Follow ZDNET: Add us as a preferred source on Google.
ZDNET’s key takeaways
- Secure Boot protects your PC against bootkit malware.
- The Windows update refreshes expiring Secure Boot certificates.
- To install, head to Settings and select Windows Update.
I typically advise Windows users to install each new monthly Patch Tuesday update for the security fixes alone. But the January update is one you’ll especially want to snag. That’s because it will keep your PC protected against a nasty form of malware.
Bootkit malware aims to infect your PC before Windows and your security software even load. To guard against these threats, Secure Boot is a security feature that relies on certificates to ensure that only trusted programs kick off during the boot process. Now, those certificates are soon to expire. And that’s where the latest Windows update comes into play.
Launched on Tuesday, KB5074109 for Windows 11 and KB5073724 for Windows 10 include a variety of fixes. But the most important one is the refresh for the Secure Boot certificates. With those certificates due to expire in June, the latest updates replace the expiring ones with fresh new ones that promise to last for a long time.
Also: Is turning off Windows Security a bad idea in 2026? A PC expert’s bottom line
“Secure Boot certificates used by most Windows devices are set to expire starting in June 2026,” Microsoft said in its support advisories. “This might affect the ability of certain personal and business devices to boot securely if not updated in time.”
On its page on Windows Secure Boot certificate expiration, Microsoft added that “without updates, the Secure Boot-enabled Windows devices risk not receiving security updates or trusting new boot loaders, which will compromise both serviceability and security.”
Also: 9 things I always do after setting up Windows 11 – and why you should too
Microsoft’s recommendations are directed toward IT and security administrators who need to maintain a large fleet of computers at their organizations. But the advice applies equally to home and personal Windows users.
To update your PC with the January fixes, head to Settings and select Windows Update. The latest update should already be ready to install. If not, click the button to check for updates and allow it to run. Windows 11 users will see the update as KB5074109, while those on Windows 10 registered to still receive updates will spot it as KB5073724.
As long as you have a relatively modern computer, Secure Boot should already be active as it’s part of the UEFI (Unified Extensible Firmware Interface) standard. But if you want to double-check, read my article on how to enable the feature.
Featured
Editorial standards