Microsoft will help older PCs avoid issues with outdated Secure Boot certificates by automatically updating them when transitioning to Windows 11

Microsoft will automatically replace obsolete Secure Boot certificates in Windows 11 by the end of this year

What Happens
* Automatic Update.

New security certificates used for boot verification (Secure Boot) will be deployed through regular Windows 11 OS updates. Users won’t need to do anything manually.

* Validity of Current Certificates.

Certificates issued in 2011 expire from June to October 2026. If they remain expired, the system will continue to operate, but protection levels will drop and compatibility risks may arise.

* Updating Older Hardware.

A new batch of certificates appeared in 2023 and is already included on most devices sold since 2024. However, older computers will require an update—either via standard Windows updates or, if necessary, through firmware from third‑party manufacturers (servers, IoT devices).

Why This Matters
* Cryptographic protection requires regular renewal.

As Microsoft spokesperson Nuno Costa noted in the company blog, removing outdated certificates and introducing new ones is “industry standard practice” that helps prevent old keys from becoming a vulnerability.

* Security Level.

If certificates remain expired, PCs will keep working but security will be reduced. This could limit future boot updates and cause compatibility problems with new hardware or software.

Technical Details
The update is implemented via the Windows 11 KB5074109 update released last month.
Automatic Mode: Most users will receive new certificates without action on their part.
Exceptions: Specialized systems (servers, IoT devices) may require separate firmware updates from third‑party manufacturers.

Thus, Microsoft ensures timely replacement of obsolete Secure Boot certificates, maintaining a high level of security and device compatibility for Windows 11 through the end of 2026.