Windows Security App Gains Secure Boot Certificate Status Ahead of Major Certificate Refresh

Understanding the Upcoming Changes to Secure Boot Certificates

The Unified Extensible Firmware Interface (UEFI) on Windows PCs plays a crucial role in safeguarding the startup process by utilizing Secure Boot certificates. These certificates, which have been in place since their issuance in 2011, are approaching their expiration date in late June 2026. In anticipation of this, Microsoft has initiated a discreet rollout of updated certificates through Windows Update, ensuring that users remain protected as the deadline approaches.

Beginning in April 2026, users will have the ability to monitor the status of their devices through a new feature in the Windows Security app. By navigating to Device security and selecting Secure Boot, users will encounter a color-coded badge system that indicates their device’s update status. This intuitive system is designed to provide clear guidance on whether a device is fully updated, awaiting an update, or in need of immediate attention.

  • Green Checkmark: This badge signifies that the new certificates are successfully installed, and no further action is required from the user.
  • Yellow Caution Badge: Expected to appear in May 2026, this badge indicates that the update is either pending or has been obstructed due to hardware or firmware limitations.
  • Red Stop Icon: The most critical status, which may emerge as early as June 2026, alerts users that older certificates are expiring. At this point, devices will be unable to receive essential boot-level security updates.

This status is also reflected in the Windows Security system tray icon, ensuring that users are alerted even when the app is not actively open. For the majority of users, the update process is seamless; simply keeping Windows Update enabled is sufficient. Devices manufactured in 2025 are predominantly covered, with many from 2024 also addressed. Older machines will receive updates gradually, with major Original Equipment Manufacturers (OEMs) providing necessary firmware guidance.

For those who encounter difficulties, Microsoft has established a support resource at aka.ms/getsecureboot. While it is technically feasible to ignore the yellow or red warnings, Microsoft strongly advises against this course of action. Devices lacking the updated certificates may find themselves in a compromised security state, increasing their vulnerability to boot-level exploits and potentially leading to incompatibility with future Windows security patches.
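For administrators who prefer to confirm the certificate state from a script rather than from the Windows Security badge, the following is an added example, not taken from this article or from Microsoft's tooling. It assumes an elevated PowerShell session and matches the 2023 certificate names as Microsoft has published them; those names do not appear in the article.

```powershell
# Added example: report whether the 2023 Secure Boot certificates are present
# in this machine's UEFI variables. Run from an elevated PowerShell prompt.
# Assumption (not from the article): the certificate names listed in $checks.

function Test-SecureBootVariable {
    param(
        [Parameter(Mandatory)] [string] $Variable,   # UEFI variable: KEK or db
        [Parameter(Mandatory)] [string] $CertName    # subject text to look for
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    } catch {
        return $null    # variable unreadable: legacy BIOS, not elevated, etc.
    }
    # The certificates are stored DER-encoded and the subject name appears as
    # plain ASCII inside the blob, so a text search is a workable heuristic.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text -match [regex]::Escape($CertName)
}

try {
    $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
    return
}
Write-Output "Secure Boot enabled: $enabled"

$checks = @(
    @{ Variable = 'KEK'; CertName = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Variable = 'db';  CertName = 'Windows UEFI CA 2023' }
)

$results = foreach ($c in $checks) {
    [pscustomobject]@{
        Variable    = $c.Variable
        Certificate = $c.CertName
        Present     = Test-SecureBootVariable @c   # $true, $false or $null
    }
}
$results | Format-Table -AutoSize

if (@($results | Where-Object { $_.Present -ne $true }).Count -eq 0) {
    Write-Output 'Both 2023 certificates were found in KEK and db.'
} else {
    Write-Output 'At least one 2023 certificate is missing or could not be read.'
}
```

A missing entry means only that the certificate has not been written to firmware yet; the article's guidance of keeping Windows Update enabled and following OEM firmware advice still applies.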

Winsage