KB5074110 – How to Apply the Windows 11 Setup Dynamic Update and Keep Secure Boot Happy
The new KB5074110 refreshes the boot files used by Windows 11 24H2 and 25H2, replacing a bootmgfw.efi signed under the 2011 Microsoft certificate chain with one signed by the Windows UEFI CA 2023 certificate. It also pre‑loads the 2023 Secure Boot certificates that replace the 2011 ones, which start expiring in June 2026. This article shows what the update does, why it matters for Secure Boot, and how to install it without triggering a "Secure Boot violation" at the next boot.
What KB5074110 actually changes
- Replaces bootmgfw.efi with a copy signed by the Windows UEFI CA 2023 certificate.
- Updates the Secure Boot Signature Database (DB) on machines that already carry the 2023 certificate.
- Leaves the older 2011‑signed boot loader untouched on systems without the new cert—those will keep using the legacy file until the next roll‑out.
The goal is simple: make sure the boot manager can be verified by a certificate that won’t expire in a few months. If you’ve ever seen a “Secure Boot violation” screen after a BIOS reset, you’ll recognize why this matters.
Why the Secure Boot certificate expiration is a real pain point
Microsoft's own docs warn that the Secure Boot certificates most OEMs shipped (the 2011 Microsoft CAs) start expiring in June 2026. UEFI firmware generally does not check certificate expiry dates, so a machine that still trusts only the 2011 certificates keeps booting its current boot manager after that date; what it loses is the ability to receive newer boot components and Secure Boot fixes, which are signed under the 2023 certificates. The black-screen "Secure Boot violation" comes from a different mismatch: a boot manager whose signing certificate is not in the firmware's DB, for example a 2023‑signed bootmgfw.efi on a device whose DB was reset to a factory default that only carries the 2011 certificates. The result? A black screen and an error code that looks like something out of a sci‑fi movie.
Quick sanity check: Do you need this update?
- Running Windows 11 24H2 or 25H2? – If yes, the update is offered to you.
- Using Secure Boot? – The update installs either way, but the 2023‑signed boot manager is only put into use on machines whose DB already trusts the Windows UEFI CA 2023 certificate; everything else keeps the 2011‑signed file for now.
- Seeing "Secure Boot violation" after a recent BIOS flash? – The firmware's DB most likely no longer contains the certificate that signed your boot manager; you need a DB that trusts it again and a recovery USB ready to go.
If any of those boxes are ticked, push KB5074110 now rather than waiting for Windows Update to silently drop it later in the year.
How to install KB5074110 (no reboot required)
- Open Settings → Windows Update and click Check for updates.
- The update appears as “Setup Dynamic Update for Windows 11, version 24H2/25H2”.
- Click Download and install.
- Because the package only swaps a boot file and updates the Secure Boot DB, Windows won't ask for a restart.
- Verify installation: run dism /online /get-packages | findstr KB5074110 in an elevated Command Prompt.
The update ships as a "Setup Dynamic Update", meaning it updates the files that Windows Setup uses for the next feature update rather than patching the running OS binaries. That is why no reboot is needed.
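The sanity-check list and the dism verification above tell you whether the package is present, but not whether this machine is actually in the state the update targets. The script below is an added example (not code from the article or from Microsoft) that answers that from an elevated PowerShell prompt: it reports whether Secure Boot is on, which Microsoft CAs the firmware's DB trusts, and which CA signed the bootmgfw.efi on the EFI System Partition. It assumes the built-in SecureBoot cmdlets are available and that drive letter S: is free for a temporary mount of the EFI System Partition.

```powershell
# Added example, not code from the article or from Microsoft: a pre-flight and post-install
# check for the scenario above. Run it in an elevated PowerShell on the Windows 11 machine.
# Assumptions: the built-in SecureBoot cmdlets are available (they ship with Windows on UEFI
# systems), and drive letter S: is free to temporarily mount the EFI System Partition.
#Requires -RunAsAdministrator

# Certificate common names as they appear in Microsoft's Secure Boot guidance. The DER-encoded
# certificates inside the db variable carry these names as plain ASCII, so a substring match
# is enough to see which ones are present.
$KnownCas = @(
    'Microsoft Windows Production PCA 2011',
    'Microsoft Corporation UEFI CA 2011',
    'Windows UEFI CA 2023',
    'Microsoft UEFI CA 2023',
    'Microsoft Option ROM UEFI CA 2023'
)

function Get-SecureBootCaNames {
    # Returns which of the known CA names are present in a Secure Boot variable (db by default).
    param([string]$Variable = 'db')
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    $KnownCas | Where-Object { $text.Contains($_) }
}

function Get-BootManagerSigner {
    # Mounts the EFI System Partition, reads the Authenticode signature on the live
    # bootmgfw.efi and returns the signer and issuer names. Status may show UnknownError
    # because the UEFI CA roots are not in the Windows certificate store; the names are
    # what matters here.
    param([string]$EspLetter = 'S:')
    $mounted = $false
    if (-not (Test-Path "$EspLetter\EFI")) {
        mountvol $EspLetter /S | Out-Null
        $mounted = $true
    }
    try {
        $sig = Get-AuthenticodeSignature "$EspLetter\EFI\Microsoft\Boot\bootmgfw.efi"
        [pscustomobject]@{
            Status  = $sig.Status
            Subject = $sig.SignerCertificate.Subject
            Issuer  = $sig.SignerCertificate.Issuer
        }
    } finally {
        if ($mounted) { mountvol $EspLetter /D | Out-Null }
    }
}

try {
    $secureBootOn = Confirm-SecureBootUEFI
} catch {
    Write-Warning "Secure Boot cmdlets are not supported here (legacy BIOS?): $_"
    return
}

$dbCas      = Get-SecureBootCaNames -Variable db
$boot       = Get-BootManagerSigner
$dbHas2023  = $dbCas -contains 'Windows UEFI CA 2023'
$bootIs2023 = "$($boot.Subject) $($boot.Issuer)" -match 'Windows UEFI CA 2023'

"Secure Boot enabled : $secureBootOn"
"CAs found in db     : $($dbCas -join ', ')"
"bootmgfw.efi signer : $($boot.Subject)"
"bootmgfw.efi issuer : $($boot.Issuer)"

# Interpret the combinations the article describes.
if ($dbHas2023 -and $bootIs2023) {
    'OK: db trusts Windows UEFI CA 2023 and the boot manager is already 2023-signed.'
} elseif ($dbHas2023) {
    'Ready: db trusts Windows UEFI CA 2023; the 2023-signed boot manager can be put into use.'
} elseif (-not $bootIs2023) {
    'Not ready: db lacks Windows UEFI CA 2023, so the legacy boot manager stays in use until the DB is updated.'
} else {
    'Mismatch: 2023-signed boot manager with no 2023 CA in db; this only boots with Secure Boot off and fails once it is enabled.'
}
```

The last branch is the "Secure Boot violation" state seen from inside Windows: you can only land there with Secure Boot disabled, which is exactly the configuration to fix before re-enabling it. Run the script once before installing the update and once after to see the boot manager signer move from the 2011 chain to Windows UEFI CA 2023.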
When things go sideways – handling Secure Boot violations
If you have cleared the DB (for example by resetting the firmware to factory defaults) or toggled Secure Boot off and on again, the machine may refuse to boot: the firmware now holds a DB that trusts only the 2011 certificates, while the disk carries the 2023‑signed bootmgfw.efi, so the signature check fails before Windows ever loads. The fix is to create a Secure Boot recovery USB before you start playing with firmware settings:
- Insert a blank USB stick (at least 8 GB).
- Run securebootrecovery.exe /create /target:E:, replacing E: with the drive letter your USB stick received.
- Keep that stick handy; if the system refuses to boot, you can launch it from the firmware’s boot menu and restore a working DB entry.
The recovery tool isn’t flashy, but it saves an afternoon of digging through OEM support forums.
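The recovery USB gets you booting again, but it does not tell you what the firmware reset actually changed. As an added example (not code from the article), the script below snapshots the raw Secure Boot variables to a timestamped folder; run it once before you touch firmware settings and once afterwards and it reports, per variable, whether PK, KEK, db or dbx changed. It assumes an elevated PowerShell on a UEFI machine, and the snapshot folder under ProgramData is an example path.

```powershell
# Added example, not code from the article: snapshot the Secure Boot variables before you touch
# firmware settings, then run it again afterwards to see whether the reset changed them.
# Assumptions: elevated PowerShell on a UEFI machine; the snapshot folder below is an example path.
#Requires -RunAsAdministrator
param([string]$SnapshotRoot = "$env:ProgramData\SecureBootSnapshots")

$Variables = 'PK', 'KEK', 'db', 'dbx'

function Save-SecureBootSnapshot {
    # Writes the raw bytes of each Secure Boot variable to a timestamped folder and returns its path.
    param([string]$Root)
    $dir = Join-Path $Root (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    foreach ($name in $Variables) {
        try {
            $bytes = (Get-SecureBootUEFI -Name $name).Bytes
            [IO.File]::WriteAllBytes((Join-Path $dir "$name.bin"), $bytes)
        } catch {
            Write-Warning "Could not read $name : $_"
        }
    }
    $dir
}

function Compare-SecureBootSnapshot {
    # Compares two snapshot folders variable by variable using SHA-256 of the raw bytes.
    param([string]$Before, [string]$After)
    foreach ($name in $Variables) {
        $a = Join-Path $Before "$name.bin"
        $b = Join-Path $After  "$name.bin"
        if (-not (Test-Path $a) -or -not (Test-Path $b)) {
            "{0,-3}: missing in one of the snapshots" -f $name
            continue
        }
        $same   = (Get-FileHash $a -Algorithm SHA256).Hash -eq (Get-FileHash $b -Algorithm SHA256).Hash
        $status = if ($same) { 'unchanged' } else { 'CHANGED' }
        "{0,-3}: {1} ({2} -> {3} bytes)" -f $name, $status, (Get-Item $a).Length, (Get-Item $b).Length
    }
}

$latest = Save-SecureBootSnapshot -Root $SnapshotRoot
$all = @(Get-ChildItem -Path $SnapshotRoot -Directory | Sort-Object Name)
if ($all.Count -ge 2) {
    "Comparing $($all[-2].Name) -> $($all[-1].Name)"
    Compare-SecureBootSnapshot -Before $all[-2].FullName -After $latest
} else {
    "First snapshot written to $latest. Run this again after changing firmware settings."
}
```

A db that shrinks after a firmware reset is the tell-tale sign that the Windows UEFI CA 2023 entry was dropped, which is the condition that makes the 2023‑signed boot manager fail the firmware's signature check. The snapshots are diagnostic only: Secure Boot variables can only be written with properly signed, time-authenticated payloads, so restoring them is the job of the recovery media or a firmware/OS update, not of this script.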
Server note – Windows Server 2025 is out of scope
Microsoft stripped Windows Server 2025 from this roll‑out. If you manage servers, ignore KB5074110; the same Secure Boot certificate refresh will arrive in a separate server‑only update later this year.
TL;DR checklist
- Running 24H2/25H2 with Secure Boot? Install KB5074110 via Windows Update now.
- Did you reset BIOS recently? Build a recovery USB before toggling Secure Boot again.
- No reboot needed, but double‑check the package appears in dism output.
Stay ahead of the June 2026 certificate deadline and keep those machines booting without drama.
