Windows January update refreshes Secure Boot certificates to block bootkit malware

Microsoft's January Patch Tuesday update replaces expiring Secure Boot certificates on Windows PCs to help protect against bootkit malware that can load before Windows and security software.

Secure Boot uses certificates to ensure only trusted programs run during the boot process, and those certificates are set to expire starting in June 2026, Microsoft said in its support advisories. The January updates refresh the expiring certificates with new ones intended to last for a long time.

The updates, launched on Tuesday, appear as KB5074109 for Windows 11 and KB5073724 for Windows 10. To install them, go to Settings and select Windows Update; if the update does not appear, click the button to check for updates and allow it to run.

Microsoft warned that "without updates, the Secure Boot-enabled Windows devices risk not receiving security updates or trusting new boot loaders, which will compromise both serviceability and security." The vendor's recommendations are aimed at IT and security administrators but also apply to home users; Secure Boot is typically active on relatively modern PCs as part of the UEFI standard, and users can double-check their settings if needed.

Key Topics

Tech, Microsoft, Secure Boot, Uefi, Bootkit Malware