view and control points to manage the platform-level certificate rotation required before Microsoft’s legacy Secure Boot CAs begin to expire in 2026. This...

Microsoft’s January Patch Tuesday includes a high-priority update that refreshes expiring Secure Boot certificates on Windows devices — a preventative, must-install fix that closes a narrow but critical window attackers could use to install persistent bootkits before the OS loads. rview UEFI...

Microsoft’s Secure Boot certificate rollover is a single operational item that can break trust across your fleet if it is ignored — Intune offers a manageable path to deploy the replacement 2023 Secure Boot certificates, but it must be used deliberately: inventory first, pilot widely, coordinate...

Microsoft’s Secure Boot certificate refresh and the Intune “High Confidence Opt-Out” setting are now central pieces of enterprise patch planning: Microsoft is replacing the 2011 Secure Boot trust anchors with new 2023 certificates and offering multiple delivery paths — including an OS‑side...

Microsoft has warned that the Secure Boot certificates first deployed in 2011 will begin to expire in mid‑2026, and organizations that don’t update their trust chain risk losing the ability to receive security fixes for pre‑boot components — and in rare, poorly‑prepared environments, may...