Microsoft Changes Windows Security After 15 Years—Update By ‘End Of April’

This unprecedented move by Microsoft signals a significant change in how Windows PCs manage boot security. The authentication certificates that safeguard devices from potential threats on each restart are set to expire. These Secure Boot certificates, which have been in place since 2011, will be replaced as part of an initiative that begins this month with April’s security update.

Understanding the Update Process

Initially, Microsoft indicated that users could verify the successful installation of the update starting in April 2026. However, this guidance has been revised. The company now clarifies that the update and its corresponding status check may not appear immediately on all PCs. Instead, it assures users that the update will be installed on all devices by the end of April 2026.

This update serves a dual purpose: it installs new certificates and confirms whether any user action is necessary. To check the current status of Secure Boot, users can navigate to Windows Security > Device security > Secure Boot. Here, Microsoft provides a visual cue through a badge system—green, yellow, or red—indicating the current Secure Boot status. A red icon signifies that immediate attention is required.

Potential Risks and User Awareness

According to Windows Latest, Secure Boot certificates play a crucial role in validating boot software. If these certificates expire, users may face exposure to boot-level malware, commonly referred to as bootkits, or even unauthorized modifications to their systems. While the timeline for the expiry of Secure Boot certificates has been communicated by Microsoft for some time, the specifics have often remained unclear to the average user.

Although the inclusion of new security certificates in the standard monthly update appears to be a prudent strategy, many users remain unaware of its implications. For those who wish to verify whether the Secure Boot 2023 certificate has been applied to their systems, Windows Latest suggests utilizing PowerShell commands or Event Viewer logs. However, this process may not be familiar to the average user, which is why Microsoft is enhancing the visibility of Secure Boot certificate status within Windows Security.
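
One way to run the PowerShell check mentioned above, as an added example that does not come from Microsoft, Windows Latest or the original article. The function name `Get-SecureBootCertStatus` is hypothetical, and the certificate names searched for are the commonly published 2011 and 2023 names, an assumption the article itself does not state.

```powershell
# Added example: report whether the 2023 Secure Boot certificates are present
# in the firmware's KEK and db variables. Run from an elevated PowerShell
# session on a UEFI system. Get-SecureBootCertStatus is a hypothetical name.
function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param()

    # Certificate names to search for in each UEFI variable (assumed names):
    # the 2011 originals and their 2023 replacements.
    $wanted = [ordered]@{
        KEK = @('Microsoft Corporation KEK CA 2011',
                'Microsoft Corporation KEK 2K CA 2023')
        db  = @('Microsoft Windows Production PCA 2011',
                'Windows UEFI CA 2023')
    }

    try {
        # True/False on UEFI systems; throws on legacy BIOS or without elevation.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
        return
    }

    foreach ($var in $wanted.Keys) {
        try {
            # The variable holds DER-encoded certificates; subject names are
            # readable once the raw bytes are decoded as ASCII.
            $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
            $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        } catch {
            Write-Warning "Cannot read UEFI variable '$var': $($_.Exception.Message)"
            continue
        }

        foreach ($name in $wanted[$var]) {
            [pscustomobject]@{
                SecureBootEnabled = $enabled
                Variable          = $var
                Certificate       = $name
                Present           = $text.Contains($name)
            }
        }
    }
}

Get-SecureBootCertStatus | Format-Table -AutoSize
```

A 2023 row showing `Present = False` means that certificate has not yet been written to the corresponding firmware variable on that device.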

Next Steps for Users

There’s no need for alarm if you haven’t yet received the update; the certificates will not expire for several more weeks. It is advisable to check and ensure your system is updated by the end of the month to avoid any oversight. Should any action be required, allowing yourself ample time to address it is prudent.

By the end of April, users should expect to see the updated verification under the “Secure Boot” section within the “Device Security” tab in Windows Security. Microsoft elaborates that the previous icons and text guidance merely indicated whether Secure Boot was enabled or disabled. The enhancements will now provide users with crucial information regarding the status of Secure Boot certificate updates.
