PBX Science

VoIP & PBX, Networking, DIY, Computers.

Windows Now Flags Secure Boot Certificate Health as June Expiry Looms

Windows Security Now Shows Secure Boot Certificate Status Ahead of June 2026 Expiry
Windows Security Report · April 6, 2026 · Technology & Cybersecurity
Microsoft has quietly upgraded the Windows Security app with colour-coded badge indicators for Secure Boot certificate status — a proactive measure ahead of a certificate expiration wave that begins in June 2026.

Certificate Update Rollout Timeline — 2026

Feb 2026: Phase 0. New certificates distributed via Patch Tuesday.
Apr 2026: Phase 1 (now). Green and yellow badges appear in the Windows Security app.
May 2026: Phase 2. System alerts and notifications outside the app begin.
Jun 2026: Expiry begins. The 2011 certificates start expiring; red badges may appear.

Microsoft has begun rolling out a significant enhancement to the Windows Security app, adding visual indicators that clearly display whether a device’s Secure Boot certificates are current, in need of an update, or at risk. The change arrives as the company races to ensure users are informed well before a wave of certificate expirations that begins in June 2026.

The certificates in question were originally issued in 2011 and have now reached the end of their 15-year lifespan. While updated 2023 certificates have been distributed automatically via Windows Update since February 2026, millions of devices — particularly older hardware and enterprise machines subject to managed update policies — may not yet have applied them. The new status indicators are designed to surface that information clearly to both everyday users and IT administrators.

What’s Actually Changing in Windows Security

Previously, the Secure Boot section on the Device Security page in the Windows Security app showed only whether Secure Boot was enabled or disabled — a binary state that offered no insight into whether the underlying certificates were current. Starting in April 2026, Microsoft has enhanced that section with colour-coded badge icons and accompanying text that describe the device’s full certificate update status.

Secure Boot Certificate Badge States

Green — Fully Updated
Meaning: All required certificate updates have been applied and the updated Boot Manager is installed.
Action required: None. The device is protected. Check for the full confirmation text to be certain.

Yellow — Attention Needed
Meaning: The device is still running an older certificate. The update may be paused because of compatibility issues or firmware limitations.
Action required: Ensure Windows Update is active. If the update is paused for compatibility, Microsoft will resume it automatically once the issue is resolved.

Red — Critical / Unserviceable
Meaning: A fix for a security vulnerability affecting the boot process exists but cannot be delivered to the device's current boot configuration.
Action required: Contact the device manufacturer for a firmware (UEFI) update. A hardware limitation may prevent automatic resolution.

A green checkmark alone does not confirm full certificate compliance. Microsoft advises users to also look for the specific text: “Secure Boot is on and all required certificate updates have been applied. No further certificate changes are needed.”

Why Secure Boot Certificates Matter

Secure Boot is a firmware-level security mechanism that verifies the digital signatures of software loaded during startup, including UEFI drivers, option ROMs and the Windows Boot Manager, against the certificates held in the firmware's allowed-signature database (db). By ensuring that only code signed under a trusted certificate (on Windows PCs, normally a Microsoft certification authority) can execute before the operating system loads, it acts as the first line of defence against bootkits, a class of particularly dangerous malware that runs before the OS and can evade traditional antivirus software entirely.

For 15 years, Secure Boot certificates have anchored the chain of trust for every Windows boot. Their expiry is not a bug — it is a planned rotation that requires active coordination.

The 2011 certificates in question are three Microsoft certification authorities present on every Windows device with Secure Boot enabled: the Microsoft Corporation KEK CA 2011, held in the Key Exchange Key (KEK) variable and used to authorise updates to the signature databases; the Microsoft Windows Production PCA 2011, held in the allowed database (db) and used to sign the Windows Boot Manager; and the Microsoft Corporation UEFI CA 2011, also in db, used to sign third-party boot components such as Linux shim loaders and option ROMs. (The Platform Key, PK, belongs to the device manufacturer and is not part of this rotation.) When these certificates expire, devices do not lose the ability to boot: UEFI firmware does not enforce certificate expiry when it verifies a boot image. Rather, Microsoft can no longer sign new boot components or database updates with them, so a device that still trusts only the 2011 CAs enters what Microsoft describes as a “degraded security state”: it loses the capacity to receive future boot-level security updates, and it will not trust boot software signed under the newer 2023 certificates.
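To see the same facts the badge summarises from a shell, here is an added example written for this article; it is not Microsoft's tooling and not code from the original page. It parses the firmware's KEK, db and dbx variables into X.509 certificates, so the 2011 and 2023 CAs described above appear with their own expiry dates, then checks for the 2023 replacements, whether the Boot Manager on the EFI System Partition is signed under the Windows UEFI CA 2023, and the servicing status Windows records while applying the update. Assumptions: it runs elevated on a UEFI system with Secure Boot on; drive letter S: is free for mounting the ESP; the CA names and the registry value UEFICA2023Status follow Microsoft's Secure Boot CA update documentation and should be verified against it.

```powershell
#Requires -RunAsAdministrator
# Added example for this article (not Microsoft's tooling, not from the original page):
# parse the UEFI Secure Boot variables (KEK, db, dbx) into X.509 certificates, show when
# each expires, and check whether the 2023 replacement CAs and a 2023-signed Boot Manager
# are in place. Uses only the built-in SecureBoot module and .NET; run elevated with Secure Boot on.

$ErrorActionPreference = 'Stop'

# EFI_CERT_X509_GUID from the UEFI specification: entries of this type hold DER certificates.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-EfiSignatureListCertificates {
    # Walk the EFI_SIGNATURE_LIST chain in a Secure Boot variable and return its X.509 certificates.
    # Each list: SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4) | SignatureSize (4),
    # then SignatureHeaderSize header bytes, then EFI_SIGNATURE_DATA entries of SignatureSize bytes,
    # each beginning with a 16-byte SignatureOwner GUID followed by the signature (here DER) data.
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $certs  = New-Object 'System.Collections.Generic.List[object]'
    $offset = 0
    while (($offset + 28) -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $Bytes.Length) { break }   # malformed list: stop

        if ($type -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            $pos = $offset + 28 + $headerSize
            while (($pos + $sigSize) -le ($offset + $listSize)) {
                $der = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]   # skip SignatureOwner GUID
                $certs.Add([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der))
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
    return $certs
}

function Get-SecureBootCertificateReport {
    # One row per certificate in KEK, db and dbx, with its expiry date and days remaining.
    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not enabled (or this is a legacy BIOS boot).' }
    $now = Get-Date
    foreach ($name in 'KEK', 'db', 'dbx') {
        try { $bytes = (Get-SecureBootUEFI -Name $name).Bytes } catch { continue }   # variable absent on this firmware
        foreach ($cert in (Get-EfiSignatureListCertificates -Bytes $bytes)) {
            [pscustomobject]@{
                Variable = $name
                Subject  = $cert.Subject
                NotAfter = $cert.NotAfter
                DaysLeft = [int]($cert.NotAfter - $now).TotalDays
            }
        }
    }
}

function Test-BootManagerIs2023Signed {
    # Mount the EFI System Partition and inspect the Authenticode signer of the Windows Boot Manager.
    # Assumes drive letter S: is free (assumption made for this example).
    mountvol S: /S | Out-Null
    try {
        $sig   = Get-AuthenticodeSignature -FilePath 'S:\EFI\Microsoft\Boot\bootmgfw.efi'
        $names = '{0} | {1}' -f $sig.SignerCertificate.Subject, $sig.SignerCertificate.Issuer
        return ($names -match 'Windows UEFI CA 2023')   # 2011-era boot managers chain to Microsoft Windows Production PCA 2011
    } finally {
        mountvol S: /D | Out-Null
    }
}

function Get-SecureBootServicingStatus {
    # Status Windows records while applying the CA update (NotStarted / InProgress / Updated);
    # value name per Microsoft's Secure Boot CA update documentation (assumption: present on your build).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $item = Get-ItemProperty -Path $key -Name 'UEFICA2023Status' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not recorded on this build' }
    return $item.UEFICA2023Status
}

function Test-SecureBootCertificateRollout {
    # Summarise what the badge reports on: 2023 CAs present, 2011 Windows CA revoked, Boot Manager re-signed.
    $report   = @(Get-SecureBootCertificateReport)
    $subjects = @{}
    foreach ($v in 'KEK', 'db', 'dbx') {
        $subjects[$v] = @($report | Where-Object { $_.Variable -eq $v } | ForEach-Object { $_.Subject })
    }
    return [ordered]@{
        'KEK: Microsoft Corporation KEK 2K CA 2023 present'               = @($subjects['KEK'] -match 'KEK 2K CA 2023').Count -gt 0
        'db:  Windows UEFI CA 2023 present (signs the Boot Manager)'      = @($subjects['db']  -match 'Windows UEFI CA 2023').Count -gt 0
        'db:  Microsoft UEFI CA 2023 present (third-party boot code)'     = @($subjects['db']  -match 'Microsoft UEFI CA 2023').Count -gt 0
        'dbx: Windows Production PCA 2011 revoked (later enforcement step)' = @($subjects['dbx'] -match 'Windows Production PCA 2011').Count -gt 0
        'ESP: Boot Manager signed under Windows UEFI CA 2023'             = Test-BootManagerIs2023Signed
    }
}

# Report: every certificate with its expiry, then the rollout checks and Windows' own servicing status.
Get-SecureBootCertificateReport | Sort-Object NotAfter | Format-Table Variable, Subject, NotAfter, DaysLeft -AutoSize
foreach ($check in (Test-SecureBootCertificateRollout).GetEnumerator()) {
    '{0,-8} {1}' -f $(if ($check.Value) { 'OK' } else { 'MISSING' }), $check.Key
}
'Windows servicing status (UEFICA2023Status): ' + (Get-SecureBootServicingStatus)
```

The script only reads firmware variables and the registry; the one side effect is mounting and dismounting the ESP. A device in the green state shows the three 2023 CAs present and the Boot Manager check passing; a yellow device typically shows only the 2011 CAs, with their NotAfter dates in 2026 and a small DaysLeft. The dbx line is informational: placing the Windows Production PCA 2011 in the revocation list is the final enforcement step of the CVE-2023-24932 mitigation and is not required for a green badge, so MISSING there is expected on most devices today. For a fleet, wrap the same functions in Invoke-Command and collect the ordered hashtable per host rather than relying on per-user notifications.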

Certificate age: 15 years (issued 2011, expiring from June 2026)
Replacement distributed: February 2026, via the Patch Tuesday Windows Update release
Rollout Phase 1: April 2026, badge indicators in the Windows Security app
Most at risk: pre-2024 PCs (devices made since 2024 are often already updated)

Rollout Schedule: Phase by Phase

Microsoft is staging the badge rollout across two phases, with availability tied to specific Windows versions and update channels.

Apr 8, 2026

Phase 1 begins on Windows 11 — Versions 23H2, 24H2, 25H2, and 26H1, along with Windows Server 2025, receive the update via an app update. Green and yellow badges become visible in Device Security > Secure Boot.

Apr 14, 2026

Phase 1 extends to Windows 10 — Versions 22H2, 21H2, and 1809, along with Windows Server 2019 and Server 2022 with Desktop Experience, receive the feature via a cumulative update.

May 2026

Phase 2 launches — System-level alerts and notifications outside the Windows Security app begin appearing. Red (critical) badge states are introduced for devices that cannot be updated. Users in a red state can choose to dismiss warnings only by explicitly accepting the associated security risks.

Jun 2026

Certificate expiry begins — The first 2011-era certificates begin to expire. Devices without updated certificates and an updated Boot Manager cannot receive future Windows boot-level security fixes.

What Most Users Need to Do

For the vast majority of consumers running supported versions of Windows 10 or Windows 11 on modern hardware, the answer is straightforward: nothing. As long as Windows Update is enabled and the device is connected to the internet, the required certificate updates will be applied automatically. Devices manufactured since 2024 are likely already updated.

For users whose Windows Security app shows a yellow badge, the recommended step is to check for and install pending Windows updates. In some cases, the update may have been temporarily paused due to hardware or firmware compatibility testing — Microsoft will resume the update automatically once those issues are resolved.

Users confronted with a red badge face a more complex situation. A red indicator means that a fix for a security vulnerability in the boot process exists but cannot be applied to the device's current configuration. In these cases, a firmware update from the device manufacturer may be required. If no such update is available, the device will remain in a limited security state for future boot-level protections.

Microsoft explicitly advises against toggling Secure Boot off and on, because on some firmware doing so restores the factory Secure Boot keys: the updated certificates are erased from the KEK and db variables, undoing any progress made by the automatic update process.

Enterprise and Managed Devices

The behaviour of the new indicators differs significantly in corporate and institutional environments. On enterprise-managed Windows 10 and Windows 11 devices, the Windows Security app and its notification service run normally and the status data is generated — but the badge indicators and notifications are disabled by default. IT administrators are expected to manage Secure Boot certificate rollout centrally using policy-driven tools, including Group Policy settings and the Windows Autopatch Secure Boot status report, rather than relying on per-user notifications.

Administrators who wish to surface the indicators to end users must explicitly enable the feature. Microsoft has published a dedicated IT Admin Guide alongside the user-facing documentation, and has released two dynamic updates — KB5081494 and KB5083482 — targeting setup binaries and the Windows Recovery Environment to assist enterprise deployments.

Windows Server editions handle this differently again. Even though the Windows Security app is present on Windows Server 2019, 2022, and 2025 with Desktop Experience, the notification service does not start automatically on Server. As a result, no badges or status updates appear unless a user manually launches the app — and even then, the new certificate status indicators remain disabled by default.

The Bigger Picture: Boot-Level Security in 2026

The certificate expiration is the single largest coordinated Secure Boot update in the technology's history. It is also tied to the mitigation of BlackLotus, a UEFI bootkit that exploits a Secure Boot bypass tracked as CVE-2023-24932 and has been seen in the wild since 2023. The updated 2023 certificates, and a Boot Manager signed under them, are a prerequisite for the final mitigation step, which revokes the 2011 Windows signing certificate so that older, vulnerable boot managers can no longer run.

Microsoft’s decision to surface this information directly in the Windows Security app — rather than leaving it buried in command-line registry checks and Event Viewer logs — represents a meaningful step toward making firmware-level security legible to ordinary users. The colour-coded badge system, combined with the phased introduction of system notifications, gives consumers and administrators alike a clear, actionable view of their device’s security posture ahead of a deadline that carries real consequences.


Sources: Microsoft Support (Secure Boot certificate update status, April 2026); Microsoft Windows IT Pro Blog (Act now: Secure Boot certificates expire in June 2026, January 2026); Help Net Security (April 3, 2026); Windows Latest (April 3, 2026). For ongoing guidance, Microsoft maintains a Secure Boot certificate rollout landing page at aka.ms/GetSecureBoot.

