Windows Secure Boot Certificate Expiration: Check Green, Yellow, Red in 2026

Microsoft is moving to blunt a potentially messy Secure Boot certificate transition by putting the answer directly into Windows Security. Starting in April 2026, Windows devices can surface a Secure Boot status indicator under Device security so users can see whether their PC has received the updated certificates, whether action is needed, or whether the device is stuck in a degraded security state. That matters because the original Microsoft Secure Boot certificates issued in 2011 begin expiring in June 2026, and machines that miss the update path may lose future boot-level protections even if Windows itself keeps running normally.

Background

Secure Boot has been part of the UEFI-era Windows trust model for years, but the underlying certificates were never designed to last forever. Microsoft’s support guidance says the current certificates, including the Microsoft Corporation KEK CA 2011, Microsoft Windows Production PCA 2011, and Microsoft UEFI CA 2011, begin expiring in June 2026 and will be fully past their useful life by October 2026. Those certificates anchor the chain of trust that helps validate firmware-stage code before Windows loads, which is exactly why the expiration is a bigger deal than a routine patch cycle.
The practical problem is simple: many PCs can still boot after the certificates expire, but they may no longer be able to receive new protections for the early boot process. Microsoft says affected devices can keep starting and operating, and ordinary Windows updates can continue, but boot-chain protections, revocation updates, and some future mitigations may no longer be serviceable. In other words, the machine still works, but it may stop being fully defensible.
That is why the new Windows Security status page is significant. Microsoft says the feature began rolling out in April 2026 and sits in Windows Security > Device security > Secure Boot. The interface shows a badge-based status model: green for updated, yellow for a recommended action, and red for a device that cannot receive the new certificates. Microsoft also says more prominent notifications will arrive starting in May 2026, including alerts outside the app.
There is also a major Windows version wrinkle. Microsoft ended free support for Windows 10 on October 14, 2025, which means unsupported systems are already in a fragile security posture. Microsoft has said Windows 10 devices that are not enrolled in Extended Security Updates will not receive the new Secure Boot certificates, while Windows 10 ESU systems and Windows 11 systems should get them automatically through regular updates. That makes the certificate issue both a security story and a lifecycle story.

Why this transition is different

This is not a typical “install the latest cumulative update” situation. The certificates are embedded in a trust framework that can involve firmware, motherboard vendors, and Windows Update all at once. Microsoft says many devices will be managed automatically, but some systems may need a separate firmware update from the OEM before the new certificates can be loaded. That split explains the yellow status: it is not an error, but a dependency warning.
The other wrinkle is that expiration does not mean immediate failure. Microsoft’s guidance makes clear that devices can continue to boot and Windows updates can continue to install. The real risk is that future boot-level security fixes may no longer be deliverable once the trust chain has aged out. That nuance matters, because users may otherwise assume an expired certificate means a dead PC, when the actual problem is more gradual and more dangerous precisely because it is less visible.

What Microsoft is actually rolling out

Microsoft’s new Secure Boot status display is designed to make a hidden infrastructure issue visible to ordinary users. The support page says the Windows Security app will show whether the device has received the certificate updates, whether a recommendation exists, and whether action is required. That is a notable shift from the usual Windows security posture, which often assumes that only IT administrators will ever need to understand firmware trust chains.

The three status badges

The new interface uses three obvious states. Green means the device has the needed updates. Yellow means Microsoft recommends action, such as a firmware update. Red means the device cannot receive the updated certificates in its current configuration and may be unable to accept future boot-level protections. The red state is especially important because Microsoft says it appears only when a relevant boot-process vulnerability is discovered and cannot be serviced on devices that have not received the new certificates.
That design is smart, but it also hints at the underlying difficulty. Users do not need a lecture about PKI, DB, DBX, or KEK; they need a simple yes-or-no answer about whether their machine is protected. The badge system compresses a lot of technical state into a readable cue, which is exactly what consumer-facing security UI should do. The challenge is that the right answer may still require an OEM firmware update, not just a Windows update.

What the status message means

Microsoft says the app will also show detailed status text explaining what to do next. One message tells users that Secure Boot is on but the device does not support the automated certificate update due to hardware or firmware limitations, and another says the device can no longer receive required updates for the Windows boot experience. That extra detail is useful because “update available” and “your motherboard needs new firmware” are not the same thing at all.
For enterprises, this will probably be more useful than for casual users at first. Admins can translate the badge into remediation workflows, but a home user may simply need the app to tell them to update Windows, check their OEM support page, or contact the manufacturer. Microsoft’s messaging is intentionally non-technical, which lowers the bar for action and reduces the odds that people will ignore the issue until June.

Who gets updated automatically

Microsoft says most Windows 11 systems and Windows 10 devices enrolled in Extended Security Updates should receive the new certificates automatically through normal monthly Windows servicing. That is the best-case path, and for many users it should feel invisible, which is exactly how security infrastructure should behave when it is functioning properly. The company also says many OEMs will deliver the needed firmware updates where required.

Windows 11 versus Windows 10

The split between Windows 11 and Windows 10 is where this becomes politically interesting. Windows 11 machines are more likely to be on a supported servicing path, while Windows 10 systems are more likely to be sitting on older hardware that may never make the jump. Microsoft’s own guidance notes that unsupported Windows 10 devices will not receive the new certificates, which leaves those systems exposed to a security transition they cannot complete.
That is not merely a technical constraint; it is a migration pressure. A lot of users stayed on Windows 10 because their hardware was too old for Windows 11, because they preferred not to change, or because the PC still did what they needed. The Secure Boot certificate issue gives Microsoft another reason to push those users into either ESU coverage or a hardware refresh, even if the machine appears perfectly serviceable today.

ESU as a safety net

The Extended Security Updates program is therefore more than a temporary patch bridge. Microsoft told PCMag that, among Windows 10 machines, the new Secure Boot status indicator is arriving only for PCs enrolled in ESU, which means ESU enrollment becomes the difference between being informed and being left in the dark. For users on Windows 10, ESU is now doing triple duty: buying time, preserving update flow, and helping keep the boot trust chain current.
That makes ESU feel less like a luxury and more like a managed risk plan. If you are still on Windows 10, the question is no longer just whether you can keep getting security fixes; it is whether your machine can stay in the trust envelope that Secure Boot depends on. That is a subtle but important change in the economics of staying put.

Why Secure Boot still matters

Secure Boot is one of those features most people never notice until something goes wrong. It helps ensure that only trusted software runs during the boot sequence, which protects against malware that can hide below the operating system and survive reinstalls. Microsoft’s own guidance emphasizes that the update is about preserving the ability to verify trusted boot software, not just about satisfying a checkbox in settings.

The boot chain is a high-value target

Attackers love the boot chain because it sits underneath many traditional endpoint defenses. If malicious code can implant itself early enough, it may persist through OS repair, avoid routine antivirus visibility, and complicate incident response. That is why a certificate expiration in the boot trust path is such an awkward security story: the issue sounds niche, but the risk surface is broad.
The new certificates are meant to prevent that trust chain from going stale. Microsoft says the newer 2023 certificates are being rolled out so devices can keep receiving updates to the Windows Boot Manager, Secure Boot databases, revocation lists, and mitigations for newly discovered boot-level vulnerabilities. In practical terms, this keeps future security work possible, not just current protections intact.

Enterprise implications are sharper

For enterprises, the impact is more severe because Secure Boot is often part of compliance and device-hardening baselines. Microsoft notes that devices that fail to update may be out of security compliance, and the guidance specifically references future support for management through Group Policy. That suggests the company expects corporate IT teams to track the issue centrally rather than relying on individual users to self-remediate.
There is also a mixed fleet problem. Large organizations often run Windows 11, Windows 10 ESU, and special-purpose or offline systems side by side. The certificate transition may be smooth for mainstream office PCs, but the devices most likely to trip over firmware limitations are also the devices least likely to be easy to replace. That is where the support burden will land.

What the new support page actually says

Microsoft’s support article is unusually explicit about timing. It says the Windows Security app enhancements began rolling out in April 2026, and that beginning in May 2026 users should also see notifications outside the app. It even warns that the red “requires action” state could appear as early as June 2026, when some of the current certificates begin to expire.

Timing matters more than most users think

That timeline means users are being given a short runway. Microsoft is not waiting until certificates fail to work before surfacing the issue; it is front-loading the warning so there is time for firmware updates, Windows servicing, and OEM escalation. That is good product design, but it also reveals how constrained the remediation path is.
The timing also tells us Microsoft is trying to avoid a “surprise security sunset” moment in June. By adding the status page in April and broader alerts in May, the company is effectively creating a staged awareness campaign inside Windows itself. That is a notable admission that documentation alone would not have been enough.

Why the dashboard lives in Windows Security

Placing the indicator in Windows Security is a good call because that is where users already expect device protection signals to live. The Device security page already covers hardware-backed protections such as TPM-related status, core isolation, and other system security features. Secure Boot fits naturally there, even if the certificate mechanics behind it are anything but natural for the average user.
This is also a messaging improvement. If a user sees a warning in a general settings area, it may feel optional or obscure. If the warning appears in Windows Security, it carries an implied urgency that better matches the actual risk. In a feature like this, placement is part of the security model.

What to do if your PC is affected

The guidance is more straightforward than the underlying architecture. If Windows Security shows green, you are in the best position and should keep taking regular Windows updates. If it shows yellow, Microsoft is effectively telling you to look for a firmware or OS update from your device maker or through Windows Update. If it shows red, you need to treat the machine as unable to receive the next layer of boot trust protections.

A practical user checklist

  • Open Windows Security.
  • Go to Device security.
  • Check the Secure Boot status badge.
  • Install the latest Windows updates.
  • Check your PC or motherboard maker for firmware updates.
  • If you are on Windows 10, confirm whether you are enrolled in ESU.
  • If the device is unsupported, plan for replacement or migration.
That sequence may sound ordinary, but it is actually the shortest path through a deeply layered trust issue. The point is not just to “have Secure Boot on,” but to keep the certificates, firmware, and OS servicing aligned. If any one of those legs is missing, the whole stool starts wobbling.

Consumer advice versus business advice

For consumers, the first step is almost always to update Windows and then check the OEM support app or support page. For businesses, the first step should be inventory: identify which machines are enrolled in ESU, which are on older firmware, and which are likely to fail the automatic path. The remediation will be similar, but the decision-making is very different.
Businesses should also be wary of assuming that “still booting” equals “secure enough.” Microsoft is clear that devices can continue operating while silently losing future early-boot protections. That means the real deadline is earlier than the user-visible failure point, which is one reason security teams should treat the April and May notifications as actionable, not advisory.
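For admins working through the checklist above or building the fleet inventory described here, the following added PowerShell example (not from the article, PCMag, or Microsoft's own tooling) reads the local Secure Boot KEK and db variables and reports which Microsoft CA generation is present. The 2011 certificate names are the ones the article cites; the 2023 successor names are assumed from Microsoft's published rollout, and the classification it returns is an inventory approximation, not the Windows Security badge itself.

```powershell
# Added example: classify a machine's Secure Boot certificate generation.
# Needs an elevated session on a UEFI system; uses the built-in SecureBoot
# module cmdlets Confirm-SecureBootUEFI and Get-SecureBootUEFI.
function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        SecureBootOn = $false
        Kek2011      = $false
        Kek2023      = $false
        Db2011       = $false
        Db2023       = $false
        Assessment   = 'Unknown'
    }

    try {
        $result.SecureBootOn = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        # Subject names sit as ASCII inside the DER blobs stored in the UEFI
        # variables, so a substring match is enough for inventory purposes.
        $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    } catch {
        # Legacy BIOS/CSM boot or unreadable variables: nothing to assess.
        $result.Assessment = 'SecureBootUnavailable'
        return [pscustomobject]$result
    }

    # 2011 names are from the article; 2023 names are assumed successors.
    $result.Kek2011 = $kek -match 'Microsoft Corporation KEK CA 2011'
    $result.Kek2023 = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    $result.Db2011  = $db  -match 'Microsoft Windows Production PCA 2011'
    $result.Db2023  = $db  -match 'Windows UEFI CA 2023'

    # Inventory classification (approximation of the traffic-light model).
    $result.Assessment = if (-not $result.SecureBootOn) {
        'SecureBootOff'
    } elseif ($result.Kek2023 -and $result.Db2023) {
        'Updated-2023CertsPresent'
    } elseif ($result.Kek2023 -or $result.Db2023) {
        'PartiallyUpdated-CheckWindowsUpdate'
    } elseif ($result.Kek2011 -or $result.Db2011) {
        'NotUpdated-2011Only-CheckFirmwareAndUpdates'
    } else {
        'NoMicrosoftCAsFound-Investigate'
    }

    [pscustomobject]$result
}

# Fleet use: run per machine and merge the CSVs to map exposure before June.
Get-SecureBootCertStatus | Export-Csv -Path "$env:TEMP\secureboot-status.csv" -NoTypeInformation
```

A machine showing only 2011 certificates after current Windows updates are installed is the case the article's yellow badge describes, so it is the one to cross-check against OEM firmware availability.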

Competitive and ecosystem implications

This certificate expiration story is bigger than Microsoft alone because it touches the whole Windows hardware ecosystem. OEM firmware teams, motherboard vendors, enterprise imaging tools, and device lifecycle planners all have a role in getting devices from the old trust model to the new one. A clean transition would reinforce Windows’ reputation as a managed platform; a messy one would highlight how much hidden complexity still sits under “modern PC security.”

Pressure on OEMs and motherboard vendors

The yellow badge is effectively a nudge to the hardware ecosystem. Microsoft says some devices need a separate firmware update before the new certificates can be loaded, which means support quality from OEMs will directly influence security outcomes. Users may blame Windows when the real bottleneck is vendor firmware availability or retirement of support for older boards.
That creates a reputational test for PC makers. The industry has already spent years trying to convince buyers that firmware updates are no longer rare or dangerous; now it needs to prove that point at scale. If an OEM is slow, vague, or absent, the red and yellow badges will turn into visible evidence of poor after-sales support.

The Windows 11 upgrade narrative

There is also a subtle Windows 11 sales effect. Microsoft does not have to say “upgrade your PC” directly; the certificate issue does some of that work for it. Users on aging Windows 10 hardware who are not in ESU are being told, in effect, that their platform may eventually lose the ability to receive boot-chain protections, which makes a hardware refresh feel more like a security necessity than a preference.
That does not mean Microsoft is using fear as a blunt instrument. The company is responding to a real cryptographic lifecycle problem. But from a market perspective, the result is the same: the Secure Boot transition reinforces the split between supported modern PCs and legacy systems that can no longer keep pace with the security baseline.

Strengths and Opportunities

Microsoft’s approach has several strengths, and the biggest is visibility. By surfacing Secure Boot certificate status in Windows Security, the company is turning an obscure backend issue into a user-facing prompt that can actually drive action. That is better than hoping people read patch notes or support articles, and it makes the transition much more manageable across millions of devices.
It also gives Microsoft and OEMs a shared remediation window before the deadlines bite. That window is crucial because a boot-trust transition can require Windows updates, firmware updates, and in some cases organizational policy changes. The earlier users know, the more likely they are to remain in a trusted boot state instead of drifting into a quietly weakened configuration.
  • Gives users a clear, actionable status instead of vague warnings.
  • Helps prevent a last-minute rush in June 2026.
  • Encourages firmware updates while there is still time.
  • Lets enterprises map exposure before enforcement gets stricter.
  • Reduces the chance of blind spots on older systems.
  • Strengthens the Windows Security app as a central trust dashboard.
  • Makes certificate lifecycle management visible to non-specialists.

Risks and Concerns

The biggest risk is that many users will misunderstand the warning or ignore it because the PC still seems fine. Microsoft is clear that devices can continue booting even when they are no longer able to receive future boot protections, and that creates a dangerous illusion of safety. A working PC is not necessarily a protected PC.
Another concern is fragmentation across firmware vendors and older hardware. If too many devices need special handling, the rollout could become uneven, with some users seeing green badges and others getting stuck on yellow or red for reasons they cannot easily fix. That is especially likely on older Windows 10 machines that are already outside mainstream support.
  • Users may mistake “still boots” for “fully secure.”
  • Older hardware may never receive the required firmware support.
  • Windows 10 non-ESU users are likely to be left behind.
  • OEM support quality will heavily influence outcomes.
  • Enterprises may face inventory and remediation complexity.
  • Confusing status messages could lead to inaction.
  • Red badges may create support-ticket spikes if rollout is uneven.

Looking Ahead

The next few months will show whether Microsoft’s new status system can do what documentation alone rarely does: change behavior. If the app is clear, timely, and paired with reliable firmware delivery, many users will likely never experience a problem. If not, the June 2026 certificate expiration could become a quiet but meaningful security event for legacy Windows systems.
The most interesting metric to watch is not whether Windows keeps booting, but how many devices remain on the old certificates by the time the first expirations hit. A low percentage would suggest Microsoft’s update machinery and OEM coordination worked as intended. A high percentage would imply that the Windows ecosystem still has serious friction where firmware, servicing, and lifecycle management intersect.
  • April 2026 rollouts of the status indicator across supported PCs.
  • May 2026 expansion to notifications outside Windows Security.
  • June 2026 start of certificate expirations for some devices.
  • OEM firmware updates for machines that need a separate path.
  • Wider adoption of Windows 10 ESU among holdout users.
  • Enterprise remediation tracking across mixed hardware fleets.
The broader lesson is that modern PC security is increasingly a lifecycle problem, not just a patching problem. Secure Boot certificates expiring after more than a decade is not a bug; it is the natural end of a trust chain that needs renewal. What matters now is whether Microsoft, its partners, and users can make that renewal feel routine before it becomes a visible failure.

Source: PCMag, "Windows Secure Boot Certificates Expire in June. How to Verify Your PC Is Updated"