Windows is Changing Before It Breaks: What Microsoft’s Secure Boot Update Means for Your Business (and What to Do Now)


About the Author

Weidenhammer

If you’ve seen headlines about Microsoft “changing Windows Update after 15 years,” here’s the simple truth: Microsoft is updating a behind-the-scenes security component that helps protect your PC before Windows even loads. It’s important, it’s time-bound, and, done right, it’s mostly painless.

What’s Happening (In Plain English)

Starting in April 2026, Microsoft has been surfacing a status indicator in the Windows Security app so that users (and IT teams) can more easily see whether the Secure Boot certificate updates are in place.

Most Windows devices rely on Microsoft Secure Boot certificates that were originally issued in 2011, and those certificates begin expiring in June 2026.

To stay protected, Microsoft is rolling out a newer set of 2023 certificates through Windows updates.

Why You Should Care (And Why It’s Not “Optional”)

Here’s the part that catches people off guard: if your device doesn’t get the new certificates, it will still boot and seem fine.

But over time, it will become less able to receive new protections for the earliest (most sensitive) part of startup, things like Secure Boot database updates, revocation lists from Certificate Authorities, and fixes for newly discovered vulnerabilities in the startup process.

Your device may keep running, but it will be gradually falling behind on a critical layer of defense.

What You’ll See: New Messages and a Status Check

Microsoft is adding Secure Boot certificate update status into Windows Security > Device security > Secure Boot.

You may see badges and guidance text about whether your device is fully updated or needs attention.

The Shortlist: What We Recommend You Do This Week

  1. Make sure Windows updates are actually installing
    If updates are paused or devices aren’t on a supported Windows version, this can stall the certificate rollout. Microsoft’s guidance for most users is straightforward: keep devices up to date and don’t pause updates. One thing to watch: A “good” Secure Boot state isn’t the same as “all certificate updates applied.” Microsoft emphasizes looking at the full status guidance, not just a generic “Secure Boot is on” signal.
  2. Check the Secure Boot status where Microsoft is now showing it
    Open Windows Security > Device security > Secure Boot and review the Secure Boot certificate update status messaging.
  3. Don’t “fix” this by disabling Secure Boot
    Microsoft explicitly warns against disabling Secure Boot as a workaround because it reduces protection and creates new risk.
  4. Plan for older devices (and Windows 10 realities)
    The rollout is designed to be automatic for most supported devices, but some systems may need OEM firmware updates to apply the new certificates correctly.

Also, Windows 10 reached end of support on October 14, 2025, and Microsoft points customers to Extended Security Updates (ESU) for continued security updates (which matters for receiving security-related improvements like these).
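
For IT teams who want to confirm the point in step 1 from a script, here is an added example (not Microsoft's tooling or code from this article) that reports "Secure Boot is on" separately from "the 2023 certificates are present". It assumes an elevated PowerShell session on a UEFI device; the function name Test-SecureBootCertName is hypothetical, and the substring match over the raw variable data is a simplification rather than a full certificate parse.

```powershell
# Added example; run as Administrator on the device being checked.
# Assumption: these are the 2023 certificate names to look for in each
# Secure Boot variable. Adjust the list to your own rollout requirements.
$expected = [ordered]@{
    db  = @('Windows UEFI CA 2023')
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
}

# Hypothetical helper: certificate subject names are stored as ASCII-compatible
# text inside the variable, so a substring search is enough for a presence check.
function Test-SecureBootCertName {
    param([byte[]]$Bytes, [string]$Name)
    [System.Text.Encoding]::ASCII.GetString($Bytes).Contains($Name)
}

try {
    # Returns $true or $false; throws on systems that do not use UEFI.
    $enabled = Confirm-SecureBootUEFI
} catch {
    Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
    return
}

# Read each firmware variable once and test every expected name against it.
$report = foreach ($var in $expected.Keys) {
    $bytes = (Get-SecureBootUEFI -Name $var).Bytes
    foreach ($name in $expected[$var]) {
        [pscustomobject]@{
            Variable    = $var
            Certificate = $name
            Present     = Test-SecureBootCertName -Bytes $bytes -Name $name
        }
    }
}

"Secure Boot enabled: $enabled"
$report | Format-Table -AutoSize

# The case the article warns about: enabled, but certificates not yet updated.
if ($enabled -and ($report.Present -contains $false)) {
    'Secure Boot is on, but at least one 2023 certificate is missing.'
}
```

Treat the result as a quick cross-check alongside the status shown in Windows Security, not a replacement for it.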

Bottom Line

This isn’t hype; it’s a real certificate lifecycle event with a hard deadline. The good news is that Microsoft is pushing updates early and adding clearer visibility so you can confirm you’re covered. Stay current on updates, check the Secure Boot status, and don’t wait until June.