Microsoft's Critical Windows Secure Boot Patch Closes Bootkit Exploits

Microsoft’s latest Patch Tuesday delivers a must-install fix that refreshes expiring Secure Boot certificates on Windows devices, closing a window that bootkit malware could exploit to take control of a PC before the operating system even loads. If you do one update this week, make it this one. Why This Patch Matters for Windows Security Bootkits attack the earliest stage of your computer’s startup chain, gaining persistence below the operating system where many security tools can’t see them. Once embedded, they can subvert trusted bootloaders, mask malicious changes, and survive reinstalls. Security teams have been on alert since real-world bootkits like BlackLotus demonstrated reliable exploitation of UEFI boot processes; researchers at ESET confirmed in-the-wild deployments, while CISA and the Microsoft Security Response Center have warned repeatedly that pre-boot compromises are among the hardest to detect and remediate. Secure Boot is the countermeasure: it checks cryptographic signatures on firmware and bootloaders, allowing only trusted components to run. But that trust depends on certificates and revocation lists that must be kept current. When those certificates age out, devices risk either refusing legitimate boot components or, worse, continuing to trust outdated ones that attackers can abuse. The new cumulative updates—KB5074109 for Windows 11 and KB5073724 for Windows 10—refresh Secure Boot certificate trust so Windows devices continue to validate known-good bootloaders and reject revoked ones. Microsoft notes that the Secure Boot certificates used by most Windows devices are set to expire in mid-2026, and that without these updates Secure Boot–enabled systems could fail to boot securely or stop trusting new boot components. In Microsoft’s own advisory, the company cautions that devices without the update risk compromising both serviceability and security. This isn’t the first time Secure Boot trust has needed a tune-up. Past incidents such as BootHole in GRUB2 required broad certificate and revocation updates to prevent tampered bootloaders from loading. The current refresh is preventive maintenance on that same trust chain—done now to avoid a scramble later. Who Should Install This Secure Boot Certificate Refresh Short answer: everyone running a supported version of Windows 10 or Windows 11. While Microsoft’s guidance often targets IT and security administrators managing fleets, the risk model applies equally to home users. Bootkits tend to show up first in targeted attacks, but once techniques mature they trickle down fast. Keeping Secure Boot’s certificates current ensures your system remains eligible for future security updates and continues to validate trusted bootloaders. Organizations with compliance requirements, high-value endpoints, or devices exposed to travel and untrusted peripherals should treat this as a priority. Past campaigns like TrickBoot, a module associated with TrickBot, probed systems for vulnerable firmware settings—reminding defenders that pre-boot weakness is prized by adversaries. Open Settings, go to Windows Update, and check for updates. On Windows 11 look for KB5074109; on supported Windows 10 systems look for KB5073724. Install, restart, and let the update complete. If you manage devices centrally, ensure your update rings or WSUS policies are greenlighting these packages across the estate. After installation, confirm that Secure Boot is enabled. Press Start, type “System Information,” and open it; under System Summary, find Secure Boot State. It should read On. If it’s Off and you have modern hardware, enable Secure Boot in UEFI firmware settings, typically under Security or Boot. Note that Secure Boot requires UEFI mode, not legacy BIOS, and turning it on may require disabling legacy or CSM boot options. Extra Hardening Steps to Strengthen System Defenses Keep firmware up to date using your OEM’s update utility or Windows Update for Business if your vendor participates in firmware delivery. Ensure BitLocker is enabled to protect data at rest, and consider virtualization-based security features that isolate critical processes from tampering. Finally, limit unsigned or untrusted boot-time drivers; driver signing enforcement and controlled device installation policies help reduce pre-boot risk. Bootkits thrive in the shadows before Windows loads, and Secure Boot is your flashlight. Microsoft’s latest updates renew that trust so your PC keeps booting safely and keeps receiving security fixes. Install the update today, verify Secure Boot is on, and stay ahead of attackers who would love to meet your machine before Windows does.